Troubleshooting SAML connections
There are some common issues and errors that can occur when connecting a SAML identity provider to PE, such as failed redirects, rejected communications, and failed group binding.
Failed redirects
- If the redirect fails when going from the identity provider to PE, fix the mismatched URLs in your identity provider's SAML configuration.
- If the redirect fails when going from PE to the identity provider, fix the mismatched URLs in your PE SAML configuration.
Rejected communication requests
If PE or the identity provider rejects communications or returns an error, check the console-services.log file (located at /var/log/puppetlabs/console-services/console-services.log) for details about the communication failure.
Usually, this means there are mismatched certificates for PE and the identity provider, and that you need to reconfigure the certificates.
Failed user-group binding
If user-group binding fails, check the following:
- There is no mismatch in attribute bindings. Compare the attribute binding values in your identity provider's SAML configuration with those in your PE SAML configuration. Tip: If unknown attributes appear in output logs at the debug level, this can be an indication of mismatched attribute bindings.
- The group export in your identity provider's configuration is correct.
SAML error messages
These are common PE error messages related to SAML and how you can troubleshoot them.
- Expected login bindings <BINDING> in attributes and it wasn't present.
  - The identity provider didn't provide the specified login attribute for the user.
- Multiple login bindings found in attributes and only one expected.
  - The identity provider supplied multiple login entries in the assertion, but only one entry is allowed.
- User "{0}" has been revoked and is unable to login
  - Either an administrator manually revoked the user's account in PE, or RBAC automatically revoked the user's account.
- SAML library errors
  - There are various SAML library errors, which are identified by their namespace.
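The first two error messages above, and the mismatched-attribute-binding tip, all come down to what the identity provider put in the assertion's AttributeStatement versus what PE is configured to look for. The following added example (not Puppet's code) parses a constructed SAML assertion and reports those conditions the same way the PE messages do; the attribute names `username` and `memberOf` are assumed bindings, not values from the page.

```python
"""Inspect a SAML assertion's attributes for the binding problems PE reports.

Added example, not Puppet's code. The login and group binding names are
assumed values; a real PE deployment uses whatever its SAML settings specify.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: one login value and two group values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>pe-admins</saml:AttributeValue>
      <saml:AttributeValue>pe-viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes(assertion_xml):
    """Map each attribute Name to its list of values (unknown names show up here too)."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        result.setdefault(attr.get("Name"), []).extend(values)
    return result


def check_bindings(assertion_xml, login_binding, group_binding):
    """Return the problems found, phrased like the PE messages on this page."""
    attrs = attributes(assertion_xml)
    problems = []
    logins = attrs.get(login_binding, [])
    if not logins:
        problems.append(f"Expected login bindings {login_binding} in attributes and it wasn't present.")
    elif len(logins) > 1:
        problems.append("Multiple login bindings found in attributes and only one expected.")
    if group_binding not in attrs:
        problems.append(f"Group binding {group_binding} not present; check the group export at the IdP.")
    # Attributes PE is not configured for are the "unknown attributes" the debug log tip refers to.
    unknown = sorted(set(attrs) - {login_binding, group_binding})
    if unknown:
        problems.append(f"Unknown attributes {unknown}: possible mismatched attribute bindings.")
    return problems
```

Run `check_bindings` against an assertion captured from your identity provider (with the binding names taken from your PE SAML configuration) to see which of the conditions above applies before changing either side's settings.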