Troubleshoot SAML setup

General checks

  • Verify the attribute statements are valid and have been mapped correctly in Trend Cloud One.
  • Check for trailing spaces, and make sure there are no trailing slashes in the URLs configured in the service provider.

User and group association

Ensure that your user or group is assigned to the application you created.

Certificate expiration

If you were able to log in successfully before but now cannot, check whether your certificate has expired.

Tracing

Download a SAML tracer extension for your browser and follow the tracer during your SSO test. You can view the SAML assertions made and try to pinpoint any issues through that trace.

Group does not map to any roles

The group you specified in your identity provider configuration inside Trend Cloud One does not match any claim sent by your identity provider, so Trend Cloud One cannot map any roles for that user.

This can also happen if your group claim is set up incorrectly or if you are using the wrong value inside your identity provider configuration. Check for case sensitivity and valid URLs.

Another reason that this could happen is because a role the user was mapped to has been removed from Trend Cloud One. The administrator of the account will need to update the role configuration in the Trend Cloud One identity providers page.

SAML response failed

If you encounter this condition (typically when hitting the /idpresponse endpoint), trace the SAML response and check whether any values are missing. The subject should contain a name ID, and the attribute statement values should match what you have defined. For example, a healthy-looking subject is similar to the following:

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">foobar</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2022-02-18T20:14:41.945Z" Recipient="https://saml.cloudone.trendmicro.com/idpresponse"/>
  </SubjectConfirmation>
</Subject>

And healthy-looking attribute statements would be similar to the following:

<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>foobar</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>foobar</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>foobar</AttributeValue>
  </Attribute>
</AttributeStatement>

Names and specific values differ depending on the identity provider.

Mapping is not working

This could be for any of the following reasons:

  • The mapping you provided in your identity provider configuration does not match the mapping in your service's Active Directory, or vice versa. Use a tracer to check the attribute statements in your SAML response. Make sure the Attribute Name is exactly what you entered in your identity provider configuration and that the Attribute Value is populated and correct.

  • The value in your service's active directory could be an invalid format for timezone or locale. See the attributes claims guide for more information.

  • If you have multiple accounts with the same identity provider configuration and you provided mappings for one configuration but not the other, Trend Cloud One will not know which one to use. Ensure mappings are filled out across all identity provider configurations.
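The checks described under "SAML response failed" and "Mapping is not working" are easy to repeat with a small script once you have the assertion from your SAML tracer. The following Python example is added here and is not Trend Micro's code: it walks a captured assertion and reports the same things a person would look for, namely a missing NameID, a Recipient that differs from the /idpresponse endpoint, an assertion whose NotOnOrAfter has passed, an attribute name that differs from the configured one only in case, an attribute that is present but empty, and a group value that misses a role only because of case. The ACS_URL, MAPPING and GROUP_ROLES values and the sample assertion are constructed assumptions; the attribute names mirror those shown above.

```python
"""Pre-flight checks on a SAML response captured with a browser SAML tracer (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical configuration: the /idpresponse endpoint named in the text, plus the attribute
# names and group-to-role table an admin would have entered in the identity provider configuration.
ACS_URL = "https://saml.cloudone.trendmicro.com/idpresponse"
MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "group": "http://schemas.xmlsoap.org/claims/group",  # typed in lower case, unlike the IdP
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}
GROUP_ROLES = {"CloudOne-Admins": "Full Access"}

# Constructed sample assertion (namespaced as real IdPs emit it); the name claim is empty on purpose.
SAMPLE_RESPONSE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">foobar</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2022-02-18T20:14:41.945Z"
          Recipient="https://saml.cloudone.trendmicro.com/idpresponse"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>foobar@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>CloudOne-Admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
FIXED_NOW = datetime(2022, 2, 18, 20, 0, tzinfo=timezone.utc)  # 14 min before NotOnOrAfter

def parse_timestamp(value):
    """Parse the xs:dateTime form SAML uses, e.g. 2022-02-18T20:14:41.945Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_attributes(root):
    """Map each Attribute Name to its non-empty AttributeValue texts."""
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = [v for v in values if v]
    return attrs

def check_response(xml_text, expected_recipient, mapping, now):
    """Return a list of findings; an empty list means the subject and mappings look healthy."""
    findings = []
    root = ET.fromstring(xml_text)
    subject = root.find(".//saml:Subject", NS)
    if subject is None:
        return ["assertion has no Subject element"]
    name_id = subject.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("Subject has no NameID value")
    data = subject.find(".//saml:SubjectConfirmationData", NS)
    if data is None:
        findings.append("Subject has no SubjectConfirmationData")
    else:
        if data.get("Recipient") != expected_recipient:
            findings.append(f"Recipient {data.get('Recipient')!r} != {expected_recipient!r}")
        not_after = data.get("NotOnOrAfter")
        if not_after and parse_timestamp(not_after) <= now:
            findings.append(f"assertion expired at {not_after}; check IdP/SP clock skew")
    attrs = extract_attributes(root)
    for field, wanted in mapping.items():
        if wanted not in attrs:
            near = [n for n in attrs if n.lower() == wanted.lower()]
            hint = f" (case differs from IdP's {near[0]!r})" if near else ""
            findings.append(f"{field}: attribute {wanted!r} missing from response{hint}")
        elif not attrs[wanted]:
            findings.append(f"{field}: attribute {wanted!r} is present but empty")
    return findings

def map_groups_to_roles(group_values, group_roles):
    """Case-sensitive group-to-role lookup; returns (roles, hints about near misses)."""
    roles, hints = [], []
    for group in group_values:
        if group in group_roles:
            roles.append(group_roles[group])
        else:
            near = [k for k in group_roles if k.lower() == group.lower()]
            if near:
                hints.append(f"group {group!r} only matches {near[0]!r} case-insensitively")
    return roles, hints

def demo(now=FIXED_NOW):
    """Run the checks against the constructed sample with a fixed clock."""
    return check_response(SAMPLE_RESPONSE, ACS_URL, MAPPING, now)

if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Paste the assertion from your tracer into SAMPLE_RESPONSE and replace the configuration constants with the values from your own identity provider configuration; an empty findings list means the subject and attribute mappings are in the shape the page describes as healthy. The clock is passed in explicitly so that an old capture can be checked against the time it was taken rather than always reported as expired.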

Error not_a_saml_app

This is specific to Google SSO. If you just enabled your app and are trying to log in, log out and clear your cache, then log back in as the user you are testing with. If you continue to get this error, you may need to wait a few minutes for Google to associate the user with your new application.

Error while creating an Identity Provider configuration

This can be for many reasons. The most common reason is that your XML is invalid. Check to make sure that it is the correct metadata file.

You cannot upload metadata with the same Entity ID as a previously uploaded metadata file.
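The two failure causes named here, invalid XML and a duplicate Entity ID, can be caught before the upload. The following Python example is added here and is not Trend Micro's code: it parses a metadata file, confirms it is an identity provider descriptor rather than some other XML, reads the entityID and compares it with the Entity IDs already uploaded, checks that a base64-encoded signing certificate is present, and applies the trailing-whitespace and trailing-slash hygiene from the general checks above to the SingleSignOnService URL. The sample metadata, the placeholder certificate and the ALREADY_UPLOADED set are constructed assumptions.

```python
"""Checks on an identity provider metadata file before uploading it (added example)."""
import base64
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a placeholder stands in for the signing certificate, and the
# SingleSignOnService Location deliberately carries a trailing slash and a trailing space.
PLACEHOLDER_CERT = base64.b64encode(b"placeholder, not a real DER certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/ "/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Entity IDs of configurations a hypothetical account already holds.
ALREADY_UPLOADED = {"https://idp.example.com/saml"}

def validate_metadata(xml_text, already_uploaded_entity_ids):
    """Return a list of findings; an empty list means the file looks uploadable."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"metadata is not well-formed XML: {exc}"]
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        return [f"root element is {root.tag!r}, expected md:EntityDescriptor (is this the right metadata file?)"]
    entity_id = root.get("entityID", "")
    if not entity_id:
        findings.append("entityID attribute is missing")
    elif entity_id in already_uploaded_entity_ids:
        findings.append(f"entityID {entity_id!r} was already uploaded; duplicates are rejected")
    if root.find("md:IDPSSODescriptor", MD_NS) is None:
        findings.append("no IDPSSODescriptor: this looks like service provider metadata, not IdP metadata")
    certs = root.findall(".//ds:X509Certificate", MD_NS)
    if not certs:
        findings.append("no X509Certificate: assertion signatures could not be verified")
    for cert in certs:
        try:
            der = base64.b64decode((cert.text or "").strip(), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = b""
        if not der:
            findings.append("X509Certificate is empty or not valid base64")
    for sso in root.findall(".//md:SingleSignOnService", MD_NS):
        location = sso.get("Location", "")
        if location != location.strip():
            findings.append(f"SingleSignOnService Location has leading/trailing whitespace: {location!r}")
        if location.strip().endswith("/"):
            findings.append(f"SingleSignOnService Location has a trailing slash: {location.strip()!r}")
    return findings

if __name__ == "__main__":
    for finding in validate_metadata(SAMPLE_METADATA, ALREADY_UPLOADED):
        print("FINDING:", finding)
```

Run it against the metadata file you are about to upload, with the Entity IDs of your existing identity provider configurations in ALREADY_UPLOADED; a "not well-formed" or "expected md:EntityDescriptor" finding usually means the wrong file was exported from the identity provider.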

Browser developer console

Your browser's developer console can contain additional information that is useful to include when filing a support case. Open the console by pressing F12 while in your browser, then open the Network tab. Keep it open and retry the operation that previously failed, then view the response to any failed request for further information.