SSO Troubleshooting

Debugging SAML Request

  1. Open the sign-on URL and, once you land on the IdP page, copy the URL of that page.

  2. Copy the SAMLRequest parameter value out of it.

  3. Use one of the conversion tools, e.g., https://www.samltool.com/online_tools.php, and perform these steps:

    • URL decode

    • Base64 decode & Inflate
      This yields the SAML Request as XML, where you can check the ACS URL and the entityID (SAML Issuer). The IdP must recognize these values for SSO to work.

As an easier alternative, you can use a browser plugin (e.g., SAML-tracer or any other) which does the same in one step.
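The same three steps in code, as an added example that is not part of Pricefx's documentation or product: it decodes a SAMLRequest parameter and lists the ACS URL, the entityID (Issuer, noting the trailing slash) and the RequestedAuthnContext entries in the order sent, which is also what you check when adjusting authnContexts. The sample AuthnRequest, its hostname and partition name are constructed placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_request(param_value: str) -> str:
    """URL-decode, Base64-decode and inflate a SAMLRequest query parameter
    (HTTP-Redirect binding: raw DEFLATE, so wbits=-15). Returns the XML text."""
    raw = base64.b64decode(urllib.parse.unquote(param_value))
    return zlib.decompress(raw, -15).decode("utf-8")

def summarize_authn_request(xml_text: str) -> dict:
    """Extract what the IdP must recognise: ACS URL, entityID (Issuer) and the
    RequestedAuthnContext class references in the order they were sent."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    entity_id = issuer.text.strip() if issuer is not None and issuer.text else None
    return {
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "entity_id": entity_id,
        "entity_id_has_trailing_slash": bool(entity_id and entity_id.endswith("/")),
        "comparison": rac.get("Comparison") if rac is not None else None,
        "authn_contexts": [e.text.strip() for e in root.findall(
            "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)],
    }

def encode_saml_request(xml_text: str) -> str:
    """Inverse of decode_saml_request; used here only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

# Constructed sample AuthnRequest; host, partition and ID are placeholders, not real values.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://customer.example.test/pricefx/customer-qa/saml/SSO">'
    '<saml:Issuer>https://customer.example.test/pricefx/customer-qa/saml/</saml:Issuer>'
    '<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
    'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>'
)
SAMPLE_PARAM = encode_saml_request(SAMPLE_XML)  # what a browser carries in ?SAMLRequest=
```

To inspect a real request, pass the copied parameter value to decode_saml_request and feed the result to summarize_authn_request.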

User Unknown

If you get the following response in your browser:

{"error":"User unknown: firstname.surname@somecompany.com"}

it means that the user authentication worked for the identity provider but it was not possible to find the user in the Pricefx partition.

Make sure that:

  1. The user exists in the partition.

  2. You access the right partition.

  3. The NameID Mapping attribute is set correctly (email or loginName) in the SAML configuration.

To prevent such cases, you can make use of the Auto-Provisioning functionality.

Login Screen Instead of SSO Login

If you see the common login screen instead of the SSO login screen, check the Pricefx SAML Configuration and make sure the RelayState parameter contains a valid partition parameter. If it names a different partition than the one you want to log into, the server returns "unauthorized" for the REST call.

RelayState: /app/?partition=customer-qa&confName=crm_config_customer-qa&applicationEnvironment=salesforce

PFX Classic Instead of Unity After SSO Authorization

If you see the Pricefx Classic UI instead of the Unity UI after the SSO authorization, check whether the RelayState parameter really exists. Classic is the fallback used when the SAML service does not find the RelayState specified in the SAML request.

If the login URL is: https://customer.pricefx.eu/pricefx/sonaeauraco/saml/login/UNITY/?RelayState=QuoteConfigurator

it means that in Pricefx SAML there must be a configuration named "UNITY" with the RelayState "QuoteConfigurator".

Error on AuthnContext

If you get an error during the login complaining about AuthnContext, for example "AADSTS9002: One AuthnContextClassRef or AuthnContextDeclRef entry is expected in RequestedAuthnContext", add the following line to the configuration (typically named DEFAULT) under Administration > Configuration > Advanced Configuration Options > samlConfiguration:

"authnContexts": [ "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" ],

Authentication method 'X509, WindowsIntegrated' doesn't match requested authentication method 'Password, ProtectedTransport'

If you get an error "AADSTS75011: Authentication method 'WindowsIntegrated' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the PriceFx application owner.", add the following line to the configuration (typically named DEFAULT) under Administration > Configuration > Advanced Configuration Options > samlConfiguration:

"authnContexts": [ "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:X509" ],

Could not parse certificate: java.io.IOException

The certificate copy-pasted into the text field does not have the right structure (e.g., an extra character was copied, the BEGIN/END tags are missing, or the line breaks are wrong).

Note that this message also means the authentication itself was successful; the issue was found further down the path.

Signature validation failed. SAML Response rejected.

The certificate set in the configuration is not the correct one. For example, Microsoft regularly rotates its certificates in Azure. Or the certificate may have expired.

If you want to check the certificate validity on your own, you can use one of the online SSL certificate decoders, such as SSL Checker or SSL Shopper.
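An added example (not Pricefx's own code) that checks a pasted certificate for the structural defects described under "Could not parse certificate" and rewrites it as canonical PEM; the sample input is constructed and stands in for a real certificate.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")

def check_pasted_certificate(pasted: str):
    """Diagnose the usual copy-paste defects (extra characters, missing BEGIN/END
    tags, wrong line breaks). Returns (problems, canonical_pem); canonical_pem is
    None when the Base64 body cannot be recovered at all."""
    problems = []
    text = pasted.replace("\r\n", "\n").strip()
    if BEGIN not in text:
        problems.append("missing BEGIN CERTIFICATE tag")
    if END not in text:
        problems.append("missing END CERTIFICATE tag")
    # Keep only what sits between the tags (or everything if a tag is missing).
    body = text.split(BEGIN, 1)[-1].split(END, 1)[0]
    body = re.sub(r"\s+", "", body)  # stray line breaks and spaces are harmless once removed
    stray = sorted(set(NOT_B64.findall(body)))
    if stray:
        # Invisible characters such as a zero-width space from a web page end up here.
        problems.append("extra characters in body: %r" % "".join(stray))
        body = NOT_B64.sub("", body)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        problems.append(f"Base64 body is not decodable ({exc}); probably truncated")
        return problems, None
    if not der.startswith(b"\x30"):
        problems.append("decoded data does not start with a DER SEQUENCE; not an X.509 certificate")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # PEM uses 64-character lines
    return problems, "\n".join([BEGIN, *lines, END]) + "\n"

# Constructed input: a tiny DER SEQUENCE ("MAMCAQE=") standing in for a real certificate,
# pasted with Windows line endings, a space inside the body and a stray zero-width space.
SAMPLE_PASTE = "-----BEGIN CERTIFICATE-----\r\nMAMC AQE=\u200b\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    found, pem = check_pasted_certificate(SAMPLE_PASTE)
    print("\n".join(found) or "no problems found")
    print(pem)
```

Once the structure is clean, the expiry for the "Signature validation failed" case can be read locally with `openssl x509 -in cert.pem -noout -dates`.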

AADSTS700016: Application with identifier 'xxx' was not found in the directory 'xxx'

This means that the EntityID is unknown on the IdP side. Make sure the setup at the IdP has been done correctly. It could be just a matter of the trailing slash: Pricefx always includes it unless set otherwise.

To have the trailing slash removed, go to Advanced Configuration Options and adjust 'samlConfiguration' by adding the following line:

NO SAMLResponse parameter

If you get this error, check the URL and make sure you use a valid partition name in the URL.

Invalid SAML response received

This message indicates that the mapping on the IdP side is not correct and the IdP does not send a NameID. Without a NameID it is not clear which user the request belongs to.

SAMLRequest contains a list of default “AuthNContext” entries

Sometimes the IdP insists on a certain order of entries, on certain values, or on both. This can be adjusted via the advanced SAML configuration (not via the UI).

Pricefx version 12.0