Troubleshooting SAML setup guide

General checks

  • Verify the attribute statements are valid and have been mapped correctly in Cloud One.
  • Check for trailing spaces, and make sure there are no trailing slashes in the URLs configured in the service provider.

User/group association

Ensure your user and/or group is assigned to the application you created.

Certificate expiration

If you were able to log in successfully before but are now unable to do so, check whether your certificate has expired.

Tracing

Download a SAML tracer extension for your browser and follow the tracer during your SSO test. You can view the SAML assertions made and try to pinpoint any issues through that trace.

Group does not map to any roles

The group you specified in your identity provider configuration inside Cloud One doesn't match any claims sent from your identity provider, therefore Cloud One cannot map any roles for that user.

This can also happen if your group claim is improperly set up or if you are using the incorrect value inside your identity provider configuration. Check for case sensitivity and valid URLs.

Another reason that this could happen is because a role the user was mapped to has been removed from Cloud One. The administrator of the account will need to update the role configuration in the Cloud One identity providers page.

SAML response failed

If you get this (typically when hitting the /idpresponse endpoint), then you need to trace the SAML response and check whether any values are missing. You should have a name ID in your subject, and your attribute statement values should match what you've defined. For example, a healthy-looking subject looks like this:

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">foobar</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2022-02-18T20:14:41.945Z" Recipient="https://saml.cloudone.trendmicro.com/idpresponse"/>
  </SubjectConfirmation>
</Subject>

And healthy-looking attribute statements look like this (names and specific values will differ depending on the identity provider):

<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>foobar</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>foobar</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>foobar</AttributeValue>
  </Attribute>
</AttributeStatement>

Mapping is not working

This could be for any of the following reasons:

  • The mapping you provided in your identity provider configuration does not match your mapping in your service's active directory or vice versa. You can check your attribute statements from your SAML response using a tracer to verify. Make sure the Attribute Name is what you entered in your identity provider configuration and that the Attribute Value is populated/correct.

  • The value in your service's active directory could be an invalid format for timezone or locale. See the attributes claims guide for more information.

  • If you have multiple accounts with the same identity provider configuration and you provided mappings for one configuration but not the other then Cloud One will not know which one to use. Please ensure mappings are filled out across all identity provider configurations.
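The checks from the "SAML response failed" and "Mapping is not working" sections can be scripted against a traced assertion. This is an added example, not part of the Trend Micro guide: it parses a constructed assertion and verifies that a NameID is present, that the Recipient matches the /idpresponse URL exactly (flagging a trailing-slash-only difference), that NotOnOrAfter has not passed, and that the expected group appears in the Group claim (flagging a case-only mismatch). The assertion namespace, the helper name and the sample group value are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # assumption: standard SAML 2.0 assertion namespace
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample modelled on the healthy subject/attribute statements above; placeholder values only.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">foobar</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2022-02-18T20:14:41.945Z"
          Recipient="https://saml.cloudone.trendmicro.com/idpresponse"/>
    </SubjectConfirmation>
  </Subject>
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <AttributeValue>CloudOne-Admins</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""


def check_assertion(xml_text, expected_recipient, expected_group, now):
    """Return the problems found in the assertion (an empty list means all checks passed)."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("subject has no NameID")
    data = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if data is None:
        problems.append("subject has no SubjectConfirmationData")
    else:
        recipient = data.get("Recipient", "")
        if recipient != expected_recipient:
            hint = " (trailing slash?)" if recipient.rstrip("/") == expected_recipient.rstrip("/") else ""
            problems.append(f"Recipient {recipient!r} != {expected_recipient!r}{hint}")
        not_after = data.get("NotOnOrAfter")
        if not_after is None:
            problems.append("SubjectConfirmationData has no NotOnOrAfter")
        elif now >= datetime.fromisoformat(not_after.replace("Z", "+00:00")):
            problems.append("assertion has expired (NotOnOrAfter is in the past)")
    # Collect every value of the Group claim; a role mapping only works if one matches exactly.
    groups = [v.text or "" for v in root.findall(
        f"saml:AttributeStatement/saml:Attribute[@Name='{GROUP_CLAIM}']/saml:AttributeValue", NS)]
    if expected_group not in groups:
        hint = " (case mismatch?)" if expected_group.lower() in [g.lower() for g in groups] else ""
        problems.append(f"group {expected_group!r} not in Group claim {groups}{hint}")
    return problems
```

Paste the Assertion element copied from your SAML tracer in place of the sample, with the Recipient and group name you configured in Cloud One, and any non-empty result points at the section above that applies.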

Error: not_a_saml_app

This is specific to Google SSO. If you just enabled your app and are trying to log in, you need to log out and clear your cache, then log back in as the user you are testing with. If you continue to get this error, you may need to wait a few minutes for Google to associate the user with your new application.