Basic SAML Troubleshooting
When troubleshooting SAML configuration or login issues, be sure to enable DEBUG mode for the SAML module. DEBUG mode allows additional logging and more detailed error messages to be captured in the zoomdata.log file (located in ), which is useful for troubleshooting purposes. To enable DEBUG mode, enter the following cURL command:
Commonly Reported Issues
Issue #1: Warning Message During IDP Redirection
User sees the following warning message during redirection to the IDP (Identity Provider):
This error is most likely caused by a time mismatch (clock skew) between the Zoomdata server and the IDP server.
Check that the NTP service is running on both machines; if it is not, start it and confirm that the time on both machines is the same.
Issue #2: Connection Error
User is encountering an error connecting to SAML and notices the following error message in the Zoomdata log files:
2015-09-28 07:25:39,138 DEBUG [o.s.s.s.w.WebSSOProfileImpl] Could not decode artifact response message.
org.opensaml.ws.message.decoder.MessageDecodingException: Could not find any artifact resolution services in metadata.
The IDP metadata does not define an artifact resolution service, which Zoomdata requires.
Add the following property string to the file (located in
Issue #3: Error Validating SAML Message on Zoomdata Home Page
After following the steps to configure SAML in Zoomdata and successfully connecting to the SAML IDP (e.g. ADFS) login page, the user may still encounter an "Error validating SAML message" error message on the Zoomdata home page after logging in via SAML.
When looking in the zoomdata.log/zoomdata-error.log files, the user might see the following error messages:
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Caused by: java.security.InvalidKeyException: Illegal key size
The SAML message is encrypted with a key stronger than AES-128, which is not allowed by the default cryptographic jurisdiction policy files shipped with the Java JDK.
To address this issue, download the appropriate JCE extension for unlimited strength encryption for your current Java version and install the unlimited strength policy files into the JDK that is shipped with Zoomdata. To install this JCE extension, copy the two .jar files contained in the downloaded JCE archive to the /opt/zoomdata/jre/lib/security directory on your Zoomdata server, replacing the existing limited-strength JCE files in this location.
Afterward, try following the steps to configure SAML in Zoomdata again and this issue should no longer occur.
Issue #4: Error Validating SAML Message (continued)
User continues to encounter the "Error Validating SAML message" error after entering credentials through their ADFS login page. They also see the following error messages in the zoomdata.log file:
2015-09-29 09:05:08,796 DEBUG [o.s.s.s.SAMLProcessingFilter] Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
The attribute specified in the "Username Mapping" of Zoomdata's SAML settings (under the Security tab, logged in as the Supervisor user) is not being sent by ADFS. In this example, the error message indicates that ADFS is not sending the "NameID" attribute.
Configure ADFS to add this attribute by following the steps below (this example continues to use the "NameID" attribute):
Add NameID as a "Claim rule name".
Choose "Active Directory" as the Attribute store.
Choose "SAMAccount-Name" as the LDAP attribute and "Name ID" as "Outgoing claim type".
Finish the wizard and confirm the claim rules window.
Verify in the Zoomdata SAML settings (under the Security tab, logged in as Supervisor) that this attribute (in this example, NameID) is specified correctly under the "Username Mapping" parameter.
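As an added example that is not part of the original Zoomdata documentation, the following Python script scans zoomdata.log lines for the signatures quoted under Issues #2 through #4, reports the matching issue and its remedy, and checks whether the SAML module actually logged at DEBUG level as recommended at the top of this page. The regexes and the sample log excerpt are constructed for this example.

```python
import re

# Signatures quoted on this page, mapped to the issue number and the remedy the
# page gives for it. Regexes are constructed for this example, not Zoomdata's.
SIGNATURES = [
    ("Issue #2", re.compile(r"Could not find any artifact resolution services in metadata"),
     "IDP metadata has no artifact resolution service: add the required property to the Zoomdata properties file."),
    ("Issue #3", re.compile(r"Illegal key size"),
     "Message encrypted stronger than AES-128: install the JCE unlimited strength policy files in /opt/zoomdata/jre/lib/security."),
    ("Issue #4", re.compile(r"AuthenticationServiceException: Error validating SAML message"),
     "If no 'Illegal key size' lines follow, the attribute in 'Username Mapping' (e.g. NameID) is not sent by ADFS: add the claim rule."),
]
# Zoomdata log prefix: timestamp, level, [logger]; o.s.s.s.* is the Spring Security SAML module.
LOG_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (\w+) \[([^\]]+)\]")

def triage_saml_log(lines):
    """Return (1-based line number, issue, hint) for every line matching a known signature."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for issue, pattern, hint in SIGNATURES:
            if pattern.search(line):
                hits.append((n, issue, hint))
                break
    return hits

def debug_logging_enabled(lines):
    """True if the SAML module logged anything at DEBUG, i.e. DEBUG mode was on."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group(1) == "DEBUG" and m.group(2).startswith("o.s.s.s."):
            return True
    return False

def summarize(lines):
    """De-duplicated issues in order of first appearance, plus the DEBUG-mode check."""
    issues = {}
    for _, issue, hint in triage_saml_log(lines):
        issues.setdefault(issue, hint)
    return {"debug_enabled": debug_logging_enabled(lines), "issues": list(issues.items())}

# Constructed sample excerpt built from the log messages quoted on this page.
SAMPLE_LOG = [
    "2015-09-28 07:25:39,138 DEBUG [o.s.s.s.w.WebSSOProfileImpl] Could not decode artifact response message.",
    "org.opensaml.ws.message.decoder.MessageDecodingException: Could not find any artifact resolution services in metadata.",
    "2015-09-29 09:05:08,796 DEBUG [o.s.s.s.SAMLProcessingFilter] Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message",
    "org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size",
    "Caused by: java.security.InvalidKeyException: Illegal key size",
]
```

Running `summarize(SAMPLE_LOG)` reports Issues #2, #4 and #3 in that order and confirms DEBUG logging was on; a log with no DEBUG lines from `o.s.s.s.*` signals that the DEBUG mode step above was skipped.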