Like what you see? Have a play with our trial version.

Versions Compared

Old Version 3

changes.mady.by.user user-3484a

Saved on

compared with

New Version Current

changes.mady.by.user user-3484a

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Anchor
top
top

For troubleshooting, it is better to run the SSO URL provided by onelogin.saml2.idp.single_sign_on_service.url of the onelogin.saml.properties. Ideally, ideally, on the AD FS server.

This section provides solutions to the basic problems, such as:

 

 

Anchor
failedsign
failedsign

Signature validation failed

You may If you see the following error like:

ERROR c.onelogin.saml2.authn.SamlResponse - Signature validation failed. SAML Response rejected

That Then it means that the public key which you refer referred to in onelogin.saml.properties is not valid, that is:

onelogin.saml2.idp.x509cert =MIIC2DCCAcCgAwIBAgIQfdRAAWmWko1IsimA004o3TANBgkqhki…

 

Solution

...

  • Get a valid certificate from AD FS;
  • modify onelogin.saml.properties (onelogin.saml2.idp.x509cert);
  • restart Yellowfin;
  • update Yellowfin SAML Bridge relying party metadata in AD FS.

 

Styleclass
ClasstopLink

top


...

Anchor
illegalkeysize
illegalkeysize

Illegal Key Size

You may see this the following exception in the Yellowfin logs:

org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size

The Original Exception was java.security.InvalidKeyException: Illegal key size

 

Solution

...

When inspecting the SAML response payload below, the data is encrypted with AES-256:

Refer to the EncryptionMethod Algorithm ="here: http://www.w3.org/2001/04/xmlenc#aes256-cbc"

 

By default, Java’s key size is limited to 128-bit key due to US export laws and a few countries’ import laws.

To fixHere's a fix for this:

  • Copy the local_policy.jar and US_export_policy.jar files to this directory: [JAVA_HOME]/jre/lib/security.

 

 

Styleclass
ClasstopLink

top


...

Anchor
invalidnameid
invalidnameid

Invalid Name ID

SAML requires the name id ID as part of the Identity Provider response. If you provide the incorrect name ID of your AD FS, then you will see the following exception in your browser something like:

 

You do not pass correct name id from AD FS. Ensure that you pass the correct name id from AD FS and the name id ID and that it matches the format which expected by the SAML bridge expects (that is, onelogin.saml2.sp.nameidformat of onelogin.saml.properties).

Possible Here's a list of possible formats:

NAMEID_EMAIL_ADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';

NAMEID_X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName';

NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName';

NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified';

NAMEID_KERBEROS   = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos';

NAMEID_ENTITY     = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity';

NAMEID_TRANSIENT  = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';

NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';

NAMEID_ENCRYPTED = 'urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted';

 

Correct The example below shows a list of correct Yellowfin logs regarding to the SAML response:

DEBUG c.onelogin.saml2.authn.SamlResponse - SAMLResponse validated --> …

DEBUG c.onelogin.saml2.authn.SamlResponse - SAMLResponse has NameID --> john.smith@yellowfin.bi

DEBUG c.onelogin.saml2.authn.SamlResponse - SAMLResponse has attributes: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=[john.smith@yellowfin.bi]}

DEBUG com.onelogin.saml2.SamlAuth - processResponse success --> <very long line representing signing certificate>

 

 

Styleclass
ClasstopLink

top


...

Anchor
couldnotfindperson
couldnotfindperson

COULD_NOT_FIND_PERSON

If you see this the following error in your Yellowfin logs:

INFO (AdministrationService:remoteAdministrationCall) - WebserviceException caught: 8(COULD_NOT_FIND_PERSON)

That Then it means that you have switched off the user provision off and this id functionality, and the passed ID is not of a Yellowfin user.

 

 

Styleclass
ClasstopLink

top

 


 

 

Section


Column
width70

Previous topic: Bridge operation settings


Column

 Next topic: Examples