Skip to main content
Skip table of contents

SAML authentication failures

This article provides guidance and troubleshooting tips for addressing SAML authentication failure issues in Smart ID Digital Access component.

SAML (Security Assertion Markup Language) authentication can fail for various reasons, ranging from configuration errors to network issues. This article contains information about some common causes and scenarios where SAML authentication might fail.

Configuration errors

  • Both the Identity Provider (IdP) and Service Provider (SP) must exchange and correctly configure metadata. If the metadata is outdated or incorrectly configured, authentication will fail.

  • SAML relies on digital signatures to ensure the integrity and authenticity of messages. If the certificates are expired, mismatched, or incorrectly configured, the authentication will not succeed.

  • The endpoints (URLs) for the IdP and SP must be correctly configured. Mismatches or incorrect URLs can cause failures.

Time synchronization issues

SAML relies on timestamps for security purposes. If the clocks on the IdP and SP servers are not synchronized, assertions might be considered invalid. This is often resolved by using NTP (Network Time Protocol) to keep servers' clocks in sync.

Incorrect user permissions

  • If the user does not have the correct permissions or attributes configured in the IdP, they may be denied access by the SP.

  • SAML assertions include user attributes. If these are not correctly mapped between the IdP and SP, authentication might fail.

Invalid or tampered SAML assertions

Any tampering with the SAML assertion will cause signature verification to fail, leading to authentication failure.

Errors in SAML response handling

  • If the SP cannot correctly parse the SAML response from the IdP, authentication will fail.

  • The response might be invalid due to errors in the SAML message format or content.

Troubleshooting Steps

Checking the policy service audit logs is an essential first step when troubleshooting authentication failures. These logs often provide detailed information about the authentication process, including errors and warnings that can pinpoint the exact cause of the failure. You can also check the following steps for thorough troubleshooting.

  1. Review logs on both the IdP and SP for error messages and detailed information about the failure.

  2. Ensure that all configuration settings, including URLs, certificates, and attribute mappings, are correct.

  3. Ensure that all servers involved have synchronized clocks.

  4. Confirm that the metadata exchange is current and correctly configured.

  5. Ensure that certificates are valid and properly configured on both ends.

Related information

SAML 2.0 federation in Digital Access

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.