SAML Troubleshooting

This article addresses common troubles that arise when setting up SAML Authentication and how to solve them.

Attention for those using Active Directory Federation Services (ADFS) 2.0 as your Identity Provider (IdP): after you log out of kintone, if you access kintone again in the same Web browser, you may land on the page you would expect to see after logging in. This is caused by the ADFS cookies. Even though this page is displayed, you have successfully logged out of kintone. Please restart your browser before accessing the platform again.

SAML Authentication Errors

Error code: SLASH_SA01
Error message: No user account for that NameID found.
Cause: No user could be found on kintone with the same login name as the NameID in the SAML Response.
Solution:
  • Change the settings of your IdP so that the NameID is set as the element that identifies the user.
  • Match the user's login name on kintone with the value of the NameID.

Error code: SLASH_SA02
Error message: Corresponding AuthnRequest not found.
Cause: This happens in the following cases.
  • Multiple SAML requests were issued in one session. Examples:
    • Multiple tabs were open in the Web browser, all of them attempting SSO.
    • After the SSO, the kintone endpoint URL was accessed again by clicking the "Back" button of the Web browser.
  • An IdP-initiated SSO took place.
Solution:
  • Do not let your browser send multiple SAML requests in one session.
  • Change the settings of your IdP so that an SP-initiated SSO takes place.

Error code: SLASH_SA03
Error message: The SAML response is not found in the request parameter.
Cause: There was no SAML response in the request parameter that the IdP sent to kintone.
Solution: Check whether anything is stopping the SAML response from being sent.

Error code: SLASH_SA04
Error message: Invalid SAML Response
Cause: The Response element in the SAML response was invalid.
Solution: Check the settings for the item whose verification result was reported as "Failed". Also refer to "Checking the Verification Results for the SAML Response" below.

Error code: SLASH_SA05
Error message: Invalid HTTP method. Use POST as the HTTP method.
Cause: The SAML response was not sent by HTTP POST Binding.
Solution:
  • Change the settings of the IdP so that the SAML response is sent by HTTP POST Binding.
  • Check whether a proxy server is changing the HTTP method so that the response no longer arrives as a POST.

Error code: SLASH_FA01
Error message: Failed to process SAML Response.
Cause: The SAML response could not be processed due to an unexpected error.
Solution: Please contact us.

Checking the Verification Results for the SAML Response

Try the following operations if any of the verification results below is reported as "Failed":

  • If the Assertion contains a Conditions statement, it must contain a valid timestamp.
    The datetime settings of the IdP and kintone may differ.
    Change the settings on the IdP so that it reports the correct datetime.
  • The InResponseTo attribute matches the AuthnRequest ID.
    Multiple tabs may have been open in the same Web browser, all attempting SSO at the same time. Check whether the error still occurs when logging into kintone with just one tab.
  • The Audience value is correct.
    An invalid entity ID may have been set when registering kintone as the SP.
    https://(your domain name).kintone.com needs to be set as the entity ID for the SP.
  • At least one signature exists in the Assertion or Response element, and all signatures present are valid.
    The public key certificate may be invalid. Attach a valid certificate in the "Certificate" section of the kintone Administration page. This must be an X.509 certificate generated with either the RSA or DSA algorithm.
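The following is an added example, not kintone's own validation code, that runs the four verification checks listed above (Conditions timestamps, InResponseTo, Audience, signature presence) against a SAML Response and maps each "Failed" result to the remediation hint this article gives for it, including the SLASH_SA02 case from the error table. The entity ID, request IDs, timestamps and the XML document are constructed sample values; the signature check only confirms that a ds:Signature element is present, since cryptographic XML-DSig verification against the IdP certificate needs a dedicated library (for example signxml or python3-saml) and is out of scope here.

```python
# Added example (not kintone's own code): reproduce the article's four "verification
# result" checks for a SAML Response and report which would be "Failed".
# Assumptions: entity ID, request IDs, timestamps and the XML below are constructed
# sample values; the signature check is presence-only (a real SP must also verify the
# XML-DSig against the IdP certificate with a library such as signxml or python3-saml).
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CHECKS = ("conditions_timestamp", "in_response_to", "audience", "signature")

# Remediation hints for each failed check, taken from the article above.
HINTS = {
    "conditions_timestamp": "IdP and kintone clocks differ; correct the datetime on the IdP.",
    "in_response_to": "No matching AuthnRequest: multiple tabs, Back button, or IdP-initiated SSO (SLASH_SA02).",
    "audience": "Entity ID mismatch: the SP entity ID must be https://(your domain name).kintone.com.",
    "signature": "No signature on Response or Assertion; check the certificate on the Administration page.",
}

def _parse_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, expected_audience, outstanding_request_ids, now,
                        skew=timedelta(minutes=3)):
    """Return {check_name: "OK" | "Failed"} for the checks listed in the article."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # nothing to validate; every check fails
        return {name: "Failed" for name in CHECKS}
    results = {}

    # 1. Conditions: NotBefore/NotOnOrAfter must bracket "now", allowing small clock skew.
    ok = True
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < _parse_time(not_before):
            ok = False
        if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
            ok = False
    results["conditions_timestamp"] = "OK" if ok else "Failed"

    # 2. InResponseTo must name an AuthnRequest this SP issued and has not yet consumed.
    #    An unsolicited (IdP-initiated) Response carries no InResponseTo and fails here.
    in_response_to = root.get("InResponseTo")
    results["in_response_to"] = "OK" if in_response_to in outstanding_request_ids else "Failed"

    # 3. Audience must equal the SP entity ID.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    results["audience"] = "OK" if expected_audience in audiences else "Failed"

    # 4. A ds:Signature must exist on the Response or the Assertion (presence only here).
    signed = (root.find("ds:Signature", NS) is not None
              or assertion.find("ds:Signature", NS) is not None)
    results["signature"] = "OK" if signed else "Failed"
    return results

def failed_hints(results):
    """List the article's remediation hints for every check that reported "Failed"."""
    return [HINTS[name] for name in CHECKS if results.get(name) == "Failed"]

# Constructed sample Response (placeholder IDs, domain and signature value).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" InResponseTo="_req123" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a1" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example.kintone.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_AUDIENCE = "https://example.kintone.com"
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    res = check_saml_response(SAMPLE_RESPONSE, SAMPLE_AUDIENCE, {"_req123"}, SAMPLE_NOW)
    print(res, failed_hints(res))
```

Passing an empty set of outstanding request IDs reproduces the SLASH_SA02 situation (a Response whose InResponseTo matches nothing the SP issued), and moving the clock an hour ahead reproduces the Conditions timestamp failure that a skewed IdP clock causes.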