Skip to main content

Troubleshoot SAML SSO

Use this information to troubleshoot common SAML SSO configuration and sign-in issues.

Sign in with SSO is not displayed

Cause

SAML SSO is disabled or the SAML configuration was removed.

Resolution

Confirm that SAML SSO is enabled. If needed, reconfigure SAML SSO in Settings > SAML SSO.

SAML SSO is not configured

Symptom

The sign-in attempt returns:

503 SAML SSO is not configured

Cause

The SAML configuration is missing.

Resolution

Reconfigure SAML SSO in Settings > SAML SSO and save the configuration.

Sign-in redirects to the identity provider but returns 401

Cause

SAML assertion validation failed. Common causes include an incorrect signing certificate, incorrect audience value, incorrect ACS URL, or an expired assertion.

Resolution

Confirm the following:

  • The identity provider signing certificate is correct.

  • The identity provider entity ID matches the DigiCert Private CA configuration.

  • The SP Entity ID is configured correctly in the identity provider.

  • The ACS URL is configured correctly in the identity provider.

  • The identity provider and DigiCert Private CA system clocks are synchronized.

SAMLResponse is required

Cause

The identity provider did not post a SAML response to the ACS endpoint.

Resolution

Confirm that the identity provider is configured to send the SAML response to the Private CA ACS URL using HTTP-POST.

Invalid SAMLRequest: Issuer mismatch during logout

Cause

The identity provider entity ID in the logout request does not match the entity ID in the Private CA SAML configuration.

Resolution

Verify that the identity provider entity ID is consistent across the SAML configuration and logout request.

Request has expired during logout

Cause

The NotOnOrAfter value in the logout request is in the past.

Resolution

Check time synchronization between the identity provider and the Private CA.

User is created but has the wrong role

Cause

Role mapping is not configured, or the configured role mapping does not match the SAML assertion.

Resolution

Review the SAML attributes released by your identity provider and confirm that your role-mapping configuration matches the expected attribute values.

If you use group-based role mapping, confirm that the SAML assertion includes the groups attribute.

Expired certificate is rejected

Cause

The identity provider metadata includes an expired signing certificate.

Resolution

Rotate the identity provider signing certificate, download updated identity provider metadata, and upload the updated metadata in the Private CA.