SSO Troubleshooting

Issue:

Page cannot be displayed on Sso.aspx

Resolution

Make sure there is an SSL binding for the website. SSL is required.

Check that there is an spid parameter in the query string.

A 404 indicates a missing or invalid spid. The value must be the Service Provider Identifier, and it may be URL encoded.

Issue:

Error processing login request. Invalid Login ID or Password Please Verify and re-enter your login information

Resolution

With the recommended configuration, where the IdP maps the SAML Name ID to the User Principal Name, the incoming user name is compared with both the User Qualified Name (USER_QUALIFIED) and the NT Account Name (USER_SAM). Both must equal the User Principal Name, which should be in the form name@domain.

Issue:

User Import doesn’t seem to work

Resolution

User import may fail if the update would result in a duplicate Login ID (USER_ID), User Qualified Name, or NT Account Name/Domain.

Issue:

Could not load file or assembly 'Newtonsoft.Json, Version=4.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies

Resolution

Add the following inside the <configuration> element of web.config:

    <runtime>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <dependentAssembly>
          <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
          <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0"/>
        </dependentAssembly>
      </assemblyBinding>
    </runtime>

Issue:

SignatureDescription could not be created for the signature algorithm supplied.

Resolution

The secure hash algorithm on the Relying Party trust is not set to SHA1. ADFS defaults to SHA256, which is not supported.

Change the secure hash algorithm to SHA1 on the Advanced tab of the Relying Party Trust properties.

Issue:

Assertion Subject does not define a NameID

Resolution

User Principal Name should be mapped to Name ID in the IdP claims configuration.

Issue:

I can’t see my signing certificate

Resolution

Digital certificates must:

  • have a private key

  • be installed in the local machine certificate store

  • be accessible to the account running the app pool

Core runs under Network Service by default.

The app pool account must have full control of the certificate.

The friendly name of the certificate should be set to make management easier.

The SAML connector should now appear in the list of integration connectors.
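Added check script, not from the original page or the product's own tooling: it verifies the three certificate requirements above for one certificate and reports whether the app pool account has Full Control of the private key file. The thumbprint is a placeholder, and Network Service is assumed as the app pool identity because the page states it is the Core default.

```powershell
# Added example (not part of the original troubleshooting page).
# Checks: cert is in the local machine store, has a private key, and the
# app pool account has Full Control of the private key file.
param(
    [string]$Thumbprint     = 'REPLACE_WITH_THUMBPRINT',      # placeholder, not a real value
    [string]$AppPoolAccount = 'NT AUTHORITY\NETWORK SERVICE'  # assumption: Core default identity
)

# Requirement 1: the certificate is in the local machine Personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    Write-Warning "Certificate $Thumbprint not found in Cert:\LocalMachine\My (local machine store)."
    return
}
Write-Output "Subject       : $($cert.Subject)"
Write-Output "Friendly name : $(if ($cert.FriendlyName) { $cert.FriendlyName } else { '<not set>' })"
# To set a friendly name: (Get-Item Cert:\LocalMachine\My\$Thumbprint).FriendlyName = 'Core SAML signing'

# Requirement 2: a private key is present.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no private key; it cannot be used for SAML signing.'
    return
}

# Requirement 3: the app pool account can use the key. Locate the key container file so its
# ACL can be inspected. CNG keys expose a UniqueName; legacy CSP keys a UniqueKeyContainerName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { Write-Warning 'Private key is not RSA; this script only inspects RSA keys.'; return }
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
           else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName `
               -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) {
    Write-Warning "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto."
    return
}

$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow = (Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $AppPoolAccount }
$granted = $allow | Where-Object { ($_.FileSystemRights -band $full) -eq $full }
if ($granted) {
    Write-Output "$AppPoolAccount has Full Control of the private key ($($keyFile.FullName))."
} elseif ($allow) {
    Write-Warning "$AppPoolAccount has only: $($allow.FileSystemRights -join ', '); Full Control is required."
} else {
    Write-Warning "$AppPoolAccount has no access to the private key file $($keyFile.FullName)."
}
```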

Issue:

Page Cannot Be Displayed error after logging into the authentication server.

Resolution

Solution 1:

Check that the service provider ID in Core matches the SPID in the endpoint URL configured for the relying party on the ADFS server.


Solution 2:

If you have created a new self-signed certificate, make sure that the Relying Party properties have been updated by importing the new certificate (and removing the old one).

Export the current certificate.

Import the new certificate into the relying party and remove the old one.