
Error while logging in with SAML credentials

Error while trying to log in using SAML credentials.


Overview: This article describes troubleshooting steps for common SAML login errors including invalid_response due to incorrect signing certificates, issues with Entity ID mismatches, and timestamp validation errors.

Step 1: Correct Signing Certificate

  • If you encounter either of the following errors, ensure the IdP's signing certificate is provided under Settings > SAML > Signing Certificate, pasted exactly as exported from the IdP with no characters omitted. "Unable to extract public key" means the pasted certificate could not be parsed at all (typically a missing character or line); "Signature verification failed" means the certificate parsed but is not the one the IdP signed the response with, which usually happens after the IdP rotates its signing certificate:

Error Message: invalid_response
Details:       Unable to extract public key
Request ID:    ONELOGIN_7a4bb336c24aa25e8d8e022a65b08ec9730f2ccd
Status:        Not authenticated

Error Message: Saml response not received
Issue:         Signature verification failed
Request ID:    ONELOGIN_7a4bb336c24aa25e8d8e022a65b08ec9730f2ccd
Step 2: Verify Entity ID
  • If you encounter the following error, the Entity ID configured under Settings > SAML > Entity ID does not match the Issuer the IdP sends. "expected" is the value configured on the gateway and "got" is the value in the IdP's response; in this example the configured value is missing the trailing characters. Correct the Entity ID so it matches the IdP's issuer exactly, character for character:

invalid_response
Invalid issuer in the Assertion/Response (expected 'http://www.okta.com/exk1218683FMeODwH', got 'http://www.okta.com/exk1218683FMeODwH4x7')
Request ID: ONELOGIN_eb76a22385d99ff9d91d0596127d308b511de7ca
Not authenticated
Step 3: Check Server Time
  • Ensure the gateway's server time is accurate, for example by keeping it synchronised with NTP. The IdP stamps each assertion with NotBefore and NotOnOrAfter conditions that are checked against the gateway clock: "not yet valid" means the gateway clock is behind the IdP's, and a clock that is ahead fails the assertion as expired instead. A clock error of even a few minutes is enough to produce this error:

invalid_response
Could not validate timestamp: not yet valid. Check system clock.
Request ID: ONELOGIN_470f247589c4d84fc203d642d825d65e0e0bcabe
Not authenticated
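The three checks above can be reproduced offline against a captured SAMLResponse before touching the gateway. The script below is an added example written for this article, not Ezeelogin code (Ezeelogin is PHP; this is Python 3 using only the standard library). It decodes a base64 SAMLResponse, checks that the configured signing certificate is complete and well-formed PEM, that the Issuer in the Response and Assertion equals the configured Entity ID, and that the Conditions timestamps are valid for the gateway clock; it also compares the configured certificate with the one embedded in ds:KeyInfo as a hint for "Signature verification failed". It does not verify the XML signature itself, which needs an XML-DSig library. The IdP Entity ID, the placeholder certificate, the sample response and the 60-second skew are constructed assumptions.

```python
"""Offline pre-checks for a SAML Response mirroring the three error classes
above.  Added example for this article, not Ezeelogin code.  It does NOT verify
the XML signature; it catches the configuration mistakes behind Steps 1 to 3."""
from __future__ import annotations

import base64
import binascii
import datetime as dt
import ssl
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLOCK_SKEW = dt.timedelta(seconds=60)  # tolerance allowed by the timestamp check (assumption)

def _der_total_length(der: bytes) -> int:
    """Length a DER SEQUENCE claims for itself (tag + length bytes + body)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def _pem_body(pem: str) -> str:
    """Base64 payload of a PEM block with header, footer and whitespace removed."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))

def check_signing_cert(pem: str) -> list[str]:
    """Step 1: the configured certificate must be complete, well-formed PEM.
    A dropped character usually breaks base64 padding; a dropped line leaves
    valid base64 whose DER length no longer matches.  Both are the kind of
    paste error behind 'Unable to extract public key'."""
    try:
        der = ssl.PEM_cert_to_DER_cert(pem.strip())
        if _der_total_length(der) != len(der):
            raise ValueError("DER length mismatch, certificate is truncated")
    except ValueError as exc:               # binascii.Error is a ValueError
        return [f"signing certificate is not a valid PEM certificate: {exc}"]
    return []

def check_issuer(root: ET.Element, expected_entity_id: str) -> list[str]:
    """Step 2: Issuer in Response and Assertion must equal the configured IdP
    Entity ID exactly; a few extra or missing characters mean a different IdP."""
    problems = []
    for path in ("saml:Issuer", "saml:Assertion/saml:Issuer"):
        el = root.find(path, NS)
        got = (el.text or "").strip() if el is not None else None
        if got != expected_entity_id:
            problems.append(f"invalid issuer in {path}: expected {expected_entity_id!r}, got {got!r}")
    return problems

def _parse_ts(value: str) -> dt.datetime:
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_timestamps(root: ET.Element, now: dt.datetime) -> list[str]:
    """Step 3: Conditions/@NotBefore and @NotOnOrAfter against the gateway clock.
    'not yet valid' means the gateway clock is behind the IdP's."""
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return ["assertion has no Conditions element"]
    problems, nb, noa = [], cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + CLOCK_SKEW < _parse_ts(nb):
        problems.append(f"not yet valid: NotBefore={nb}, server time={now.isoformat()}; check system clock")
    if noa and now - CLOCK_SKEW >= _parse_ts(noa):
        problems.append(f"expired: NotOnOrAfter={noa}, server time={now.isoformat()}")
    return problems

def embedded_cert_mismatch(root: ET.Element, configured_pem: str) -> list[str]:
    """Hint for 'Signature verification failed': compare the configured cert with
    the one the IdP embedded in ds:KeyInfo (rotation shows up as a mismatch).
    The embedded value is attacker-controllable, so this never replaces real
    signature verification; it only explains why verification would fail."""
    el = root.find(".//ds:X509Certificate", NS)
    if el is None or not el.text:
        return []
    if "".join(el.text.split()) != _pem_body(configured_pem):
        return ["configured certificate differs from the one in ds:KeyInfo (IdP rotated it?)"]
    return []

def precheck(saml_response_b64: str, expected_entity_id: str, configured_pem: str,
             now: dt.datetime | None = None) -> list[str]:
    """Run every check on a base64 SAMLResponse as POSTed to the ACS URL.
    Returns the list of problems found; empty means the static checks passed."""
    now = now or dt.datetime.now(dt.timezone.utc)
    problems = check_signing_cert(configured_pem)
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    except (binascii.Error, ET.ParseError) as exc:
        return problems + [f"SAMLResponse is not base64-encoded XML: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return problems + [f"root element is {root.tag}, not samlp:Response"]
    return (problems + check_issuer(root, expected_entity_id)
            + check_timestamps(root, now) + embedded_cert_mismatch(root, configured_pem))

# --- Constructed sample data: a fictitious IdP and a placeholder certificate ---
_DER = b"\x30\x82\x01\x00" + bytes(256)     # bare DER SEQUENCE of 256 zero bytes, NOT a real cert
IDP_ENTITY_ID = "https://idp.example.com/saml"   # assumed value
SAMPLE_NOW = dt.datetime(2024, 5, 1, 10, 1, tzinfo=dt.timezone.utc)
SAMPLE_NOW_CLOCK_BEHIND = SAMPLE_NOW - dt.timedelta(minutes=10)

def sample_cert_pem(drop_line: int | None = None) -> str:
    """PEM wrapper around the placeholder DER; drop_line simulates losing one
    whole line while pasting the certificate into Settings > SAML."""
    lines = base64.encodebytes(_DER).decode().splitlines()
    if drop_line is not None:
        del lines[drop_line]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T10:00:00Z" Destination="https://gateway.example.com/saml/acs">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    for pem in (sample_cert_pem(), sample_cert_pem(drop_line=2)):
        print(precheck(SAMPLE_RESPONSE_B64, IDP_ENTITY_ID, pem, SAMPLE_NOW) or "OK")
```

To use it on a real failure, copy the SAMLResponse form field from the browser's developer tools (the POST to the gateway's ACS URL), the certificate and Entity ID from Settings > SAML, and pass them to precheck() with the gateway's current time. The Issuer and timestamp messages deliberately mirror the wording of the errors above so each finding maps back to one of the three steps.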

Steps 1 to 3 cover errors raised while the gateway validates a response it has received; the remaining checks concern whether the response reaches the gateway at all.

Step 4: Check the application log

If you encounter the following error, check the application logs:

 SAML Response not found, Only supported HTTP_POST Binding

To check the log, change to the log directory (its parent is the system_folder path recorded in ez.conf) and review the newest log-*.php file:

root@gateway:~# cd "$(awk '/^system_folder/ {print $2}' /usr/local/etc/ezlogin/ez.conf)/application/logs/"

or, to follow the newest log file directly:

root@gateway:~# ( cd "$(awk '/^system_folder/ {print $2}' /usr/local/etc/ezlogin/ez.conf)/application/logs/" && tail -f "$(ls -t log-*.php | head -n 1)" )

Also ensure that the ACS endpoint (the gateway's SAML URL to which the IdP returns the response) is reachable from the user's browser. The SAML response travels through the browser: after the user signs in at the IdP, the browser is redirected back and POSTs the SAMLResponse to the gateway's ACS URL. If that URL resolves to an internal IP address or a hostname the user's desktop or laptop cannot reach, the response never arrives at the gateway. The ACS URL must therefore be reachable either publicly or, if it points to an internal address, through a VPN the user is connected to before starting the login.
