Page History
Anchor | ||||
---|---|---|---|---|
|
For troubleshooting, it is better to run the SSO URL provided by onelogin.saml2.idp.single_sign_on_service.url of the onelogin.saml.properties. Ideally, ideally, on the AD FS server.
This section provides solutions to the basic problems, such as:
Anchor | ||||
---|---|---|---|---|
|
Signature validation failed
If you see the following error:
...
onelogin.saml2.idp.x509cert =MIIC2DCCAcCgAwIBAgIQfdRAAWmWko1IsimA004o3TANBgkqhki…
Solution
...
- Get a valid certificate from AD FS;
- modify onelogin.saml.properties (onelogin.saml2.idp.x509cert);
- restart Yellowfin;
- update Yellowfin SAML Bridge relying party metadata in AD FS.
Styleclass | ||
---|---|---|
| ||
...
Anchor | ||||
---|---|---|---|---|
|
Illegal Key Size
You may see the following exception in the Yellowfin logs:
...
The Original Exception was java.security.InvalidKeyException: Illegal key size
Solution
...
When inspecting the SAML response payload below, the data is encrypted with AES-256:
...
- Copy the local_policy.jar and US_export_policy.jar files to this directory: [JAVA_HOME]/jre/lib/security.
Styleclass | ||
---|---|---|
| ||
...
Anchor | ||||
---|---|---|---|---|
|
Invalid Name ID
SAML requires the name ID as part of the Identity Provider response. If you provide the incorrect name ID of your AD FS, then you will see the following exception in your browser:
...
DEBUG com.onelogin.saml2.SamlAuth - processResponse success --> <very long line representing signing certificate>
Styleclass | ||
---|---|---|
| ||
...
Anchor | ||||
---|---|---|---|---|
|
COULD_NOT_FIND_PERSON
If you see the following error in your Yellowfin logs:
...
Then it means that you have switched off the user provision functionality, and the passed ID is not of a Yellowfin user.
Styleclass | ||
---|---|---|
| ||
Section | |||||||
---|---|---|---|---|---|---|---|
|