Purpose (problem description)

This page helps with issues that one may face when logging in to the dashboard with the SAML protocol and receiving the error 'Failed to Authenticate', as in the screenshot below, which indicates a problem with the application authenticating against ADFS:

For details on configuring SAML/ADFS in the dashboard, please see the documentation here: User authentication

Observed in CAST Version, CAST Extension Version, CAST Component Version

  Release                    Yes/No
  CAST 8.3.3 or higher       Yes
  Dashboard 1.7 or higher    Yes

Observed in RDBMS

  RDBMS                      Yes/No
  Oracle Server              N/A
  Microsoft SQL Server       N/A
  CSS3                       N/A
  CSS2                       N/A
Step by Step scenario
  1. Configure the dashboard for SAML authentication
  2. Try to log in with SAML authentication
Action Plan

Perform the below actions

  1. Confirm that you have followed the configuration directions in the documentation located here: User authentication, and that you have verified the results with the ADFS administrators
  2. Confirm that you are not using a self-signed certificate in your configuration; this is a certificate that is not signed by a certificate authority. See here for more information on self-signed certificates: https://en.wikipedia.org/wiki/Self-signed_certificate
  3. Confirm that you are not using localhost when generating the sping_metadata XML file
  4. Confirm that you have configured Tomcat for HTTPS and that it is working properly. You can see more on this in the documentation here: Configuring Apache Tomcat to use secure https protocol
  5. Turn on tracing for SAML and check the restapi.log for messages.
    1. For assistance with finding the restapi.log, please see the page here: CAST Management Studio - Information - How to find logs
    2. For assistance with turning on tracing, please see the page here: Configuring the Log and Audit Trail (there is a section for debugging SAML similar to debugging LDAP in the log4j2.xml file)
    3. If the error message in the restapi.log is: Signature verification failed
      1. Verify with the ADFS/SAML administrators that the certificate used for SAML is up to date and is the correct one
      2. In certain cases, you may need to add the X.509 certificate used by SAML to the Java keystore being used
    4. If the errors indicate a problem with the configuration, re-verify the configuration, and especially the location of the Java keystore.
      1. For related documentation, please see the page here: Configuring Apache Tomcat to use secure https protocol
    5. There is a tool, https://www.samltool.com/validate_response.php, to check whether the SAML response is valid. You could use this tool to check the response. The site states:

      Please note that any private key value that you enter or we generate is not stored on this site or on the OneLogin platform. Also, notice that this tool is provided via an HTTPS URL to ensure that private keys cannot be stolen. For extra security, please do not use production keys on this site.


      1. You can also see some examples of the response here: https://www.samltool.com/generic_sso_res.php
  6. If the problem you are facing does not match any case listed in this page, report your problem to CAST Technical Support and provide the following relevant input:


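As an added example (not part of this page or of the CAST product), the following script performs the first triage on a base64 SAMLResponse copied from restapi.log, covering step 3 (localhost in the SP metadata) and step 5.3 (a signing certificate that is not the one configured for SAML) of the action plan. The ACS URL, the certificate fingerprint and the sample response are constructed placeholders; in a real run the expected fingerprint comes from the ADFS/SAML administrators.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces of a SAML 2.0 Response and its enveloped XML Signature.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def triage_saml_response(b64_response, expected_acs_url, expected_cert_sha256):
    """Decode a base64 SAMLResponse from restapi.log; return findings (empty = all checks passed)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    # Step 3: SP metadata generated with localhost yields a Destination the real host never accepts.
    dest = root.get("Destination", "")
    if "localhost" in dest:
        findings.append("Destination uses localhost; regenerate SP metadata with the real host")
    elif dest != expected_acs_url:
        findings.append(f"Destination {dest!r} differs from the dashboard ACS URL")
    # The IdP's own verdict: anything but Success is an ADFS-side problem.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        findings.append("IdP StatusCode is not Success")
    # Step 5.3: 'Signature verification failed' usually means the certificate
    # configured for SAML is not the one ADFS actually signs with.
    cert = root.find(".//ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        findings.append("no X509Certificate in the signature KeyInfo")
    else:
        fp = hashlib.sha256(base64.b64decode("".join(cert.text.split()))).hexdigest()
        if fp != expected_cert_sha256.lower():
            findings.append(f"signing cert SHA-256 {fp[:16]}... is not the configured certificate")
    return findings

# Constructed stand-in for the DER bytes of the ADFS signing certificate; in a
# real run the expected fingerprint comes from the ADFS/SAML administrators.
GOOD_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
GOOD_CERT_SHA256 = hashlib.sha256(GOOD_CERT_DER).hexdigest()

def sample_response(destination):
    """Constructed minimal SAMLResponse (SignatureValue and Assertion omitted)."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}" '
        f'ID="_constructed" Version="2.0" Destination="{destination}">'
        '<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f'{base64.b64encode(GOOD_CERT_DER).decode()}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status>'
        '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
        '</samlp:Status></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

Run it against the response copied from restapi.log with the dashboard's real ACS URL and the fingerprint of the certificate configured for SAML; any finding points at the matching action plan step.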
Notes/comments

Ticket # 23245 

Related Pages