Issue description

Possible causes 

• Invalid SAML structure: The fundamental XML structure of the SAML response does not conform to SAML specifications.
• Incomplete or corrupted SAML response: The SAML response was truncated, altered, or corrupted during transmission.
• Generic processing error: ADSelfService Plus encountered an unspecific error when attempting to validate the incoming SAML response.
• Mismatched configuration: Discrepancies between the SAML configuration on the identity provider (IdP) and service provider (SP) sides (e.g., incorrect ACS URL, Entity ID, or certificate).
• Time synchronization issues: Significant time drift between the IdP and ADSelfService Plus servers can invalidate assertions due to timestamp checks.

Prerequisites

• Ensure time synchronization (NTP) between the IdP and ADSelfService Plus servers to prevent validation failures.
• Administrator access to both the ADSelfService Plus portal and the IdP configuration interface.

Resolution

1. Review IdP logs: Examine your IdP's logs for any error messages or warnings that occurred during the generation of the SAML assertion for the affected user.
2. Verify required attributes: Confirm that the SAML response includes all necessary attributes for ADSelfService Plus, such as:
1. NameID: The unique identifier for the user.
2. Email address: Often used for user mapping.
3. UserPrincipalName (UPN): Commonly used in Active Directory environments.
3. Regenerate IdP metadata: If there have been recent changes to your IdP's configuration (e.g., certificate renewal, endpoint changes), regenerate and export the latest IdP metadata file. This ensures ADSelfService Plus has the latest information.

1. Log in to ADSelfService Plus with administrator credentials.
2. Navigate to Admin > Customize > Logon Settings > Single Sign-On.
3. Verify that the Assertion Consumer Service (ACS) URL and Entity ID displayed match the values configured in your IdP for the ADSelfService Plus application.
4. If you regenerated the IdP metadata in Step 1, import this new metadata file into ADSelfService Plus. This will automatically update the ACS URL, Entity ID, and certificate.
5. Click Save to apply the changes and attempt to log in again.

Troubleshooting tips   

• Use SAML Tracer: Install a browser extension like SAML Tracer to inspect the raw SAML response exchanged between the IdP and SP, helping you identify if it's incomplete, malformed, or missing expected attributes.
• SAML binding type: If your SAML response is being sent via HTTP-Redirect binding, very large assertions might exceed URL length limits and be truncated. If supported by your IdP, switch to HTTP-POST binding, which is more robust for larger responses.
• Load balancers/proxies: If load balancers, reverse proxies, or web application firewalls are in front of either ADSelfService Plus or your IdP, verify that they are not altering, compressing, or blocking any part of the SAML response in transit.

How to reach support