SSO Troubleshooting
Issue:
Page cannot be displayed on Sso.aspx
Resolution
Make sure the website has an HTTPS (SSL) binding. SSL is required; Sso.aspx will not work over plain HTTP.
Check that there is an spid in the query string.
A 404 indicates that the spid is missing or invalid. The value must be the Service Provider Identifier and may be URL encoded.
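The two checks above can be scripted from the Core web server. This is an added example, not code from the original page or the product; the site name, host name and spid are placeholder values to replace with your own.

```powershell
# Added example (not from the original page): checks both preconditions above
# from the Core web server. Site name, host name and spid are placeholders.
param(
    [string]$SiteName = 'Default Web Site',
    [string]$HostName = 'core.example.com',
    [string]$Spid     = 'https://core.example.com/saml'   # the Service Provider Identifier
)
Import-Module WebAdministration

# 1. The site needs an https binding; Sso.aspx does not work over plain http.
$https = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($https.Count -eq 0) {
    throw "Site '$SiteName' has no https binding; add one in IIS Manager or with New-WebBinding -Protocol https."
}
$https | ForEach-Object { Write-Host "https binding: $($_.bindingInformation)" }

# 2. The spid must be present in the query string. URL-encode it so that
#    characters such as ':' and '/' in a URI-style identifier survive intact.
$url = "https://$HostName/Sso.aspx?spid=" + [System.Uri]::EscapeDataString($Spid)
Write-Host "Requesting $url"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    Write-Host "HTTP $($resp.StatusCode): Sso.aspx accepted the spid (a redirect to the IdP is followed)"
} catch {
    $code = 0
    if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
    if ($code -eq 404) {
        Write-Warning "404: spid is missing or is not a known Service Provider Identifier"
    } else {
        Write-Warning "Request failed ($code): $($_.Exception.Message)"
    }
}
```

Run it in an elevated PowerShell session on the IIS host. Any status other than 404 means the spid was accepted and the problem lies further along the SAML flow.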
Issue:
Error processing login request. Invalid Login ID or Password Please Verify and re-enter your login information
Resolution
Using the recommended configuration, where the IdP maps the SAML Name ID to the User Principal Name, the user name in the assertion is compared with the User Qualified Name (USER_QUALIFIED) and the NT Account Name (USER_SAM). Both must equal the User Principal Name, which should be in the form name@domain.
Issue:
User Import doesn’t seem to work
Resolution
User import may fail if the update would result in a duplicate Login ID (USER_ID), User Qualified Name, or NT Account Name/Domain.
Issue:
Could not load file or assembly 'Newtonsoft.Json, Version=4.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies
Resolution
Add the following inside the <configuration> element of web.config. The newVersion must match the Newtonsoft.Json.dll actually deployed in the bin folder (8.0.0.0 here); a redirect to a version that is not present produces the same error.
<runtime>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <dependentAssembly>
      <!-- Identity of the assembly being redirected; the token is Newtonsoft.Json's signing key -->
      <assemblyIdentity name="Newtonsoft.Json"
                        publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
      <!-- Any reference from 0.0.0.0 up to 8.0.0.0 is resolved to the deployed 8.0.0.0 -->
      <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0"/>
    </dependentAssembly>
  </assemblyBinding>
</runtime>
Issue:
SignatureDescription could not be created for the signature algorithm supplied.
Resolution
The secure hash algorithm of the Relying Party Trust is not set to SHA1. ADFS defaults to SHA256, which the SAML connector does not support.
Change the hash algorithm to SHA1 on the Advanced tab of the Relying Party Trust properties. SHA1 is deprecated for signatures, so apply this setting only to this trust rather than changing ADFS-wide defaults.
Issue:
Assertion Subject does not define a NameID
Resolution
User Principal Name should be mapped to Name ID in the IdP claims configuration.
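Both IdP-side settings above (the SHA1 signature algorithm for the SignatureDescription error, and UPN mapped to Name ID for the missing NameID error) can be applied to the relying party trust with the ADFS PowerShell module. This is an added example, not code from the original page or the product; the trust name is a placeholder, and the claim rules are the standard "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates with the Name ID format assumed to be unspecified.

```powershell
# Added example (not from the original page): applies the two IdP-side settings
# above to an existing relying party trust. Run in an elevated session on the
# ADFS server. The trust name is a placeholder.
param([string]$TrustName = 'Core SAML')
Import-Module ADFS

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

# Signature algorithm: this URI is what the "SHA1" choice on the Advanced tab
# sets. SHA-1 is deprecated for signatures, so confine it to this one trust.
$sha1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
if ($trust.SignatureAlgorithm -ne $sha1) {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -SignatureAlgorithm $sha1
}

# Claim rules: read userPrincipalName from AD, then issue it as the SAML Name ID.
# NOTE: -IssuanceTransformRules replaces ALL existing transform rules on the trust,
# so merge these with any rules you already have before running this.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $rules

# Verify what is now on the trust.
Get-AdfsRelyingPartyTrust -Name $TrustName | Select-Object Name, SignatureAlgorithm, IssuanceTransformRules
```

The issued Name ID is the raw userPrincipalName, which is what Core compares against USER_QUALIFIED and USER_SAM, so the user records in Core must carry the same name@domain value.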
Issue:
I can’t see my signing certificate
Resolution
Digital certificates must:
have a private key
be installed in the local machine certificate store (not the current user store)
be accessible to the account running the application pool; Core runs under Network Service by default
The app pool identity must have full control of the certificate's private key.
Set the friendly name of the certificate to make it easier to identify.
Once these conditions are met, the SAML connector should appear in the list of integration connectors.
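The certificate requirements above can be verified and the private key permission granted from PowerShell, which is what the MMC "Manage Private Keys" dialog does under the hood. This is an added example, not code from the original page or the product; the thumbprint, account name, friendly name and the folder search for the key file are assumptions to adapt to your environment.

```powershell
# Added example (not from the original page): verifies that a signing certificate
# meets the requirements listed above and grants the application pool identity
# access to its private key. Run elevated. Thumbprint, account and friendly
# name are placeholders.
param(
    [string]$Thumbprint     = 'REPLACE_WITH_THUMBPRINT',
    [string]$AppPoolAccount = 'NT AUTHORITY\NETWORK SERVICE',   # 'IIS AppPool\<name>' if the pool uses ApplicationPoolIdentity
    [string]$FriendlyName   = 'Core SAML signing',
    [string]$Rights         = 'FullControl'   # what the page requires; 'Read' is all that signing actually needs
)

# Must be the machine store, not Cert:\CurrentUser\My.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint is not in the local machine store" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; import the PFX, not just the CER" }

# A friendly name makes the certificate easy to pick out in MMC and in Core.
if (-not $cert.FriendlyName) { $cert.FriendlyName = $FriendlyName }

# Locate the private key file. CSP keys and CNG keys live under different
# folders, so ask the key object for its unique name and search for it.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate $Thumbprint does not carry an RSA private key" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File `
    -Filter (Split-Path -Path $keyName -Leaf) -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found; keys on an HSM or smart card have no file to ACL" }

# Grant the app pool identity access to the key file.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolAccount, $Rights, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Show the result.
[PSCustomObject]@{
    Subject      = $cert.Subject
    FriendlyName = $cert.FriendlyName
    NotAfter     = $cert.NotAfter
    KeyFile      = $keyFile.FullName
    Access       = ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $AppPoolAccount } |
                    ForEach-Object { $_.FileSystemRights }) -join ', '
}
```

After running it, recycle the application pool so the worker process picks up the new permission, then reopen the connector list in Core.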
Issue:
Page Cannot Be Displayed error after logging into the authentication server
Resolution
Solution 1:
Check that the Service Provider ID configured in Core matches the spid in the endpoint URL configured for the relying party trust on the ADFS server.
The value in Core's SAML connector settings must match the spid in the relying party's endpoint URL (screenshots omitted).
Solution 2:
If you have created a new self-signed certificate, make sure the Relying Party properties have been updated by importing the new certificate and removing the old one.
Export the current certificate from Core, then import the new certificate into the relying party and remove the old one (screenshots omitted).
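Both solutions above can be checked from the ADFS side in one pass: compare the spid in each SAML endpoint URL with Core's Service Provider ID, and compare the certificate(s) stored on the trust with the one Core currently uses. This is an added example, not code from the original page or the product; the trust name, expected Service Provider ID and thumbprint are placeholders, and it assumes Core's certificate is stored as the trust's request signing certificate.

```powershell
# Added example (not from the original page): run on the ADFS server to compare
# the relying party trust with what Core is configured with. Trust name,
# expected Service Provider ID and thumbprint are placeholders.
# To obtain the .cer for -NewCertPath, export the public half on the Core server:
#   Get-Item Cert:\LocalMachine\My\<thumbprint> | Export-Certificate -FilePath core.cer
param(
    [string]$TrustName          = 'Core SAML',
    [string]$ExpectedSpid       = 'https://core.example.com/saml',
    [string]$ExpectedThumbprint = 'REPLACE_WITH_CORE_CERT_THUMBPRINT',
    [string]$NewCertPath        = ''   # path to the exported .cer; empty = report only
)
Import-Module ADFS
Add-Type -AssemblyName System.Web

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

# Solution 1: the spid in each SAML endpoint URL must equal Core's Service Provider ID.
# ParseQueryString URL-decodes the value, so an encoded spid compares correctly.
foreach ($ep in $trust.SamlEndpoints) {
    $spid  = [System.Web.HttpUtility]::ParseQueryString($ep.Location.Query)['spid']
    $state = if ($spid -eq $ExpectedSpid) { 'OK' } else { 'MISMATCH' }
    Write-Host "$($ep.Protocol) $($ep.Binding) $($ep.Location) -> spid='$spid' [$state]"
}

# Solution 2: the certificate(s) stored on the trust must be the one Core uses now;
# a stale self-signed certificate produces the Page Cannot Be Displayed error above.
$stored = (@($trust.RequestSigningCertificate) + @($trust.EncryptionCertificate)) | Where-Object { $_ }
foreach ($c in $stored) {
    $state = if ($c.Thumbprint -eq $ExpectedThumbprint) { 'current' } else { 'STALE' }
    Write-Host "Trust certificate $($c.Thumbprint) expires $($c.NotAfter) [$state]"
}

if ($NewCertPath) {
    $new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($NewCertPath)
    # Assumption: Core's certificate is the request signing certificate. Setting the
    # parameter replaces the whole collection, which is how the old one is removed.
    # If Core's certificate is used for encryption instead, use -EncryptionCertificate.
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -RequestSigningCertificate $new
    Write-Host "Replaced request signing certificate with $($new.Thumbprint)"
}
```

Run it first without -NewCertPath to see which endpoint or certificate is wrong, then rerun with the exported .cer to apply the fix.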