|Configuring Community / Setting Up Single Sign-On|
Running SSO in debug mode will help you troubleshoot your integration.
In the following sample error message, the name of the attribute configured for the user's email address was named email, but that doesn't exist in the saml message. In this example, MAIL is the name of the correct attribute.
com.jivesoftware.community.aaa.sso.SSOAuthenticationException: User did not have the required attributes send from the identify provider. Missing attribute: email. Given attributes: [MAIL, title, companyname, FIRSTNAME, LASTNAME]
If you see a message like this:
com.jivesoftware.community.aaa.sso.SSOAuthenticationException: User did not have the required attributes send from the identify provider. Missing attribute: .
Jive is trying to sync a single name as Firstname and Lastname. To work around this problem, set the system property saml.nameField to the same attribute the first name is populated from.
You may discover that the certificates in the metadata for each node are different: Jive metadata won't be the same on each node and so authentication will succeed on some nodes and fail on others. To verify that the same key is being used on each node, go directly to the path /saml/metadata for each node. This problem occurs when Storage Provider file system caching is enabled. To disable it, go to Edit. Then select No under Cache Enabled.and click
If you get any status message in this format:
<samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/> <samlp:StatusMessage>something_is_wrong</samlp:StatusMessage> </samlp:Status>
this indicates a problem with your IdP configuration.
If the IdP clock is ahead of the Jive clock by even a second, the notBefore check fails and you get the message
Assertion is not yet valid, invalidated by condition notBefore ?
This problem can be caused by clock drift on either end, but you can also try addressing it by adjusting the Response Skew setting in the General SSO settings.
ERROR org.springframework.security.saml.SAMLProcessingFilter - There was an error during SAML authentication java.lang.IllegalArgumentException: [Assertion failed] - this argument is required; it must not be nullThe attribute with the username does not exist—it may be in the Subject NameID instead, in which case you should make sure the Override Subject NameID for Username checkbox is cleared in the General tab of your SAML settings. Otherwise, you may need to add the username attribute to the SAML message.