Logo Knowledge
  • Product Documentation
  • Insight
  • Developer Center
  • Training
  • Submit a Request
  • Product Documentation
  • Insight
  • Developer Center
  • Training
  • Submit a Request
  1. Acquia Support Knowledge Base
  2. Troubleshooting
  3. Common Problem

Troubleshooting SimpleSAML

    See more
    • Updated
    • December 17, 2018 12:05

    Issue

    SimpleSAML installation and usage can be tricky, and when set up incorrectly it can cause a number of problems.

    Resolution

    The first step in troubleshooting is to turn on debugging. Edit the config.php file and set debug to TRUE then set logging.level to LOG_DEBUG. The logs will be written to /mnt/tmp/.

    The php-errors.log in the normal log location may be helpful too if there is a misconfiguration or typo in any of the config files that is causing a php error.

    Often, you can look in the kvstore table to figure out what SimpleSAMLphp has actually done with the request it’s parsed out, and that’s always stored in there. Be sure to check the SAMLSession cookie, because you’ll need it to check in the kvstore table.

    Working with Error Messages

    SAML can present a number of errors, with different causes and solutions.

    • StatusCode - urn:oasis:names:tc:SAML:2.0:status:Requester

      This usually means that there is a configuration problem on the SP’s part, but the IdP isn’t providing any more information as part of that request. Ask the IdP for their logs regarding the request so you can start to determine what is misconfigured.

    • Missing Attributes

      Sometimes, the IdP won’t send back the attributes required to identify the user. This is usually caused by a misconfiguration on the IdP side of things. Typically this will present itself as a 500 error a record in watchdog.

      The SAMLSession cookie will be present in an authenticated user’s session, which you can then use to go look up the session information in SimplesSAMLphp’s kvstore table. Once you deserialize it, you can go look to see if the attributes are in there. If not, you’ll need to discuss with the IdP to determine why they aren’t sending them.

    • Attributes with a missing FriendlyName parameter

      This could be the case when there are attributes coming, but they don’t have the FriendlyName parameter. You can determine this in the same way you'd figure out if another parameter was missing (see previous bullet.) To fix this, configure the Simplesamlphp_Auth module’s configuration settings to be the absolute name of the parameter, which is a urn that should never change.

    • Page caching breaks custom login flow

      You can see this if you're using IdP initiated SSO, and expecting any page to pick up the SAML login flow. Basically, SimpleSAMLphp_auth uses hook_init to do a lot of set up work (this needs to change), and if Drupal page cache is enabled it won’t work.

    • The Certificate File could not be loaded

      When you see an error like this, the configuration is usually in the wrong file, or the config variable is pointing to the wrong file. There is also the possibility that redirect.sign is not set and the IdP is expecting a signed request or it’s sending back a signed request.

    Acquia Products

    • Acquia Cloud Enterprise

    Topics

    • auth
    • saml

    Drupal Projects

    • simplesamlphp_auth
    Avatar
    Blake Scott
    • December 17, 2018 12:05
    • Updated
    • Facebook
    • Twitter
    • LinkedIn
    • Google+

    Was this article helpful?
    1 out of 4 found this helpful
    Have more questions? Submit a request

    Return to top

    Related articles

    • Older SimpleSAMLphp configurations do not account for on-demand environments
    • Errors in the PHP log
    • Using Let's Encrypt SSL on Acquia Cloud
    • Using Solr Devel module to debug Acquia Search indexing and queries
    • Adding flexibility to your server structure using symlinks

    Support

    Acquia Support Knowledge Base
    • Submit a Request
    • Contact Support
    • Acquia Support Guide
    • Product Documentation
    • System Status

    About Acquia

    • About Us
    • Leadership
    • Board of directors
    • Newsroom
    • Careers
    • Customers
    • Contact Us
    53 State Street, 10th Floor
    Boston, MA 02109
    United States
    Phone: 888-922-7842
    Map: Google Maps
    View other locations
    • Feeds
    • Legal
    • Security Issue?

    Copyright © 2018 Acquia Inc. All Rights Reserved. Drupal is a registered trademark of Dries Buytaert.