# SSO Troubleshooting


Issue:	Page cannot be displayed on Sso.aspx
Resolution	Make sure there is an SSL binding for the website. SSL is required. Check that there is an spid in the query string 404 indicates non spid or an invalid spid. This must be the Service Provider Identifier and can be Url encoded.

Issue:

Page cannot be displayed on Sso.aspx

Resolution

Make sure there is an SSL binding for the website. SSL is required.

Check that there is an spid in the query string

404 indicates non spid or an invalid spid. This must be the Service Provider Identifier and can be Url encoded.


Issue:	Error processing login request. Invalid Login ID or Password Please Verify and re-enter your login information
Resolution	Using the recommended configuration, where SAML Name ID is mapped to User Principal Name by the IdP, the user name will be compared to User Qualified Name (USER_QUALIFIED) and NT Account Name (USER_SAM). Both must equal the User Principal Name, which should be in the form name@domain


Issue:	User Import doesn’t seem to work
Resolution	User import may fail if the update would result in a duplicate Login ID (USER_ID), User Qualified Name or NT Account Name/Domain


Issue:	Could not load file or assembly 'Newtonsoft.Json, Version=4.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies
Resolution	Add the following to the configuration section of the web.config <runtime> <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> <dependentAssembly> <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/> <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0"/> </dependentAssembly> </assemblyBinding> </runtime>

Issue:

Could not load file or assembly 'Newtonsoft.Json, Version=4.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies

Resolution

Add the following to the configuration section of the web.config

<assemblyIdentity name="Newtonsoft.Json"

publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>

</dependentAssembly>

</assemblyBinding>

</runtime>


Issue:	SignatureDescription could not be created for the signature algorithm supplied.
Resolution	The secure hash algorithm used for the Relying Party trust is not set to SHA1. ADFS defaults to SHA256, but this is not supported. Change the hash algorithm to SHA1 on the advanced tab of the Relying Party Trust

Issue:

SignatureDescription could not be created for the signature algorithm supplied.

Resolution

The secure hash algorithm used for the Relying Party trust is not set to SHA1. ADFS defaults to SHA256, but this is not supported.

Change the hash algorithm to SHA1 on the advanced tab of the Relying Party Trust


Issue:	Assertion Subject does not define a NameID
Resolution	User Principal Name should be mapped to Name ID in the IdP claims configuration


Issue:	I can’t see my signing certificate
Resolution	Digital certificates must have a private key must be installed in the local machine certificate store be accessible to the account running the app pool Core runs under Network Service by default The app pool must have full control of the certificate The friendly name of the certificate should be set to make management easier. SAML connector should now appear in the list of integration connectors:

Issue:

I can’t see my signing certificate

Resolution

Digital certificates must

have a private key
must be installed in the local machine certificate store
be accessible to the account running the app pool

Core runs under Network Service by default

The app pool must have full control of the certificate

The friendly name of the certificate should be set to make management easier.

SAML connector should now appear in the list of integration connectors:


Issue:	Page Cannot Be Displayed Error after logging into authentication server:
Resolution	Solution 1: Check that service provider ID in Core matches the SPID in the endpoint url configured in the relying party on the ADFS server This: Should match this: Solution 2: If you have created a new self-signed certificate, make sure that the Relying Party properties have been updated by importing the new certificate (and removing the old one). Export the current certificate: Import new certificate to the relying party and remove the old one:

Issue:

Page Cannot Be Displayed Error after logging into authentication server:

Resolution

Solution 1:

Check that service provider ID in Core matches the SPID in the endpoint url configured in the relying party on the ADFS server

This:

Should match this:

Solution 2:

If you have created a new self-signed certificate, make sure that the Relying Party properties have been updated by importing the new certificate (and removing the old one).

Export the current certificate:

Import new certificate to the relying party and remove the old one:

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.alemba.com/asm/asm-hermes/integrate/managing-integration/single-sign-on-using-saml/sso-troubleshooting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.