Troubleshooting SAML SSO issues

Use the following topics to resolve common issues with SAML SSO.

SRVE0295E: Error reported: 203 error when accessing the Admin UI

Solution
  1. Open the $TOP/etc/default/common.properties file.
  2. Set the value of the enable_referer_check property to false.
  3. Restart the application and ensure that all services are running.
Note: A referer check is a defense against cross-site request forgery (CSRF). Disabling it removes that check for the Admin UI, so make this change only if the 203 error occurs after enabling SAML SSO.

CWPKI0428I: The signer might need to be added to the local trust store when accessing the Admin UI

Solution
You can use the Retrieve from port option in the WebSphere® Application Server administrative console to retrieve the signer certificate from the endpoint and add it to the trust store. Add the signer only if you have confirmed that the endpoint is the one you expect: compare the certificate details that the console shows in step 8 (issuer, subject, and fingerprint) with values you obtained from the certificate owner before you apply them. If the request is trusted, complete the following steps.
  1. Log in to the administrative console.
  2. Expand Security and click SSL certificate and key management.
  3. Under the Configuration settings, click Manage endpoint security configurations.
  4. Select the appropriate outbound configuration to get to the (cell):<CELL>:(node):<NODE> management scope.
  5. Under the Related Items, click Key stores and certificates and click the NodeDefaultTrustStore key store.
  6. Under the Additional Properties, click Signer certificates, and then click Retrieve from port.
  7. Enter the host name, port, and alias.
  8. Click Retrieve Signer Information and verify the certificate information.
  9. Click Apply and Save.
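The following script is an added example and is not part of the product documentation or the WebSphere Application Server tooling. It shows one way to check the certificate that Retrieve from port would import: it fetches the certificate served on the endpoint with openssl, computes its SHA-256 fingerprint, and compares that value with the fingerprint of a copy of the certificate that you obtained from the certificate owner out of band. The host name, port, and file name are placeholders.

```shell
#!/bin/sh
# Added example, not from the product documentation: obtain the SHA-256
# fingerprint of the certificate served on an endpoint so that it can be
# compared with the value shown by "Retrieve Signer Information" and with
# a copy of the certificate supplied by its owner. Host, port and file
# names used here are placeholders.

# Fingerprint of the leaf certificate presented by host:port (needs network).
fetch_signer_fingerprint() {
  host="$1"; port="$2"
  openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 \
    | sed 's/^.*Fingerprint=//'
}

# Fingerprint of a PEM certificate file (for example, one the IdP owner sent you).
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*Fingerprint=//'
}

# Returns 0 when both fingerprints are non-empty and agree (case-insensitive),
# 1 otherwise. An empty fingerprint means the retrieval failed, so it never matches.
fingerprints_match() {
  a=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  b=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (placeholders):
#   expected=$(pem_fingerprint idp-signer.pem)
#   actual=$(fetch_signer_fingerprint idp.example.com 443)
#   fingerprints_match "$expected" "$actual" && echo "signer matches" || echo "MISMATCH: do not add signer"
```

Compare the fingerprint printed by fetch_signer_fingerprint with the one shown in the console after you click Retrieve Signer Information; both describe what the endpoint is serving right now, so the comparison that matters is against the copy from the certificate owner. Treat any mismatch as a reason not to click Apply.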

Admin UI and Persona-based UI do not load after a browser refresh when the IdP session has expired and Windows authentication is enabled for SAML

Solution
  1. Close the browser.
  2. Open the browser again and access the Admin UI or the Persona-based UI. Confirm that you can now log in to both interfaces.

Admin UI or Persona-based UI login screen is displayed

Cause
The login page can be displayed for several reasons:
  • The URL used to access the application does not match the URL pattern that is given in the SAML SSO configuration. The expected URLs are:
      Admin UI: https://<hostname>:<port>/
      Persona-based UI: https://<hostname>:<port>/mdm_ui/#/login
  • The session has expired.
  • SAML authentication has failed.
Solution
  • If the URL does not match, access the application by using a URL that matches the pattern in the SAML SSO configuration.
  • If the session has expired, refresh the URL in the browser to log in again. You can also increase the session timeout for the application.
  • If SAML authentication has failed, check your SAML configuration.
  • Enable the following loggers to trace the issue.
    1. Enable the Login.wpcs logger.
      Add a logger and an appender for the LDAP logger to the $TOP/etc/default/log4j2.xml file. In the Login.wpcs script, the default logger is ldap.
      For example:
      Logger definition
        <Logger name="com.ibm.ccd.wpc_user_scripting.ldap" level="info" additivity="false">
          <AppenderRef ref="LDAPLOGGER" />
        </Logger>
      Appender definition
        <RollingFile name="LDAPLOGGER" fileName="%LOG_DIR%/${svc_name}/ldap.log" append="true"
            filePattern="%LOG_DIR%/${svc_name}/ldap-%d{MM-dd-yyyy}-%i.log">
          <PatternLayout>
            <Pattern>%d [%t] %-5p %c %x- %m%n</Pattern>
          </PatternLayout>
          <Policies>
            <TimeBasedTriggeringPolicy />
            <SizeBasedTriggeringPolicy size="10 MB" />
          </Policies>
          <DefaultRolloverStrategy max="2" />
        </RollingFile>
    2. Enable the SSO request filter logger.
      To enable debug logging, set level="debug" on the following logger in the $TOP/etc/default/log4j2.xml file.
        <Logger name="com.ibm.ccd.ui.sso.filters" level="debug" additivity="false">
          <AppenderRef ref="SERVLET_FILTERS" />
        </Logger>
    3. Check the ipm.log file for the SAML attributes and the roles that are assigned to the user.

HTTP Error 403 – Forbidden error message

Symptoms
On accessing the Admin UI or Persona-based UI, you get an "HTTP Error 403 – Forbidden" error.
Cause
The error indicates that the SAML token has expired.
Solution
  • Refresh the URL in the browser; the SAML login should then work.
  • Increase the SAML token expiry on your SSO partner. A longer token lifetime also lengthens the period during which a captured token remains usable, so increase it only as far as your users need.
Note: For information on troubleshooting SAML SSO - WebSphere Application Server issues, see Web Single Sign-on problems with WebSphere Application Server.