This topic does not apply to MemSQL Helios.
You may encounter problems with the SAML 2.0 authentication feature during initial configuration, user creation, or authentication. This section provides troubleshooting information for common error scenarios, which can be organized into two categories:
- SAML assertion errors
- Encryption or signing errors
SAML Assertion Errors
You may encounter errors if your SAML response isn’t properly formed, or if there is a configuration mismatch between the memsql.cnf file and the expected elements in a SAML Assertion. These errors include:
- The SAML Assertion did not have a valid saml_user_name_attribute Attribute
- The SAML Response did not have any Assertions
- Assertion is no longer valid
- Assertion is not yet valid
- Assertion contains an unacceptable AudienceRestriction
The SAML Assertion did not have a valid saml_user_name_attribute Attribute
This error is often caused by a configuration mismatch. Ensure that your saml_user_name_attribute
in the memsql.cnf file has been properly configured to identify the correct username AttributeStatement
found in your identity provider’s SAML response.
Consider the following example, which will cause an error:
...
saml_user_name_attribute = username
...
...
<saml:AttributeStatement>
<saml:Attribute Name="userID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">johndoe</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
...
In the examples above, the memsql.cnf file is configured to look for an attribute named username
, but the SAML response has an attribute named userID
. This configuration mismatch will result in errors, but can be easily resolved by updating the memsql.cnf file with userID
instead of username
.
The SAML Response did not have any Assertions
If your SAML response does not contain any assertions about a subject, this error will appear. Ensure that the identity provider is returning a valid SAML response that contains assertions about the authenticated user.
Assertion is no longer valid
If a SAML assertion contains a <saml:Conditions>
element with a NotOnOrAfter
attribute that is set to a time in the past, the assertion is invalid. If the SAML response originated from a trusted source, it is likely being delayed excessively during transport.
Assertion is not yet valid
If a SAML assertion contains a <saml:Conditions>
element with a NotBefore
attribute that is set to a time in the future, the assertion is invalid until the future date. If the SAML response originated from a trusted source, the identity provider could have an incorrect system time setting.
Assertion contains an unacceptable AudienceRestriction
If a SAML assertion contains an <saml:AudienceRestriction>
element, the specified audience must match the saml_assertion_audience
engine variable’s value in memsql.cnf. If the audiences do not match, the assertion is invalid.
Consider the following example, which will cause an error:
...
saml_assertion_audience = https://memsql.com
...
...
<saml:AudienceRestriction>
<saml:Audience>https://my.example.com/service/</saml:Audience>
<saml:Audience>https://my.otherexample.com/service/</saml:Audience>
</saml:AudienceRestriction>
...
In the examples above, the memsql.cnf file is configured to look for an audience named https://memsql.com
, but the SAML response does not have that audience listed. This configuration mismatch will result in errors.
Encryption or Signing Errors
You may encounter errors if there are any misconfigured or nonexistent keys when a SAML response is processed, especially if it contains encrypted elements. These errors include:
- Digital signature does not validate with the supplied key
- Unable to decrypt EncryptedKey element
- Unable to decrypt EncryptedData element
Digital signature does not validate with the supplied key
If a SAML response is digitally signed using an identity provider’s private key, it must be validated using the paired public key. This public key’s file path is specified in the memsql.cnf file for the saml_x509_certificate
variable. If the SAML response cannot be read using the specified public key, then either the path points to the wrong public key file or the SAML response was signed with the wrong private key.
Unable to decrypt EncryptedKey element
Since asymmetric encryption is often inefficient for encrypting large amounts of data, it is standard for a SAML identity provider to encrypt SAML responses with a new symmetric key that it generates for each response. The SAML identity provider then encrypts the symmetric key using a supplied public key, and adds the result to the SAML response as an EncryptedKey element.
If a EncryptedKey element is encrypted using by the identity provider using a supplied public key, it must be decrypted using the paired private key. This public key’s file path is specified in the memsql.cnf file for the saml_private_decryption_key
variable. If the SAML response cannot be read using the specified public key, then either the path points to the wrong public key file or the SAML response was signed with the wrong private key.