Troubleshooting SAML SSO

Running SSO in debug mode will help you troubleshoot your integration.

An attribute is missing, or was mistyped

In the following sample error message, the name of the attribute configured for the user's email address was named email, but that doesn't exist in the saml message. In this example, MAIL is the name of the correct attribute.

com.jivesoftware.community.aaa.sso.SSOAuthenticationException: User did not have the required attributes send from the identify provider. Missing attribute: email. Given attributes: [MAIL, title, companyname, FIRSTNAME, LASTNAME]  
"Missing attribute" field in an error message is blank

If you see a message like this:

com.jivesoftware.community.aaa.sso.SSOAuthenticationException: User did not have the required attributes send from the identify provider. Missing attribute: . 

 

Jive is trying to sync a single name as Firstname and Lastname. To work around this problem, set the system property saml.nameField to the same attribute the first name is populated from.

Authentication works on some nodes, not others

You may discover that the certificates in the metadata for each node are different: Jive metadata won't be the same on each node and so authentication will succeed on some nodes and fail on others. To verify that the same key is being used on each node, go directly to the path /saml/metadata for each node. This problem occurs when Storage Provider file system caching is enabled. To disable it, go to System > Settings > Storage Providerand click Edit. Then select No under Cache Enabled.

"Responder" message.

If you get any status message in this format:

            <samlp:Status>  
            <samlp:StatusCode  
            Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
            <samlp:StatusMessage>something_is_wrong</samlp:StatusMessage>  
            </samlp:Status>  

this indicates a problem with your IdP configuration.

An assertion fails on the notBefore condition

If the IdP clock is ahead of the Jive clock by even a second, the notBefore check fails and you get the message

Assertion is not yet valid, invalidated by condition notBefore ?

This problem can be caused by clock drift on either end, but you can also try addressing it by adjusting the Response Skew setting in the Advanced SSO settings.

username doesn't exist in attribute
If you see the following message:
ERROR org.springframework.security.saml.SAMLProcessingFilter - There was an error during SAML authentication  
java.lang.IllegalArgumentException: [Assertion failed] - this argument is required; it must not be null
The attribute with the username does not exist--it may be in the Subject NameID instead, in which case you should make sure the Override Subject NameID for Username checkbox is cleared in the General tab of your SAML settings. Otherwise, you may need to add the username attribute to the SAML message.