FileBound: Testing SSO SAML Configuration

Testing Configuration:

  1. Once you’ve confirmed metadata has been exchanged between FileBound and your Identity Provider, click the ‘Test Configuration’ button.
    1. To try this manually, use this URL: <fileboundurl>/saml/SingleSignOn?forceNew=true
    2. This clears your current session, forces the web server to pull the latest settings from the database, and directs you to the SSO login path.
    3. This is also helpful if you made a significant setting change during business hours: give the URL to your users so they pick up the new settings instead of a cached session.
  2. If you see an error and your browser's address bar shows your Identity Provider's URL, the failure happened on the Identity Provider side: check the Identity Provider logs.
  3. If you see an error and your browser's address bar shows the FileBound URL, the failure happened in FileBound: check the FileBound error log (common errors are listed below).

Once you’ve configured SSO and had multiple users successfully test Single Sign-On, you are ready to check ‘Enable SAML Single Sign-On’.

From that point on, any user navigating to <sitename>.filebound.com is redirected to your Identity Provider sign-on page, so make sure the test logins above succeed before enabling it.

Common Errors in the FileBound Error Log:

Most SAML errors are logged in this form:

Message: Saml Setup Error

Exception: ComponentSpace.SAML2.Exceptions

The exception name that follows (one of the ComponentSpace.SAML2 exception classes, the SAML library FileBound uses) and its message identify which check failed. Common examples:
  • SAMLErrorStatusException: An error SAML response status was received.
    • The Identity Provider answered with an error status. Sometimes the status detail is included in the log message, but usually you need to check the Identity Provider logs to learn why it rejected the request.
  • SAMLProtocolException: The audience restriction http://www.youMessedUp.com doesn't match the expected audience restriction https://correct.filebound.com/
    • The Audience in the assertion must exactly match (scheme, host and trailing slash included) the Entity ID/Audience configured in FileBound. Check that the value entered in the Identity Provider for the Service Provider Entity ID or Audience is the same string.
  • SAMLSignatureException: The SAML assertion signature failed to verify.
    • Make sure the public keys match. Usually you can compare the X509Certificate inside the Signature element of the Response with the public key stored for the Identity Provider in FileBound; a rotated or renewed Identity Provider signing certificate is a common cause.
    • Make sure the Identity Provider is signing with the algorithm FileBound expects; this article assumes SHA-1. SHA-1 signatures are deprecated, so confirm what your FileBound version supports before downgrading an Identity Provider that already signs with SHA-256.
  • SAMLSignatureException: The SAML response isn't signed.
    • Make sure the Identity Provider is configured to sign the Response, or uncheck the FileBound ‘want signed’ setting for the Response. Often the Identity Provider signs only the Assertion, which is usually acceptable as long as FileBound is not set to require a signed Response.
  • SAMLProtocolException: The SAML assertion is outside the valid time period.
    • Each assertion carries a validity window (NotBefore/NotOnOrAfter) and, for security, must be processed within it; FileBound allows roughly a minute of clock skew.
    • This usually means the clock on the FileBound server or on the Identity Provider is off. Make sure both are synchronized to the same time source (e.g. NTP).
  • SAMLBindingException: The message is not an HTTP POST.
    • FileBound expects the Response via the HTTP-POST binding. Correct the binding setting for FileBound on the Identity Provider.
  • SAMLProtocolException: There is no SSO session to partner http://adfs.org/adfs/services/trust to logout.
    • Single Logout often causes this.
    • The user should still be logged out of FileBound as expected; check the Identity Provider's logout configuration.
  • SAMLConfigurationException: A SAML configuration ID must be specified.
    • Single Logout often causes this as well.
    • The user should still be logged out of FileBound as expected; check the Identity Provider's logout configuration.
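The checks behind the audience, signature, time-window and status errors above can be reproduced offline against a captured Response, which is handy when the log message is terse. The following script is an added example written for this article, not FileBound or ComponentSpace code: it parses a constructed sample Response (the Identity Provider URL, IDs and the placeholder certificate string are made up), compares the X509Certificate in the message with the certificate you have stored for the Identity Provider, checks the audience against the expected FileBound Entity ID, and applies the NotBefore/NotOnOrAfter window with an assumed one-minute skew allowance. The expected signature algorithm defaults to RSA-SHA1 because that is what the article assumes; change it if your FileBound version expects something else.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # assumed expected algorithm

# Constructed sample Response for this example (not a real FileBound or IdP capture).
# The X509Certificate value is a placeholder string, not a real certificate.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://correct.filebound.com/saml/AssertionConsumerService">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T11:59:30Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>http://www.youMessedUp.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Placeholder for the Identity Provider certificate stored in FileBound.
STORED_IDP_CERT = "MIIC...placeholder..."


def parse_utc(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_cert(text):
    """Strip PEM armour and whitespace so two base64 certificate bodies compare as text."""
    lines = [ln.strip() for ln in text.strip().splitlines() if "CERTIFICATE" not in ln]
    return "".join(lines).replace(" ", "")


def check_response(xml_text, expected_audience, stored_cert, now,
                   skew=timedelta(minutes=1), expected_sig_alg=RSA_SHA1):
    """Return a list of findings, one per check that would make FileBound reject the Response."""
    root = ET.fromstring(xml_text)
    findings = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("status: IdP returned an error status; check IdP logs")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("assertion: no plaintext Assertion in Response (missing or encrypted)")
        return findings

    resp_sig = root.find("ds:Signature", NS)
    asrt_sig = assertion.find("ds:Signature", NS)
    if resp_sig is None and asrt_sig is None:
        findings.append("signature: neither Response nor Assertion is signed")
    elif resp_sig is None:
        findings.append("signature: only the Assertion is signed (usually acceptable)")

    for sig in (resp_sig, asrt_sig):
        if sig is None:
            continue
        cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        if normalize_cert(cert) != normalize_cert(stored_cert):
            findings.append("signature: X509Certificate in message differs from the IdP certificate stored in FileBound")
        alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg_uri = alg.get("Algorithm", "") if alg is not None else ""
        if alg_uri != expected_sig_alg:
            findings.append(f"signature: algorithm {alg_uri or '<none>'} is not the expected {expected_sig_alg}")

    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        findings.append(f"audience: {audiences} does not match expected {expected_audience}")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_utc(nb):
            findings.append("time: assertion not yet valid (clock skew?)")
        if noa and now - skew >= parse_utc(noa):
            findings.append("time: assertion expired (clock skew?)")
    return findings


def demo():
    """Run the sample against a mismatched audience, the matching audience, and a late clock."""
    now = parse_utc("2024-01-01T12:00:10Z")
    wrong = check_response(SAMPLE_RESPONSE, "https://correct.filebound.com/", STORED_IDP_CERT, now)
    right = check_response(SAMPLE_RESPONSE, "http://www.youMessedUp.com", STORED_IDP_CERT, now)
    late = check_response(SAMPLE_RESPONSE, "http://www.youMessedUp.com", STORED_IDP_CERT,
                          parse_utc("2024-01-01T12:07:00Z"))
    return wrong, right, late


if __name__ == "__main__":
    for label, result in zip(("wrong audience", "right audience", "late clock"), demo()):
        print(label, "->", result or ["ok"])
```

The script only checks the structural conditions; it does not verify the XML signature cryptographically, so a certificate that matches here can still fail verification in FileBound if the signed content was altered in transit. To use it on a real capture, paste the decoded Response into SAMPLE_RESPONSE, the stored certificate into STORED_IDP_CERT, and pass the Response's IssueInstant as `now`.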

Advanced Troubleshooting via SAML Trace:

You can capture the SAML messages the browser sends and receives with a browser extension. This is helpful when nothing else works, but only if you understand the SAML protocol well enough to read the decoded requests and responses. Treat a saved trace as sensitive: it contains the assertion, which may carry user identifiers and attributes, so redact it before attaching it to a support ticket.

SAML-tracer for Firefox: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

There are extensions for Chrome too, but the one above is much nicer.
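If you would rather decode a captured parameter yourself (or confirm which binding carried it, which is what the "not an HTTP POST" error is about), the following script is an added example written for this article, not part of FileBound or of the SAML-tracer extension. It encodes and decodes the two bindings FileBound's flow uses: HTTP-Redirect (raw DEFLATE, base64, URL-encoded query parameter, used for the AuthnRequest) and HTTP-POST (plain base64 form field, used for the Response). The AuthnRequest, Response, Identity Provider URL and IDs are constructed for the example.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed messages for this example; issuer, IDs and URLs are made up.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://idp.example.test/adfs/ls/"
    AssertionConsumerServiceURL="https://correct.filebound.com/saml/AssertionConsumerService">
  <saml:Issuer>https://correct.filebound.com/</saml:Issuer>
</samlp:AuthnRequest>"""

RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:01Z"
    Destination="https://correct.filebound.com/saml/AssertionConsumerService">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
</samlp:Response>"""


def encode_redirect_param(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode for the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")


def decode_redirect_param(value):
    """Reverse of encode_redirect_param. A value copied from a tracer is usually already
    URL-decoded; unquote() is harmless on plain base64 because it does not touch '+'."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_post_param(xml_text):
    """HTTP-POST binding: plain base64 in a form field, no compression."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_param(value):
    return base64.b64decode(value).decode("utf-8")


def summarize(xml_text):
    """Pull out the fields you check first when reading a trace."""
    root = ET.fromstring(xml_text)
    return {
        "type": root.tag.split("}")[-1],
        "ID": root.get("ID"),
        "Destination": root.get("Destination"),
        "Issuer": root.findtext("saml:Issuer", namespaces=NS),
    }


def decode_captured(method, params):
    """method and params are one request as the tracer shows it (GET query or POST form)."""
    name = next((n for n in ("SAMLRequest", "SAMLResponse") if n in params), None)
    if name is None:
        raise ValueError("no SAMLRequest/SAMLResponse parameter in this request")
    if method.upper() == "GET":
        binding, xml_text = "HTTP-Redirect", decode_redirect_param(params[name])
    else:
        binding, xml_text = "HTTP-POST", decode_post_param(params[name])
    info = summarize(xml_text)
    info.update(param=name, binding=binding, note="")
    # FileBound's Assertion Consumer Service expects the Response via HTTP-POST (see
    # SAMLBindingException above); a Response on the redirect binding is the misconfiguration.
    if name == "SAMLResponse" and binding != "HTTP-POST":
        info["note"] = "Response arrived via HTTP-Redirect; FileBound expects HTTP-POST"
    return info


if __name__ == "__main__":
    print(decode_captured("GET", {"SAMLRequest": encode_redirect_param(AUTHN_REQUEST)}))
    print(decode_captured("POST", {"SAMLResponse": encode_post_param(RESPONSE)}))
```

To use it on a real trace, copy the HTTP method and the SAMLRequest or SAMLResponse value from the tracer into `decode_captured`; the `type`, `Destination` and `Issuer` fields tell you which side sent the message and where it was going, and `binding` tells you whether the Identity Provider is posting the Response or redirecting with it.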