
Common types of errors in the authentication via SAML 2.0 with AD FS


This section lists errors that may appear in the system log file after an error message during integrated authentication via SAML 2.0. For security reasons, some error messages shown on the login screen are deliberately vague or generic, so the application log file must be consulted for the details of the problem.


The entries below list common errors and how to solve them. Each entry gives the error followed by its solution.

Error: "Failed to decrypt EncryptedData" when authenticating the user.

Solution: Occurs when the Java JDK cryptographic policy restricts encryption key sizes to 1024 bits. Check the prerequisites in the Authentication in AD FS via SAML 2.0 section for more details.

Error: "Time Synchronization" when authenticating the user.

Solution: SAML messages are only accepted within a short time window after they are issued; this prevents replay attacks in which a captured request is sent again. Both the server running SE Suite and the authentication server must therefore have their clocks synchronized. Otherwise this error is written to the product log and the login is aborted.

Error: After synchronization, the user cannot log in to the system.

Solution: Access the SE Administration component > File > Organizational unit > User (AD004) and verify that the user is not inactive or blocked, and that the user has a Department and an Access Group configured.

Error: Authentication negotiation cannot reach the AD FS server.

Solution: Open the https://adfsserver/adfs/ls/IdpInitiatedSignOn.aspx link to check that the user name and password recognized by the browser are correct. The page should display the list of AD FS connection settings.

Error: "PKIX path building failed" when validating the certificate.

Solution: This covers problems that occur when validating certificates between the parties. The possible causes of this error are:


1. The certificate used to sign the requests is not valid: generate a new certificate and execute the procedure for installing the new SE Suite metadata on the authentication server.

2. The SSL certificate used on the SE Suite server is not recognized by the authentication server: import the SSL certificate as a trusted certificate on the authentication server.

3. Authentication server certificates are not recognized by SE Suite:

AD FS certificate:

i. Open AD FS, select the 'Certificate' folder and double-click 'Token-signing';

ii. Open the 'Details' tab and click the 'Copy to File' button;

iii. Export the certificate as Base-64 Encoded X.509;

IIS certificate of the authentication server:

i. Export the certificate as Base-64 Encoded X.509;

ii. Import the certificate into a trust store on the SE Suite server: keytool -import -trustcacerts -file <path/certificate.cer> -alias <alias> -keystore <path/certificate>.jks

iii. Add the system property to Tomcat's JAVA_OPTIONS (note the leading -D): -Djavax.net.ssl.trustStore=<path/certificate>.jks
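As an added example (not part of the SE Suite documentation or product code), the check below shows why the "Time Synchronization" entry above rejects a message when clocks drift: it parses the IssueInstant and Conditions of a constructed SAML Response and judges them against the service provider's clock with a tolerated skew. The sample response, the 60-second skew and the AD FS issuer URL are assumed values.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a response issued at 12:00:00Z whose assertion is valid
# for five minutes; signature and subject are omitted because only timing matters here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-15T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T12:00:00Z">
    <saml:Issuer>http://adfsserver/adfs/services/trust</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-15T12:00:00Z" NotOnOrAfter="2024-01-15T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    """Parse an xsd:dateTime as AD FS emits it: UTC with trailing 'Z', optional fraction."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp: %r" % value)
    base = value[:-1].split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_time_window(xml_text, now, skew=timedelta(seconds=60)):
    """Return (ok, reason) for a SAML Response judged at service-provider time `now`.
    `skew` is the tolerated clock difference (an assumed value, not SE Suite's)."""
    root = ET.fromstring(xml_text)
    issued = parse_ts(root.get("IssueInstant"))
    if issued - now > skew:
        return False, "IssueInstant %s is in the future: SP clock is behind the IdP" % issued
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        return False, "assertion carries no Conditions element"
    not_before = cond.get("NotBefore")
    if not_before and parse_ts(not_before) - now > skew:
        return False, "not yet valid (NotBefore %s): SP clock is behind the IdP" % not_before
    not_after = cond.get("NotOnOrAfter")
    if not_after and now - parse_ts(not_after) >= skew:
        return False, "expired (NotOnOrAfter %s): SP clock ahead of the IdP or replayed" % not_after
    return True, "time window OK"

if __name__ == "__main__":
    # Same message judged by three SP clocks: in sync, two minutes slow, two minutes fast.
    for sp_clock in ("2024-01-15T12:00:30Z", "2024-01-15T11:58:00Z", "2024-01-15T12:07:00Z"):
        print(sp_clock, check_time_window(SAMPLE_RESPONSE, parse_ts(sp_clock)))
```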