Troubleshooting SAML SSO Configurations

The following messages display to the user when there is a login error:

Error Message:
You are not authorized to access this application. Contact your MAPS Administrator if you believe you received this message in error.

Suggestion:
The SAML response from the IdP did not include all the expected data needed for authorization. Check the user's group membership in MAPS. The user must be a member of at least one group. Also, at least one role must be assigned to each group; otherwise the user will not have access to any features in MAPS.

Note: If the Synchronize SAML users with local MAPS users check box is checked on the Edit Single Sign-On Server dialog, then users will not be required to be a part of a group in order to authenticate. Users who are not a member of a group will still need to be added individually in MAPS so that the SAML NameID matches the user name in MAPS. Most of the information on this page is relevant to users who leave the check box unchecked.

If problems continue, enable debug mode (use the MAPS Config Logging options) and replicate the issue. Additional information will be recorded in the log file.

MAPS Log File Messages (for Administrators)

The following messages may appear in the log file when debug is enabled:

SAML response received

MAPS received a response from the SAML IdP server.

Member of LDAP group "<example group>" [CN=<example group>,OU=Groups,DC=Example,DC=Local]
Member of MAPS group "<example group>"

The IdP returns the list of known LDAP and/or MAPS groups that the user belongs to (shown as <example group> in the message).

Not a member of any known groups

The user is not a member of any known groups.

• View the assertion and verify group(s) are in the memberOf attribute. MAPS searches for FriendlyName="memberOf".

• Make sure the group(s) in the assertion are added to MAPS.

Unable to validate issuer SSO NAME from the SAML response.

The IdP server is not known to MAPS. Make sure the EntityId from the IdP metadata matches the Issuer from the SAML response.
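The two checks behind the "Not a member of any known groups" and "Unable to validate issuer" messages, reproduced as an added Python example for inspecting a decoded assertion offline (this is not MAPS code); the sample assertion, the IdP EntityID and the group names are constructed for illustration:

```python
# Added example, not MAPS code: apply the issuer and memberOf checks this page
# describes to a decoded SAML assertion. Assumes the assertion is already
# base64-decoded XML; signature validation is out of scope here.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: an Issuer plus a memberOf attribute with two DNs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.local/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group" FriendlyName="memberOf">
      <saml:AttributeValue>CN=MAPS Admins,OU=Groups,DC=Example,DC=Local</saml:AttributeValue>
      <saml:AttributeValue>CN=Staff,OU=Groups,DC=Example,DC=Local</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def issuer_matches(assertion_xml, expected_entity_id):
    """Issuer check: the assertion's Issuer must equal the EntityID from IdP metadata."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    return issuer == expected_entity_id


def member_of_groups(assertion_xml):
    """Return every value of the attribute whose FriendlyName is 'memberOf' (may be empty)."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("FriendlyName") == "memberOf":
            for value in attr.iterfind("saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    groups.append(value.text.strip())
    return groups


def known_groups(assertion_xml, known):
    """Groups from the assertion that match a name MAPS knows, compared on the DN's CN."""
    found = []
    for dn in member_of_groups(assertion_xml):
        cn = dn.split(",")[0].split("=", 1)[-1]  # 'CN=MAPS Admins,...' -> 'MAPS Admins'
        if cn in known:
            found.append(cn)
    return found  # empty list corresponds to 'Not a member of any known groups'
```

The CN parsing is deliberately simple and does not handle escaped commas in a DN; for a real assertion, compare the full DN against the group as it was added in MAPS.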

<Single Sign-On Name>: Could not read Metadata. <IdP metadata URL>

The IdP metadata URL is not valid. Check the URL in the MAPS Config settings.