This document describes how to troubleshoot the SAML single sign-on process.
Using the SAML Devtools Extension for Chrome
SAML single sign-on requires that the SAML Identity Provider sends the client browser a SAML assertion with these user attributes:
If any of these values is missing, the CentreStack server will typically reply with this message in the browser:
user name is missing from the response body
To troubleshoot SAML errors, you need to examine the SAML assertion provided by the identity provider. Follow this process to install the SAML Devtools Extension for Google Chrome:
- Start Chrome on the client and navigate to: https://chrome.google.com/webstore/category/extensions?hl=en-US
- In the search box type: saml devtools extension:
- For the extension offered by stefan.rasmusson.as click the Add to Chrome button:
- Click Add Extension in the next dialog.
- The SAML extension will be displayed in Chrome:
- To use the tool, press F12 to display Chrome's developer tools, then click the SAML tab, then click the Show only SAML option:
- In the address bar, navigate to the Relying Party Initiated Sign On URL, which will be in the format https://<centrestack_fqdn>/portal/LoginPage.aspx?sso=<tenant_id>, for example: https://cstackjjr.hadroncloud.com/portal/LoginPage.aspx?sso=y6oL0772
- Click on the last POST in the middle pane to view the SAML assertion. Click on the SAML tab to view the XML data:
- The most important part of the XML data is the Attributes in the assertion. This is usually where problems happen because CentreStack requires the name, givenname and surname attributes similar to what is seen here:
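The same attribute check can be scripted. The following is an added example, not part of the original page or of CentreStack: it decodes the base64 `SAMLResponse` form value from the last POST and reports which of the name, givenname and surname attributes are absent. The sample response is constructed, and matching on the last segment of a claim URI is an assumption about how your identity provider names the attributes.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("name", "givenname", "surname")  # attributes the page says are required

# Constructed sample response (surname deliberately left out), not real IdP output.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()


def short_name(attr_name):
    """Reduce a claim URI such as '.../claims/givenname' to 'givenname' (assumed rule)."""
    return attr_name.rstrip("/").rsplit("/", 1)[-1].lower()


def assertion_attributes(saml_response_b64):
    """Decode a SAMLResponse form value and return {short attribute name: [values]}."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes:  # SAML messages never need a DTD; refuse to parse one
        raise ValueError("unexpected DTD in SAML response")
    root = ET.fromstring(xml_bytes)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found.setdefault(short_name(attr.get("Name", "")), []).extend(values)
    return found


def missing_required(saml_response_b64):
    """Return the required attributes that are absent or carry only empty values."""
    found = assertion_attributes(saml_response_b64)
    return [r for r in REQUIRED if not any(found.get(r, []))]


if __name__ == "__main__":
    print("missing attributes:", missing_required(SAMPLE_B64))
```

This only inspects attribute content for troubleshooting. It does not validate the assertion's signature, and it cannot read an encrypted assertion.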