This article describes common problems that arise when setting up SAML authentication and how to solve them.
Note for users of Active Directory Federation Services (ADFS) 2.0 as the Identity Provider (IdP): after you log out of kintone, accessing kintone again in the same Web browser may take you straight to the page you would normally see after logging in. This is caused by the ADFS session cookies still held by the browser. Even though this page is displayed, you have been logged out of kintone. Restart the browser before accessing kintone again.
SAML Authentication Errors
| Error Code | Error Message | Cause | Solution |
|---|---|---|---|
| SLASH_SA01 | No user account for that NameID found. | No user could be found on kintone with the same login name as the NameID in the SAML Response. | |
| SLASH_SA02 | Corresponding AuthnRequest not found. | This happens in the following cases. | |
| SLASH_SA03 | The SAML response is not found in the request parameter. | There was no SAML response in the request parameter that the IdP sent to kintone. | Check whether anything is stopping the SAML response from being sent. |
| SLASH_SA04 | Invalid SAML Response | The Response element in the SAML response was invalid. | Check the settings of the item whose verification result was reported as "Failed". See also "Checking the Verification Results for the SAML Response" below. |
| SLASH_SA05 | Invalid HTTP method. Use POST as the HTTP method. | The SAML response was not sent with the HTTP POST binding. | |
| SLASH_FA01 | Failed to process SAML Response. | The SAML response could not be processed due to an unexpected error. | Please contact us. |
Checking the Verification Results for the SAML Response
If any of the following verification results is reported as "Failed", try the corresponding action:
- If the Assertion contains a Conditions element, it must contain valid timestamps (NotBefore and NotOnOrAfter).
The clocks of the IdP and kintone may differ, so the assertion appears not yet valid or already expired.
Correct the date and time settings on the IdP.
- The InResponseTo attribute matches the AuthnRequest ID.
Multiple tabs in the same Web browser may have been attempting SSO at the same time, so the Response answers an AuthnRequest other than the one this tab sent. Check whether the error still occurs when logging in to kintone with just one tab.
- The Audience value is correct.
An incorrect entity ID may have been set when registering kintone as the SP at the IdP.
https://(your domain name).kintone.com must be set as the entity ID for the SP.
- At least one signature exists in the Assertion or Response element, and every signature present is valid.
The public key certificate (the IdP's signing certificate) may be invalid. Upload a valid certificate in the "Certificate" section of the kintone Administration page. It must be an X.509 certificate whose key was generated with either the RSA or DSA algorithm.
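To see which of the checks above is failing before changing anything on the IdP, it helps to run them yourself on the SAMLResponse the browser posted to kintone. The following script is an added example, not kintone's own code: it decodes the base64 SAMLResponse form value, then reports the Conditions timestamp, InResponseTo, Audience and signature-presence checks as "OK" or "Failed". The embedded Response, the hostnames example.kintone.com and idp.example.test, the AuthnRequest ID `_req123` and the clock values are all constructed for this example; the `skew_seconds` tolerance is an assumption, since the page does not say how much clock drift kintone accepts. Cryptographic verification of the signature against the uploaded X.509 certificate needs an XML-DSig library and is not performed here; the script only checks that a Signature element exists.

```python
"""Re-run the verification checks the article lists on a captured SAML Response.

Added example, not kintone's own code. Everything below (Response XML, hostnames,
request ID, timestamps) is constructed for illustration.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample Response (not a real IdP capture). The Signature element
# carries no real SignatureValue; this example only checks that it is present.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req123" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://example.kintone.com/saml/acs" Version="2.0">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
    <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue/></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example.kintone.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(form_value):
    """Decode the base64 SAMLResponse form parameter sent by the HTTP POST binding."""
    return base64.b64decode(form_value).decode("utf-8")


def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def verify_response(xml_text, expected_request_id, sp_entity_id, now, skew_seconds=0):
    """Run the four checks from the article; return {check name: "OK" | "Failed"}.

    skew_seconds is an assumed clock-drift tolerance, not a documented kintone value.
    """
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    results = {}

    # 1. Conditions timestamps: now must lie in [NotBefore - skew, NotOnOrAfter + skew).
    conditions = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if conditions is None:
        results["conditions_timestamp"] = "OK"  # nothing to check without Conditions
    else:
        ok = True
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before) - skew:
            ok = False  # IdP clock ahead of SP: assertion "not yet valid"
        if not_on_or_after and now >= parse_instant(not_on_or_after) + skew:
            ok = False  # IdP clock behind SP: assertion "already expired"
        results["conditions_timestamp"] = "OK" if ok else "Failed"

    # 2. InResponseTo must equal the ID of the AuthnRequest this browser tab sent.
    results["in_response_to"] = (
        "OK" if root.get("InResponseTo") == expected_request_id else "Failed"
    )

    # 3. Audience must equal the SP entity ID exactly (no trailing slash, same scheme).
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    results["audience"] = "OK" if sp_entity_id in audiences else "Failed"

    # 4. At least one Signature on the Response or the Assertion. Validating it
    # against the X.509 certificate requires an XML-DSig library (e.g. xmlsec).
    signatures = root.findall("ds:Signature", NS)
    if assertion is not None:
        signatures += assertion.findall("ds:Signature", NS)
    results["signature_present"] = "OK" if signatures else "Failed"
    return results


if __name__ == "__main__":
    posted = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()  # what the browser POSTs
    now = parse_instant("2024-01-01T12:01:00Z")
    checks = verify_response(decode_saml_response(posted), "_req123",
                             "https://example.kintone.com", now)
    for name, status in checks.items():
        print(f"{name}: {status}")
```

Feed it a real capture by base64-decoding the SAMLResponse field from the browser's developer tools, and pass the AuthnRequest ID from the request your tab actually sent. A "Failed" on `conditions_timestamp` that turns "OK" with a few minutes of `skew_seconds` points at clock drift; a "Failed" on `in_response_to` with a second tab open reproduces the multiple-tab case; a "Failed" on `audience` is usually a trailing slash or `http://` in the entity ID registered at the IdP.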