Troubleshoot SAML SSO
Use this information to troubleshoot common SAML SSO configuration and sign-in issues.
Sign in with SSO is not displayed
Cause
SAML SSO is disabled or the SAML configuration was removed.
Resolution
Confirm that SAML SSO is enabled. If needed, reconfigure SAML SSO in Settings > SAML SSO.
SAML SSO is not configured
Symptom
The sign-in attempt returns:
503 SAML SSO is not configured
Cause
The SAML configuration is missing.
Resolution
Reconfigure SAML SSO in Settings > SAML SSO and save the configuration.
Sign-in redirects to the identity provider but returns 401
Cause
SAML assertion validation failed. Common causes include an incorrect signing certificate, incorrect audience value, incorrect ACS URL, or an expired assertion.
Resolution
Confirm the following:
The identity provider signing certificate is correct.
The identity provider entity ID matches the DigiCert Private CA configuration.
The SP Entity ID is configured correctly in the identity provider.
The ACS URL is configured correctly in the identity provider.
The identity provider and DigiCert Private CA system clocks are synchronized.
SAMLResponse is required
Cause
The identity provider did not post a SAML response to the ACS endpoint.
Resolution
Confirm that the identity provider is configured to send the SAML response to the Private CA ACS URL using HTTP-POST.
Invalid SAMLRequest: Issuer mismatch during logout
Cause
The identity provider entity ID in the logout request does not match the entity ID in the Private CA SAML configuration.
Resolution
Verify that the identity provider entity ID is consistent across the SAML configuration and logout request.
Request has expired during logout
Cause
The NotOnOrAfter value in the logout request is in the past.
Resolution
Check time synchronization between the identity provider and the Private CA.
User is created but has the wrong role
Cause
Role mapping is not configured, or the configured role mapping does not match the SAML assertion.
Resolution
Review the SAML attributes released by your identity provider and confirm that your role-mapping configuration matches the expected attribute values.
If you use group-based role mapping, confirm that the SAML assertion includes the groups attribute.
Expired certificate is rejected
Cause
The identity provider metadata includes an expired signing certificate.
Resolution
Rotate the identity provider signing certificate, download updated identity provider metadata, and upload the updated metadata in the Private CA.