Open a ticket online for technical assistance with troubleshooting, break-fix requests, and other product issues. Customers who viewed this article also viewed. Although there are other issues you might encounter, this document will try to provide direction to help resolve some basic issues you might encounter. After completing the initial configuration, it is a good idea to confirm that the configuration is correct.
To confirm the configuration is correct:. Review the event log and look for Event ID For information on how to perform these configurations click HERE. This service location is not necessarily the FQDN of the server. Where do I find the federation Metadata file location? Scroll the list to the Metadata section. You are able to login and view the apps, but receive error Cannot Start App when trying to launch? One issue you might encounter is being able to authenticate to StoreFront but receive an error when trying to launch apps.
The user principal name could not be found. Failed to launch the resource 'Controller. FasException, Citrix. Example: administrator domain. Error: The Citrix servers do not trust the server.
Description: The Citrix servers do not trust the server. Was this page helpful? Thank you! Sorry to hear that. Please provide article feedback. Article feedback You rated this page as You rated this page as. Please provide article feedback Feel free to give us additional feedback!
What can we do to improve this page? Comment field is required. Name Name is required. Email Email address is required. Close Submit. Search Citrix Discussions. Get Additional Support.
Open a Case Open a ticket online for technical assistance with troubleshooting, break-fix requests, and other product issues. Open a Case Online. Share this page.If a user does not see the "Sign In" button while trying to login, double-check that they did not mistype the instance URL e. Check if the "mixed-mode sign-in" option is enabled in the SSO Settings; if it is, the product is working as designed. Mixed-mode sign-in causes the regular login page to be presented for normal instance logins but allows for SSO logins to be initiated from within an IdP system this feature is most typically utilized for SSO-powered embedding of cards in external systems where SSO is not desired for regular sign-ins.
The user does not have permissions within the IdP to use Domo. Typically, IdP systems will have a permission system built into them to allow different users to be granted access to different tools; make sure the user trying to sign in to Domo has access to use Domo in the IdP settings.
If a user receives an error while signing in, and the error is displayed on a Domo-branded webpage, the issue may be:. When this option is enabled, users must be created manually and cannot be auto-generated when logging in via SSO. If the above overview of general items to consider does not reveal the cause of your login failures, please continue with the advanced troubleshooting below.
Depending on settings you choose in Domo, it may also contain a digital certificate to further confirm that the login request originated from Domo. This message contains identifying information about the person who is signing in so that Domo knows which Domo user they belong to. It also contains a digital certificate to confirm that the login response originated from your IdP. IdP performs some method of authentication and confirmation that the user has permission to login to Domo from that system.
Domo reviews the SAML response packet to confirm that it contains the correct authorization information from the IdP and allows the user to login. If the user has already logged into the IdP recently, for Domo or even another service, the IdP may skip the process of asking for username and password and immediately redirect back to Domo. If both of the above scenarios occur together, the whole login process may be invisible to the user, aside from a possible second delay while all of the redirects and other steps occur in the background.
Right-click anywhere in the main window and choose "Inspect"; this will open the Chrome Dev Tools pane.
Troubleshooting Single Sign-On Using SAML
In the Dev Tools pane, select the "Network" tab, then check the box that says "preserve log. Click "Sign In" to proceed to your IdP's login page. You will see a network communication record in the list below the Filter field. Click on it and navigate to the "Headers" tab of that record.
In the Headers tab, scroll down to the "Form Data" section. The decoded, formatted SAML Request can still be daunting to try and interpret, but rest assured, there are only a couple items here to be reviewed:.
The x. If you have a certificate file, you can open it in a text editor to view the certificate.If you've got a moment, please tell us what we did right so we can do more of it. Thanks for letting us know this page needs work. We're sorry we let you down. If you've got a moment, please tell us how we can make the documentation better. Use the information here to help you diagnose and fix issues that you might encounter when working with SAML 2. The attribute must contain one or more AttributeValue elements, each containing a comma-separated pair of strings:.
The attribute value is an identifier for the user and is typically a user ID or an email address. Make sure to use the exact name of your role, because role names are case sensitive. Correct the name of the role in the SAML service provider configuration. This error can also occur if the federated users do not have permissions to assume the role. The role also contains conditions that control which users can assume the role.
Ensure that your users meet the requirements of the conditions. This error can occur if the RoleSessionName attribute value is too long or contains invalid characters.
The maximum valid length is 64 characters. This error can occur when federation metadata of the identity provider does not match the metadata of the IAM identity provider.
For example, the metadata file for the identity service provider might have changed to update an expired certificate. Download the updated SAML metadata file from your identity service provider. This error can occur if the issuer in the SAML response does not match the issuer declared in the federation metadata file. This metadata file includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response assertions that are received from the IdP.
Also, the x. If the key size is smaller, the IdP creation fails with an "Unable to parse metadata" error. This error can occur if the name of the provider that you specify in the SAML assertion does not match the name of the provider configured in IAM.
You can specify a value from seconds 15 minutes up to the maximum session duration setting for the role. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails.
Document Conventions.Before contacting support, try the troubleshooting solutions available in the knowledge base on Hi.
This issue might occur in a multi-node environment. If the plugin does not get activated on all nodes, an error like the following appears:.How to troubleshooting the SAML Single Sign On Plugin for Jira, Confluence, Bitbucket or Bamboo
EcmaError: [JavaPackage org. AuthnRequestBuilder] is not a function. In other words, the site does not take up the full page, but rather loads as a page in your instance.
Note: The instance does not support solutions provided by external sites.
StoreFront SAML Troubleshooting Guide
Table 1. If the plugin does not get activated on all nodes, an error like the following appears: org. This error occurs because the plugin was not active and did not load the.
Therefore, the code appears to be missing. Contact Technical Support to restart nodes that are missing the plugin. By default, CMS pages are public and therefore do not require authentication.
SAML does not redirect users to the appropriate page after authentication. Determine if the relay state is passed out to the IdP and then passed back during authentication. For Internet Explorer, use a third-party application such as Fiddler. The goal is to watch the requests pass from the client browser to the instance, and from the client to the IdP. Error message: "is not a function.This topic provides information about resolving issues that can occur when you configure SAML authentication.
Most issues occur because metadata that you import from the IdP, or assertion names that you enter, do not match the corresponding IdP attributes. Tableau Online requires the IdP assertion that contains user email address. In addition to checking Steps 1—5, make sure that users' email addresses match between Tableau Online and the IdP. The IdP can fail to return the sign-in page for any of the following reasons:.
For a SAML site, the Full Name field is populated with the email address if the assertions for first and last name or full name are not provided in Step 5 of the Authentication page. SAML authentication takes place outside Tableau Onlineso troubleshooting authentication issues can be difficult. However, login attempts are logged by Tableau Online. You can create a snapshot of log files and use them to troubleshoot problems.
If a user is having trouble being authenticated on Tableau Onlineyou should examine the log file to ensure that email attribute values returned by the IdP match the email addresses of users. These tools require TableauID authentication configured when Tableau Online was originally provisioned.
Tableau Online Help. Required assertions and metadata do not map correctly Most issues occur because metadata that you import from the IdP, or assertion names that you enter, do not match the corresponding IdP attributes. Identity provider does not display sign-in page A user provides his or her user name on the Tableau Online sign-in page, Tableau Online redirects the request to the identity provider IdPbut the IdP does not return its SAML sign-in page.
The IdP does not recognize the authentication request received. Unable to authenticate users when using single sign-on SAML authentication takes place outside Tableau Onlineso troubleshooting authentication issues can be difficult. To download the log file: Sign in to Tableau Online. Display the Authentication page, and then under Step 7, click Download log file. Back to top.Setting up video conferencing for remote work?
Troubleshooting SAML 2.0 Federation with AWS
Set up Meet to help your team work remotely. This value is case-sensitive. You might see one of the following three related error messages. Wait and then try the flow again.
Contact Google Cloud Support. This error occurs if you are trying to delete a custom schema that is associated as an attribute mapping for a SAML app that has already been deleted.
While loading the schemas in NameID Mapping or Attribute Mappingif the schema service times out or displays a backend exception, a error appears at the top of the screen. If the Service Provider Config service is unavailable a error appears at the top of the screen when you click Finish.
Click the overflow menu. IdP-initiated Flow Invalid idpid provided in the request. SAML app user schema deletion error message This error occurs if you are trying to delete a custom schema that is associated as an attribute mapping for a SAML app that has already been deleted. Was this helpful? Yes No. Start your free day trial today Professional email, online storage, shared calendars, video meetings and more.This topic provides information about resolving issues that can occur when you configure SAML authentication.
Redirect and SOAP are not supported. If any of these settings were not correct, make appropriate updates and then perform the SAML configuration steps again, starting with generating and exporting the XML metadata document from Tableau Server. These tools require the authentication configured when Tableau Server was originally installed either local authentication or AD.
Failed to find the user in Tableau Server. This error typically means that there is a mismatch between the usernames stored in Tableau Server and provided by the IdP. To fix this, make sure that they match. Additionally, the vizportal logs set to debug mode contain the following message:. For more information, see Change Logging Levels. This combination of messages indicates a misconfiguration of an external proxy server that is offloading SSL for the connection to Tableau Server.
SAML authentication takes place outside Tableau Server, so troubleshooting authentication issues can be difficult.
However, login attempts are logged by Tableau Server. You can create a snapshot of log files and use them to troubleshoot problems. In Tableau Server 9. Confirm that the Tableau Server you are configuring has either a routeable IP address or a NAT at the firewall that allows two-way traffic directly to the server.
Tableau Server on Windows Help. Back to top.