
Common SAML 2.0 Federation Issues and Debugging

While setting up your SAML 2.0 application, you might encounter issues with user logins. The following are some common issues to check in your configuration.

Incorrect Configuration

A value copied incorrectly from one side to the other leads to a configuration mismatch. To address this issue, double-check the federation values both in your IdP's SAML configuration and in the SSO Portal. You can also validate them against the SAML response your IdP returns to Infoblox: the browser posts it to the ACS URL as a base64-encoded SAMLResponse form field, which you can see in the developer network tools of your browser when a user attempts to log in to the Infoblox Portal.
Check the SAML authentication response, if possible, to validate the following configuration:

  • Audience URI - this affects the SAML request. Infoblox sends it as the issuer of the authentication request, and the IdP echoes it back in the assertion's <saml:Audience> element. If it was misconfigured, the IdP cannot match the request to your application and will not handle it.
  • HUB ACS URL - this affects the SAML response. The IdP posts the response to this URL (it appears as the Destination attribute of the response). If it was misconfigured, the IdP login will redirect to a non-existent page.
  • IDP Issuer URI - this affects the SAML response. It must match the <saml:Issuer> element of the response. If it was misconfigured, Infoblox cannot process authentication responses.
  • IDP Single Sign-On URL - this affects the SAML request, which is sent to this URL. If your IdP login page does not appear, this value was likely misconfigured.

Users Not Assigned to the SAML Application in the IdP

If you receive error messages such as "unauthorized/permission denied", "user is not assigned that application", or similar, your users are not assigned to the SAML application in your IdP.

To address this issue, verify that your users are assigned to the SAML application in your IdP, so they can be authenticated through it.

IdP Group Mapping Issues

When you enable IdP Group Mapping, only users who are members of the IdP groups you specified can be added to the Infoblox Portal. If IdP Group Mapping is configured but your IdP does not include the user's groups as an attribute in the SAML response, those users cannot access the Infoblox Portal.

Note

If users existed in the Infoblox Portal before the SAML 2.0 federation, IdP Group Mapping does not change the groups to which they belonged in the Infoblox Portal, and they can sign in normally. However, if the users did not exist in the Infoblox Portal before the federation, configuring IdP Group Mapping is the only way to connect the IdP users to your Infoblox Portal account. Hence, if your IdP users are not members of any of the IdP groups in your IdP Group Mapping, they will not have access to the Infoblox Portal.

You can check your IdP's SAML authentication response, if possible, to validate the presence of the <saml:Attribute Name="groups"> element, whose <saml:AttributeValue> children list the user's groups.
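As an added example (not Infoblox's own tooling), the following Python script decodes a SAMLResponse value copied from the browser's network tools and compares the values listed under Incorrect Configuration (Audience URI, HUB ACS URL, IDP Issuer URI) and the groups attribute used by IdP Group Mapping against the configured settings. The hostnames, the expected values, and the unsigned sample response are constructed for illustration. The script inspects configuration values only; it does not verify the response signature, so it is a debugging aid, not a validator.

```python
"""Decode a captured SAMLResponse and compare the values it carries with the
federation settings entered in the SSO Portal.

Added example; not Infoblox's own tooling. Hostnames, expected values and the
sample response below are constructed for illustration."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample. A real response is signed and much longer;
# this script inspects configuration values only and does NOT verify signatures.
SAMPLE_RESPONSE_XML = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://hub.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/entity</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/entity</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://hub.example.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>infoblox-admins</saml:AttributeValue>
        <saml:AttributeValue>infoblox-readonly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# The browser POSTs the response to the ACS URL as a base64 form field named
# SAMLResponse; copy that value from the developer tools Network tab.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Hypothetical values as entered in the SSO Portal and IdP Group Mapping.
EXPECTED = {
    "audience_uri": "https://hub.example.test/saml/metadata",
    "acs_url": "https://hub.example.test/saml/acs",
    "idp_issuer_uri": "https://idp.example.test/entity",
    "mapped_groups": {"infoblox-admins"},
}


def extract_values(samlresponse_b64):
    """Decode the SAMLResponse field and pull out the configuration-relevant values."""
    root = ET.fromstring(base64.b64decode(samlresponse_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    values = {
        "status": status.get("Value", "") if status is not None else "",
        "destination": root.get("Destination", ""),
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "audience": "",
        "groups": [],
    }
    if assertion is not None:
        values["audience"] = (assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience",
            default="", namespaces=NS) or "").strip()
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == "groups":
                values["groups"] = [(val.text or "").strip()
                                    for val in attr.findall("saml:AttributeValue", NS)]
    return values


def check_federation(samlresponse_b64, expected):
    """Return a list of mismatches; an empty list means the response matches the config."""
    v = extract_values(samlresponse_b64)
    problems = []
    if not v["status"].endswith(":Success"):
        problems.append("IdP returned status %r" % v["status"])
    if v["destination"] != expected["acs_url"]:
        problems.append("HUB ACS URL: response Destination is %r, expected %r"
                        % (v["destination"], expected["acs_url"]))
    if v["issuer"] != expected["idp_issuer_uri"]:
        problems.append("IDP Issuer URI: response Issuer is %r, expected %r"
                        % (v["issuer"], expected["idp_issuer_uri"]))
    if v["audience"] != expected["audience_uri"]:
        problems.append("Audience URI: assertion Audience is %r, expected %r"
                        % (v["audience"], expected["audience_uri"]))
    if not v["groups"]:
        problems.append('no <saml:Attribute Name="groups"> in the assertion; '
                        "users relying on IdP Group Mapping will be denied")
    elif not set(v["groups"]) & expected["mapped_groups"]:
        problems.append("user's groups %r match none of the mapped groups %r"
                        % (v["groups"], sorted(expected["mapped_groups"])))
    return problems


if __name__ == "__main__":
    for line in check_federation(SAMPLE_SAMLRESPONSE, EXPECTED) or ["all federation values match"]:
        print(line)
```

To use it against a real login, replace SAMPLE_SAMLRESPONSE with the SAMLResponse field from the POST to the ACS URL (URL-decode it first if you copied it from a raw form body) and EXPECTED with the values from the SSO Portal. An empty list means the four federation values and the groups attribute are consistent; each reported line names the SSO Portal setting to correct.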