IBM Support

Troubleshooting SAML for IBM Aspera Console - Invalid SAML response/SAML login issues

Troubleshooting


Problem

When setting up SAML for Console you might run into issues including:
  • SAML response Error. Please check the logs.
  • Invalid SAML Response.
  • The requested SAML provider does not exist.
  • The SAML user must have an email address.
  • The page you were looking for doesn't exist.
  • Or other SAML-related errors.
Console typically provides a clear message in red text on the login page about what the failure was, but some errors require a deeper look into the logs or the SAML response itself. First, refer to the documentation for the appropriate setup steps: https://downloads.asperasoft.com/en/documentation/3

Cause

In order for SAML to function during login, the response from the IdP must match what Console is expecting. The documentation describes what these conditions are, such as NameID, Entity ID, Callback URL, Binding, and Attribute mapping.
If there is an unexpected value, or one does not map correctly, the request is denied and you receive an error message. The error depends on what type of issue you have.
  • The SAML user must have X
    - Incorrect Attribute Mapping for value X.
  • Invalid SAML Response. Check your SAML Configuration.
    - IdP/Console clocks are too far apart, or signature/certificate is invalid.
  • X is not a valid audience for this Response
    - Entity ID/metadata URL is incorrect.
  • The page you were looking for doesn't exist.
    - Incorrect ACS/Callback URL - or other issue with how the call to Console is being made.
    - config/console.yml file missing IdP URL in AcceptedHosts line

Diagnosing The Problem

Check the Console production logs for the SAML response that Console received. Error messages are displayed in red on the login page.
Windows: C:\Program Files\Console\log\production.300X.log - sort by last modified.
Linux: /opt/aspera/console/log/production.300X.log - check the latest two production logs and look at the end of the files.
Within the logs there are a few entries for SAML. Check for one that displays the error you received, or an error with a clear message (if there is no SAML message in this log, check the next latest production log).
[Screenshot: production log entries showing an example of a date/time issue]
If you don't have easy access to the log files, the SAML-tracer browser extension is a great alternative.
Once installed, open SAML-tracer from your browser's extensions bar, then attempt to log in to Console with SAML.
SAML-tracer creates a listing of the requests, with the SAML ones identified by 'SAML' on the right. Specifically, we are looking for the one with the 'callback' URL.
Here you find the entire SAML response sent from the IdP. If the issue is with attributes, check their values. If the issue is with 'Audience' or something else, verify that the information is what Console expects from the IdP.
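As an added example (not from IBM or the Console code base), the following script performs the same checks on a decoded SAML response that this article tells you to do by eye in SAML-tracer: it compares the Audience with the configured Entity ID, checks the validity window against the current time to spot clock drift, and confirms that NameID and the mapped email attribute are present. The sample response, the `https://console.example.com/saml` Entity ID, the `email` attribute name and the 60-second skew tolerance are all constructed assumptions; timestamps are assumed to be UTC with a `Z` suffix.

```python
import base64
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # standard SAML 2.0 assertion namespace
TS = "%Y-%m-%dT%H:%M:%SZ"  # assumption: IdP emits UTC timestamps with a 'Z' suffix


def check_saml_response(b64_response, expected_audience, now_utc, required_attr="email", max_skew=60):
    """Decode a base64 SAML Response (as captured with SAML-tracer) and list the mismatches
    that correspond to the Console login errors: audience, validity window, NameID and the
    mapped attribute. now_utc is a string in the same format as the IdP timestamps."""
    root = ET.fromstring(base64.b64decode(b64_response))
    now = datetime.strptime(now_utc, TS)
    findings = []
    # Audience must equal the Entity ID configured in Console, otherwise 'not a valid audience'.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"audience {audiences} does not match Entity ID {expected_audience!r}")
    # Validity window: if the IdP and Console clocks drift apart the response is rejected.
    cond = root.find(".//saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TS)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS)
    skew = timedelta(seconds=max_skew)
    if now < not_before - skew or now >= not_after + skew:
        findings.append(f"clock problem: now={now_utc} outside {cond.get('NotBefore')}..{cond.get('NotOnOrAfter')}")
    # NameID identifies the user; attribute mapping supplies the email Console requires.
    if root.find(".//saml:Subject/saml:NameID", NS) is None:
        findings.append("no NameID in Subject")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    if not attrs.get(required_attr):
        findings.append(f"attribute {required_attr!r} missing; IdP sent {sorted(attrs)}")
    return findings


# Constructed sample response (signature omitted): the IdP names the attribute 'mail', not 'email'.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-02-29T17:30:00Z" NotOnOrAfter="2020-02-29T17:40:00Z">
      <saml:AudienceRestriction><saml:Audience>https://console.example.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for f in check_saml_response(SAMPLE_B64, "https://console.example.com/saml", "2020-02-29T17:35:00Z"):
        print("FINDING:", f)
```

Paste the base64 value shown by SAML-tracer in place of SAMPLE_B64 to run the same checks on a real response; a finding on the attribute line points at the attribute mapping, one on the clock line at NTP.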

Resolving The Problem

Resolution depends on which issue you are experiencing, but it is typically clear from the error message.
If there is an issue with any of the fields in the response, adjusting those values in the IdP should clear the error.
If the error is about the date/time values being far apart, install and enable NTPD on the server so that the Console and IdP clocks stay in sync.
If the logs show 'Invalid Signature on SAML Response', the certificate or fingerprint used in the configuration does not match that of the IdP. Either regenerate the fingerprint, or check that the certificate doesn't include hidden characters that can cause an issue.
If you receive 'The page you were looking for doesn't exist', check /opt/aspera/console/config/console.yml and add the IdP URL to the AcceptedHosts line.

Document Location

Worldwide


Document Information

Modified date:
01 June 2020

UID

ibm15690391