Troubleshooting SAML connections

A few issues and errors come up repeatedly when connecting a SAML identity provider to PE: failed redirects, rejected requests, and failed user-group binding. Almost all of them are caused by a mismatch between the PE SAML configuration and the identity provider's SAML configuration, so review both sides against each other when troubleshooting.

Failed redirects

Redirects fail with a 404 when the URLs configured in PE and in the identity provider don't match each other. Depending on where the redirect fails, fix it in one of two ways:
  • If the redirect fails from the identity provider to PE, the identity provider is sending the user to a PE URL that doesn't exist (typically a wrong assertion consumer service URL or PE entity ID). Fix the mismatched URLs in the identity provider SAML configuration.
  • If the redirect fails from PE to the identity provider, PE is sending the user to an identity provider URL that doesn't exist (typically a wrong single sign-on URL). Fix the mismatched URLs in the PE SAML configuration.

Rejected communication requests

If PE or the identity provider rejects a request or returns an error, check /var/log/puppetlabs/console-services/console-services.log for the reason the exchange failed. Typically, the certificate PE holds for the identity provider doesn't match the certificate the identity provider actually signs with (or the identity provider holds a stale copy of PE's certificate), and the out-of-date side must be reconfigured.
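Both the URL mismatches described under Failed redirects and the certificate mismatch described above can be caught before a user ever hits them by comparing the identity provider's published SAML metadata against the values PE was configured with. The script below is an added example, not PE code and not a PE tool: it parses a constructed IdP metadata document, pulls out the entity ID, the single sign-on URL, and a SHA-256 fingerprint of each signing certificate, and reports where the PE-side values (passed in as plain arguments; the names are this script's own, not PE configuration keys) disagree. The certificate bytes are placeholder bytes, not a real X.509 certificate, since only fingerprint equality is being checked.

```python
"""Compare an IdP's SAML metadata with the values PE was configured with.

Added example, not PE code. The metadata document and the PE-side values
are constructed for illustration; pe_entity_id, pe_sso_url and
pe_idp_cert_pem are labels used by this script, not PE setting names.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the IdP signing certificate (not real DER).
FAKE_DER = b"constructed-idp-signing-certificate-bytes"

# Constructed IdP metadata, shaped like a real EntityDescriptor.
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace and return the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints by binding, and signing cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(fingerprint(base64.b64decode("".join(c.text.split()))))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fingerprints": certs}


def check_pe_against_idp(metadata: dict, pe_entity_id: str, pe_sso_url: str, pe_idp_cert_pem: str) -> list:
    """Return a list of mismatches between what PE holds and what the IdP publishes."""
    problems = []
    if metadata["entity_id"] != pe_entity_id:
        problems.append(f"entity ID mismatch: PE has {pe_entity_id!r}, IdP metadata says {metadata['entity_id']!r}")
    if pe_sso_url not in metadata["sso"].values():
        problems.append(f"SSO URL {pe_sso_url!r} is not an endpoint the IdP publishes (redirect from PE to IdP will 404)")
    fp = fingerprint(pem_to_der(pe_idp_cert_pem))
    if fp not in metadata["signing_fingerprints"]:
        published = ", ".join(x[:16] for x in metadata["signing_fingerprints"])
        problems.append(f"IdP signing certificate mismatch: PE holds sha256 {fp[:16]}..., IdP publishes {published}...")
    return problems


# Constructed PE-side certificates: one current, one left over from before an IdP key rotation.
GOOD_PE_CERT = pem_from_der(FAKE_DER)
STALE_PE_CERT = pem_from_der(b"constructed-stale-certificate-from-before-idp-key-rotation")

if __name__ == "__main__":
    meta = parse_idp_metadata(IDP_METADATA)
    print(check_pe_against_idp(meta, "https://idp.example.com/saml", "https://idp.example.com/saml/sso", GOOD_PE_CERT))
    print(check_pe_against_idp(meta, "https://idp.example.com/saml", "https://idp.example.com/sso", STALE_PE_CERT))
```

Against a real identity provider, fetch the metadata document the IdP publishes and paste the certificate PE has on file for it; the first call above produces an empty list when everything lines up, and the second shows the two findings that correspond to a failing PE-to-IdP redirect and a rejected, unverifiable signature.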

Failed user-group binding

If users aren't being bound to their assigned groups, or if user permissions are missing, it is usually one of two issues:
  • There is an attribute binding mismatch: the attribute name PE is configured to bind (for example, for groups) isn't the name the identity provider exports. Check the attribute binding values in your identity provider and PE SAML configurations. A mismatch also causes the attributes the identity provider does send to appear as unknown attributes in the logs at the debug level.
  • The identity provider configuration doesn't export the user's groups correctly, so the assertion carries no group attribute for PE to bind.

SAML error messages

These are common PE error messages related to SAML.

  • "Expected login bindings <binding> in attributes and it wasn't present."

    The identity provider didn't provide the login attribute for the user. Check your identity provider configuration.

  • "Multiple login bindings found in attributes and only one expected."

    The identity provider listed multiple login entries in the assertion and only one entry is allowed. Check your identity provider configuration.

  • "User "{0}" has been revoked and is unable to login" (where {0} is the username)

    One of two things occurred:
    • An administrator manually revoked the user's account in PE.
    • RBAC automatically revoked the user's account. This usually happens when the account has had no recent activity within the period set by the account-expiry-days parameter. See Configure RBAC and token-based authentication settings for more information.

  • SAML library errors

    The underlying SAML library raises a variety of errors, identifiable by the library's namespace in the error name. These usually indicate a malformed payload, a mismatched entity ID, or an untrusted certificate. The full error text also appears in console-services.log.
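The binding checks behind Failed user-group binding and the first two error messages above ("Expected login bindings ... wasn't present" and "Multiple login bindings found ...") can be reproduced offline against a captured assertion. The script below is an added example, not PE code and not PE's actual validation logic: it reads the AttributeStatement of a constructed assertion, checks it against a dictionary of bindings (the keys login, email and groups are this script's own labels, not PE setting names), and reports login-blocking errors, a missing group binding, and any attributes the assertion carries that nothing is bound to, which is what a mismatched binding looks like in the debug log.

```python
"""Check the attributes in a SAML assertion against a set of attribute bindings.

Added example, not PE code. The assertion is constructed; the binding keys
(login, email, groups) are labels for this script, not PE parameter names.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: the IdP exports 'uid' once, 'mail', a multi-valued
# 'memberOf', and 'department', which nothing on the PE side binds.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>pe-operators</saml:AttributeValue>
      <saml:AttributeValue>pe-viewers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>platform</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attributes(assertion_xml: str) -> dict:
    """Map attribute Name -> list of values across all AttributeStatements."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out


def check_bindings(attrs: dict, bindings: dict) -> dict:
    """Evaluate bindings like {"login": "uid", "email": "mail", "groups": "memberOf"}.

    Returns errors (login is refused), warnings (login works but permissions
    are missing), debug notes (attributes nothing is bound to), and the groups
    that would be bound.
    """
    errors, warnings, debug, groups = [], [], [], []

    # Exactly one value is required for the login attribute.
    login_attr = bindings["login"]
    login_values = attrs.get(login_attr, [])
    if not login_values:
        errors.append(f"Expected login bindings {login_attr} in attributes and it wasn't present.")
    elif len(login_values) > 1:
        errors.append("Multiple login bindings found in attributes and only one expected.")

    # Groups: absent group attribute means no group-derived permissions.
    group_attr = bindings.get("groups")
    if group_attr:
        groups = attrs.get(group_attr, [])
        if not groups:
            warnings.append(f"group binding {group_attr!r} is not in the assertion; user gets no group permissions")

    # Anything the IdP sent that no binding names shows up as unknown at debug level.
    for name in attrs:
        if name not in bindings.values():
            debug.append(f"unknown attribute {name!r} in assertion (not bound)")

    return {"errors": errors, "warnings": warnings, "debug": debug, "groups": groups}


if __name__ == "__main__":
    attrs = attributes(ASSERTION)
    # Bindings that match what the IdP exports: no errors, two groups bound.
    print(check_bindings(attrs, {"login": "uid", "email": "mail", "groups": "memberOf"}))
    # Group binding typo: no groups, and 'memberOf' surfaces as an unknown attribute.
    print(check_bindings(attrs, {"login": "uid", "email": "mail", "groups": "groups"}))
    # Login bound to an attribute the IdP never sends.
    print(check_bindings(attrs, {"login": "sAMAccountName", "email": "mail", "groups": "memberOf"}))
```

The second call is the case the Failed user-group binding section describes: the user logs in, but "memberOf" is reported as an unknown attribute and no groups are bound, which is the signature to look for in the debug-level log entries before touching the identity provider configuration.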