Troubleshoot SAML errors

Most SAML errors are due to misconfiguration of the SAML Service Provider (SP) or the SAML Identity Provider (IdP). Ensure that all SAML configuration settings match between your DigiCert® Trust Lifecycle Manager profile and your SAML IdP.

You can troubleshoot errors with SAML enrollment requests by checking the audit log messages under the Reporting & Auditing > Audit logs menu in DigiCert® Trust Lifecycle Manager, paying attention to log entries with a FAILURE status.

Inspect SAML traffic via browser extension

Browser extensions can aid troubleshooting by letting you see the SAML requests and responses clearly; for example, the SAML DevTools extension for Chromium-based browsers (Chrome and Edge).

The SAML extension's panel is visible when the browser's developer tools (Inspect) are open. Use the SAML extension panel to confirm that the SAML requests for enrollments are actually sent and to read the responses that come back.

Audit logs

Troubleshoot errors with SAML enrollment requests by checking audit log messages.

To troubleshoot SAML enrollment request errors:

  1. In DigiCert® Trust Lifecycle Manager, navigate to Reporting & Auditing > Audit logs.

  2. Look for log entries with a FAILURE status.

Commonly encountered SAML error messages and their resolutions follow:

Example SAML error: Could not validate timestamp: expired. Check system clock
Resolution: Make sure that your IdP solution uses NTP so that digitally signed SAML Assertions can be validated successfully.

Example SAML error: Profile with ID=xxxxxxxx-xxxx-xxxxxxxxxxxxxx does not exist
Resolution: Check your SAML IdP configuration and make sure the correct Profile ID is configured.

Example SAML error: Invalid issuer in the Assertion/Response
Resolution: Check your SAML settings within the profile and make sure the correct IdP issuer value is configured.

Example SAML error: Wrong SAML profile configuration (Invalid settings: idp_cert_or_fingerprint_not_found_and_required)
Resolution: Check your SAML settings within the profile and make sure that the correct SAML IdP certificate value is configured.

Example SAML error:
  Signature validation failed. SAML Response rejected; invalid_response
  Cannot decrypt SAML Response: invalid SP certificate used for encryption?
Resolution: Check the SP's certificate that you uploaded in the IdP settings when you enabled SAML Response encryption.
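The following added example (not DigiCert's code) reproduces the first three failure classes in the table above (expired timestamp, unknown Profile ID, wrong issuer) on a constructed SAML Response, so you can see which misconfiguration produces which audit-log message before looking at a live IdP. It assumes, for illustration only, that the Profile ID is the last path segment of the Response's Destination URL; the issuer, URLs and UUID are placeholders, and signature verification and decryption (which need an XML-DSig library) are not covered.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not captured from any real IdP); values are placeholders
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://tlm.example/saml/11111111-2222-3333-4444-555555555555">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are ISO 8601 in UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected_issuer, known_profile_ids, now, skew=timedelta(minutes=3)):
    """Return the list of failures found; an empty list means all three checks passed."""
    errors = []
    root = ET.fromstring(xml_text)
    # Profile ID: assumed (for this example) to be the last path segment of Destination
    profile_id = root.get("Destination", "").rstrip("/").rsplit("/", 1)[-1]
    if profile_id not in known_profile_ids:
        errors.append(f"Profile with ID={profile_id} does not exist")
    # Every Issuer (Response and Assertion) must equal the IdP issuer configured in the profile
    if any(i.text != expected_issuer for i in root.iterfind(".//saml:Issuer", NS)):
        errors.append("Invalid issuer in the Assertion/Response")
    # Conditions window, tolerating a small clock skew between IdP and SP (hence the NTP advice)
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < _ts(not_before):
            errors.append("Could not validate timestamp: not yet valid. Check system clock")
        if not_after and now - skew >= _ts(not_after):
            errors.append("Could not validate timestamp: expired. Check system clock")
    return errors

def demo(profile_id="11111111-2222-3333-4444-555555555555"):
    """Run the checks at a valid time, one hour later (expired), and with a wrong issuer."""
    now = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)
    return (check_response(SAMPLE, "https://idp.example/metadata", {profile_id}, now),
            check_response(SAMPLE, "https://idp.example/metadata", {profile_id}, now + timedelta(hours=1)),
            check_response(SAMPLE, "https://other.example/idp", {profile_id}, now))
```

Running `demo()` returns an empty list for the valid case, the "expired" message for the same response evaluated an hour later, and the "Invalid issuer" message when the configured issuer does not match.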