Error: Sorry, an error occurred in SAML Login during SSO redirection from ADManager Plus to the IdP

Issue description   

When attempting to log in to ADManager Plus using SAML Single Sign-On (SSO), users may encounter the following error message:
"Sorry, an error occurred in SAML Login"; "Please check the SAML Authentication configuration".

This error indicates a failure in the SAML authentication process, preventing access to the application.

Possible causes   

  1. Misconfigured SAML settings: Incorrect configurations in either ADManager Plus or the Identity Provider (IdP) can lead to authentication failures.

  2. Certificate issues: Problems with the SAML certificate, such as expiration or mismatches, can disrupt the authentication process.

  3. Network connectivity problems: Network issues between ADManager Plus and the IdP can prevent successful authentication.

  4. Invalid redirect URI: If an incorrect or mismatched Redirect URI (Assertion Consumer Service URL) is configured in the Identity Provider settings, the authentication request may fail.

  5. Incorrect entity ID or audience URI: If the "Entity ID" configured in ADManager Plus does not match exactly what is configured in the IdP, the assertion will be rejected.

  6. Missing or incorrect assertion attributes: Some IdPs need to send specific attributes (like Username, Email, etc.). If mandatory attributes are missing or named incorrectly, login will fail.

Prerequisites   

  • Administrative access: Ensure you have administrative privileges in both ADManager Plus and the Identity Provider.

  • Valid SAML certificate: Verify that the SAML certificate is valid and correctly configured.

  • Network stability: Confirm that there are no network issues impacting the connectivity between ADManager Plus and the IdP.

  • Correct redirect URI: Check that the Redirect URI in the IdP settings matches the ADManager Plus configuration.

Resolution  

Step 1: Verify SAML configuration in ADManager Plus   

  1. Log in to ADManager Plus as an administrator.

  2. Navigate to Admin > Logon Settings > Single Sign-On (SSO).

  3. Ensure that the SAML SSO settings match the configurations provided by your IdP.

Step 2: Check identity provider configuration   

  1. Access the administrative console of your IdP (Microsoft Entra ID, Okta, ADFS, or a custom SAML identity provider).

  2. Verify that the configurations align with the settings in ADManager Plus.

  3. Ensure that users are assigned access to the ADManager Plus application within the IdP.

Step 3: Validate SAML certificate   

  1. Confirm that the SAML certificate used in ADManager Plus is valid and matches the one configured in the IdP.

  2. If necessary, update or renew the certificate to ensure it has not expired or been tampered with.

Step 4: Verify and correct the redirect URI   

  1. In your Identity Provider's application configuration, check the Redirect URI (Assertion Consumer Service URL).

  2. Ensure that it matches exactly with the SAML settings in ADManager Plus.

  3. Update the Redirect URI if needed and save the changes.

Step 5: Test network connectivity   

  1. Ensure that ADManager Plus can communicate with the IdP without any network interruptions.

  2. Check for firewall settings or proxies that might be blocking the SAML authentication requests.

Step 6: Review logs for detailed errors   

  1. Examine the serverout logs of ADManager Plus to identify specific error messages related to SAML authentication (look for the keyword username).

  2. Use these details to pinpoint and address the root cause of the authentication failure.
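The manual comparisons in Steps 1 to 4 (Entity ID versus Audience, Redirect URI versus the Destination and Recipient values, the signing certificate, and the mandatory login attribute) can be applied to a captured SAML response offline before touching either console. The script below is an added example and is not ManageEngine code: the SP_CONFIG values, the ADManager Plus URLs and the sample response are constructed for illustration, and it reads only the standard SAML 2.0 element names. It does not verify the XML signature; it reports configuration mismatches that would make the application reject the assertion.

```python
"""Offline mismatch check of a SAML response against the SP-side settings.

Added example, not ManageEngine code. Every URL, certificate string and
sample response below is constructed; replace them with your own values.
"""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical SP-side configuration, mirroring the fields the article says must match the IdP.
SP_CONFIG = {
    "entity_id": "https://admanager.example.com/samlLogin",          # Entity ID / Audience URI
    "acs_url": "https://admanager.example.com/samlLogin/LoginAuth",  # Redirect URI (ACS URL)
    "idp_cert": "MIIC0CONSTRUCTEDCERT0000AAA=",                     # IdP cert pasted into ADManager Plus
    "required_attributes": ["username"],                            # SSO login attribute
}

# Constructed sample response (not captured from a real IdP); the Signature element is a stub.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://admanager.example.com/samlLogin/LoginAuth">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC0CONSTRUCTED
        CERT0000AAA=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://admanager.example.com/samlLogin/LoginAuth"
        NotOnOrAfter="2030-01-01T00:00:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00.000Z" NotOnOrAfter="2030-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://admanager.example.com/samlLogin</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Browser traces carry the response base64-encoded; the checker accepts that form too.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def _parse_time(value):
    """SAML timestamps are UTC ISO-8601; drop fractional seconds so strptime accepts them."""
    clean = re.sub(r"\.\d+", "", value)
    return datetime.strptime(clean, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _norm_cert(value):
    """Compare certificates as one base64 string regardless of line wrapping."""
    return "".join((value or "").split())


def check_saml_response(response, config, now=None):
    """Return a list of findings; an empty list means every check passed."""
    if not response.lstrip().startswith("<"):
        response = base64.b64decode(response).decode("utf-8")
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(response)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain Assertion element in Response (encrypted assertion or wrong document?)"]

    # Redirect URI / ACS URL: Destination on the Response and Recipient on the bearer confirmation.
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    for label, value in (("Destination", root.get("Destination")), ("Recipient", recipient)):
        if value is not None and value != config["acs_url"]:
            findings.append(f"{label} {value!r} != configured ACS URL {config['acs_url']!r}")

    # Entity ID must appear verbatim as an Audience.
    audiences = [a.text.strip() for a in assertion.findall(".//saml:Audience", NS) if a.text]
    if config["entity_id"] not in audiences:
        findings.append(f"Audience {audiences} does not contain configured Entity ID {config['entity_id']!r}")

    # Signing certificate embedded by the IdP must be the one configured on the SP side.
    cert = assertion.find(".//ds:X509Certificate", NS)
    if cert is None or _norm_cert(cert.text) != _norm_cert(config["idp_cert"]):
        findings.append("signing certificate in assertion differs from the one configured in ADManager Plus")

    # Validity window; failures here usually mean clock skew between the two servers.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            findings.append(f"assertion not yet valid (NotBefore={not_before}); check clock skew")
        if not_after and now >= _parse_time(not_after):
            findings.append(f"assertion expired (NotOnOrAfter={not_after}); check clock skew")

    # Mandatory attributes; the names actually sent are listed so a misspelling is visible.
    sent = [a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)]
    for name in config["required_attributes"]:
        if name not in sent:
            findings.append(f"required attribute {name!r} missing; IdP sent {sent}")
    return findings


if __name__ == "__main__":
    for line in check_saml_response(SAMPLE_RESPONSE, SP_CONFIG) or ["all checks passed"]:
        print(line)
```

Paste the SAMLResponse value from a browser network trace (base64 as captured, or decoded XML) in place of SAMPLE_RESPONSE and the values from Admin > Logon Settings > Single Sign-On (SSO) into SP_CONFIG; each finding names the field to correct on the IdP or ADManager Plus side. Responses whose assertion is encrypted cannot be inspected this way and need the serverout logs from Step 6 instead.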

Tips   

  • Keep SAML certificates up to date to prevent unexpected authentication issues.

  • Ensure consistent network connectivity between ADManager Plus and the IdP to maintain reliable SAML authentication.

  • Always verify that the configured Redirect URI in the IdP matches exactly with ADManager Plus to avoid authentication failures.

  • Regularly check for updates or patches for both ADManager Plus and your IdP to address potential security vulnerabilities or bugs.

How to reach support   

If the issue persists, contact our support team here
