Troubleshooting SAML connections

There are some common issues and errors that can occur when connecting a SAML identity provider to PE, such as failed redirects, rejected communications, and failed group binding.

Tip: In the case of any SAML connection errors, check the SAML configurations in both PE and your identity provider.

Failed redirects

Redirects fail (with a 404 error code) when there are mismatched URLs between PE and the identity provider. Depending on where the redirect occurs, there are two possible ways to fix this:
  • If the redirect fails when going from the identity provider to PE, fix the mismatched URLs in your identity provider's SAML configuration.
  • If the redirect fails when going from PE to the identity provider, fix the mismatched URLs in your PE SAML configuration.

Rejected communication requests

If PE or the identity provider rejects communications or returns an error, check the console-services.log file (located at /var/log/puppetlabs/console-services/console-services.log) for details about the communication failure.

Usually, this means there are mismatched certificates for PE and the identity provider, and that you need to reconfigure the certificates.

Failed user-group binding

If users aren't binding to their assigned groups, or if user permissions are missing, make sure:
  • There isn't a mismatch in attribute bindings. Check the attribute binding values in your identity provider and PE SAML configurations.
    Tip: If unknown attributes appear in output logs at the debug level, this can be an indication of mismatched attribute bindings.
  • The group export is incorrect in your identity provider's configuration.

SAML error messages

These are common PE error messages related to SAML and how you can troubleshoot them.

Expected login bindings <BINDING> in attributes and it wasn't present.
The identity provider didn't provide a specified login attribute for the user.
Check your identity provider configuration.
Multiple login bindings found in attributes and only one expected.
The identity provider supplied multiple login entries in the assertion but only one entry is allowed.
Check your identity provider configuration.
User \"{0}\" has been revoked and is unable to login
Either an administrator manually revoked the user's account in PE or RBAC automatically revoked the user's account.
RBAC usually automatically revokes users when the user has no recent activity. This is based on the account-expiry-days parameter. For more information, refer to Configure RBAC and token-based authentication settings.
If the account was manually revoked, contact the administrator who revoked the account.
SAML library errors
There are various SAML library errors, which are identified by their namespace.
Sometimes these errors are recorded in the console-services.log file.
These errors usually indicate a malformed payload, mismatched entity-id, or an untrusted certificate.