Outdated Version

You are viewing an older version of this section. View current production version.

Troubleshooting SAML Authentication min read


Info

This topic does not apply to MemSQL Helios.

You may encounter problems with the SAML 2.0 authentication feature during initial configuration, user creation, or authentication. This section provides troubleshooting information for common error scenarios, which can be organized into two categories:

  • SAML assertion errors
  • Encryption or signing errors

SAML Assertion Errors

You may encounter errors if your SAML response isn’t properly formed, or if there is a configuration mismatch between the memsql.cnf file and the expected elements in a SAML Assertion. These errors include:

  • The SAML Assertion did not have a valid saml_user_name_attribute Attribute
  • The SAML Response did not have any Assertions
  • Assertion is no longer valid
  • Assertion is not yet valid
  • Assertion contains an unacceptable AudienceRestriction

The SAML Assertion did not have a valid saml_user_name_attribute Attribute

This error is often caused by a configuration mismatch. Ensure that your saml_user_name_attribute in the memsql.cnf file has been properly configured to identify the correct username AttributeStatement found in your identity provider’s SAML response.

Consider the following example, which will cause an error:

...
saml_user_name_attribute = username
...
...
<saml:AttributeStatement>
  <saml:Attribute Name="userID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">johndoe</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
...

In the examples above, the memsql.cnf file is configured to look for an attribute named username, but the SAML response has an attribute named userID. This configuration mismatch will result in errors, but can be easily resolved by updating the memsql.cnf file with userID instead of username.

The SAML Response did not have any Assertions

If your SAML response does not contain any assertions about a subject, this error will appear. Ensure that the identity provider is returning a valid SAML response that contains assertions about the authenticated user.

Assertion is no longer valid

If a SAML assertion contains a <saml:Conditions> element with a NotOnOrAfter attribute that is set to a time in the past, the assertion is invalid. If the SAML response originated from a trusted source, it is likely being delayed excessively during transport.

Assertion is not yet valid

If a SAML assertion contains a <saml:Conditions> element with a NotBefore attribute that is set to a time in the future, the assertion is invalid until the future date. If the SAML response originated from a trusted source, the identity provider could have an incorrect system time setting.

Assertion contains an unacceptable AudienceRestriction

If a SAML assertion contains an <saml:AudienceRestriction> element, the specified audience must match the saml_assertion_audience engine variable’s value in memsql.cnf. If the audiences do not match, the assertion is invalid.

Consider the following example, which will cause an error:

...
saml_assertion_audience = https://memsql.com
...
...
<saml:AudienceRestriction>
  <saml:Audience>https://my.example.com/service/</saml:Audience>
  <saml:Audience>https://my.otherexample.com/service/</saml:Audience>
</saml:AudienceRestriction>
...

In the examples above, the memsql.cnf file is configured to look for an audience named https://memsql.com, but the SAML response does not have that audience listed. This configuration mismatch will result in errors.

Encryption or Signing Errors

You may encounter errors if there are any misconfigured or nonexistent keys when a SAML response is processed, especially if it contains encrypted elements. These errors include:

  • Digital signature does not validate with the supplied key
  • Unable to decrypt EncryptedKey element
  • Unable to decrypt EncryptedData element

Digital signature does not validate with the supplied key

If a SAML response is digitally signed using an identity provider’s private key, it must be validated using the paired public key. This public key’s file path is specified in the memsql.cnf file for the saml_x509_certificate variable. If the SAML response cannot be read using the specified public key, then either the path points to the wrong public key file or the SAML response was signed with the wrong private key.

Unable to decrypt EncryptedKey element

Since asymmetric encryption is often inefficient for encrypting large amounts of data, it is standard for a SAML identity provider to encrypt SAML responses with a new symmetric key that it generates for each response. The SAML identity provider then encrypts the symmetric key using a supplied public key, and adds the result to the SAML response as an EncryptedKey element.

If a EncryptedKey element is encrypted using by the identity provider using a supplied public key, it must be decrypted using the paired private key. This public key’s file path is specified in the memsql.cnf file for the saml_private_decryption_key variable. If the SAML response cannot be read using the specified public key, then either the path points to the wrong public key file or the SAML response was signed with the wrong private key.