SSO Troubleshooting
When troubleshooting any SSO issue, it's important to understand how your IdP and Planview Admin Settings are configured. The following questions should be answered to help you begin diagnosing the issue:
- How many users are experiencing the issue?
- Is this an issue with a new setup, or is this an existing setup that's stopped working?
- What is the expected behavior? What is the behavior you're seeing?
- How far does a user get into the sign-in sequence before experiencing an error?
Common configuration issues
The most common configuration issues involve user profile attributes and authentication request signatures.
User profile attributes
If the naming attribute (NameID or other) differs between the IdP and Planview Admin, you'll need to appropriately configure your IdP so it sends the correct user profile attribute.
Using the user's email address as the unique identifier is the easiest option. Some organizations use other IDs to authenticate the user. If the ID is sent via the NameID, Planview Admin needs to be set up to read this as a login alias. If the ID is sent via another attribute, Planview Admin needs to be set up to read this from Username Attribute in the Advanced Configuration section of the SSO settings.
Authentication request signatures
The SAML responses and assertions your IdP returns must be signed using a signing algorithm that Planview Admin accepts. SHA-256 (rsa-sha256) is the recommended signing algorithm; do not use the older SHA-1. Check your IdP configuration to ensure that it signs with SHA-256 for both the signature method and the digest method.
General Troubleshooting
To test your SSO configuration:
- Go to Settings > SSO.
- Copy the link URL for sign-in testing and send it to a user having the issue.
The user is taken to a page that walks them through the SSO sign-in process and shows more in-depth debug messages. Compare those messages against the table below to decide what action to take.
Common error messages
Here are some common errors you might see when interacting with Planview Admin SSO.

Error message | Suggested action |
---|---|
Access has been denied by your SSO identity provider. Please contact your administrator for access to Planview Admin. | Your IdP has sent the error "access_denied" in the SAML response back to Planview Admin. Check your IdP's logs and configuration to determine why the user's sign-in attempt failed. |
There was an error signing you in with your SSO identity provider: ERROR_CODE | Your IdP has sent ERROR_CODE in the SAML response back to Planview Admin. Check your IdP's logs and configuration to determine why the user's sign-in attempt failed. |
There was an error signing you in with your SSO identity provider. Please check your SSO configuration. | Your IdP has sent an unknown error code in the SAML response back to Planview Admin. Check your IdP's logs and configuration to determine why the user's sign-in attempt failed. |
Your organization does not have SSO SAML metadata configured. Enter the SAML metadata, then re-run this test. | Planview Admin has not been configured with any SAML metadata. Configure Planview Admin with your IdP's SAML metadata via the SSO settings page. |
SAML metadata configuration is incomplete. Enter SAML metadata in your SSO settings page. | Planview Admin has been configured with incorrect or incomplete SAML metadata. Configure Planview Admin with your IdP's SAML metadata via the SSO settings page. |
Your SSO provider sent a SAML response that is unsigned and the identity cannot be verified. | Your IdP has not been configured to sign SAML responses to Planview Admin. Refer to your IdP's support information and configure it to sign SAML responses to Planview Admin. |
Error reading NameID or configured username attribute in the SAML assertion. Unable to read username from attribute: ATTRIBUTE. Check the "Username attribute" is set correctly in SSO settings. | There is a mismatch between what the IdP sends as the user profile attribute and what Planview Admin expects. Check the Username Attribute field in the Advanced configuration section of Planview Admin's SSO settings. Ensure that the correct value is entered, or clear the value if the IdP is using NameID to send the user profile attribute. |
Cannot find original AuthnRequest. SAML response cannot be matched to an earlier authentication request. | Planview Admin was unable to find the original AuthnRequest when it received the SAML response from your IdP. This is usually a temporary condition, for example a response returned for a sign-in request that has since expired (a stale sign-in tab). The user should retry the sign-in request. |
There was an error on the part of the SAML responder or SAML authority. Your SSO provider may not be correctly configured to support Planview Admin. | The IdP sent a SAML response with a status code of urn:oasis:names:tc:SAML:2.0:status:Responder. Check your IdP's logs and configuration to determine why the user's sign-in attempt failed. |
The SAML response was not successful. Status is: STATUS_CODE | The IdP sent a SAML response with a status code of STATUS_CODE. Check your IdP's logs and configuration to determine why the user's sign-in attempt failed. |
Could not find a valid SAML endpoint. Ensure HTTP-Redirect is configured by your identity provider and the SSO configuration updated in Planview Admin. | Planview Admin has been configured with incorrect SAML metadata. Check the metadata configured in Planview Admin to ensure that there is at least one SingleSignOnService with a Binding of type urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. |
SAML certificate has expired. | The X509Certificate within the SAML metadata configured in Planview Admin has expired. Configure your IdP with an updated signing certificate and update the SAML metadata in Planview Admin. |
SAML certificate is invalid. | The X509Certificate within the SAML metadata configured in Planview Admin is not valid for a reason other than expiration. Configure your IdP with an updated signing certificate, and update the SAML metadata in Planview Admin. |
User not found. | Planview Admin understood which user was authenticated in the SAML response, but the user could not be found in Planview Admin. Check your IdP's configuration to determine which user profile attribute is being sent in the SAML response, and check that the user still exists as an active user in Planview Admin. |
This user is deactivated. | Planview Admin understood which user was authenticated in the SAML response, but the user is deactivated in Planview Admin. Check that the user still exists as an active user in Planview Admin. |
Error validating SAML response. The assertion with ID ASSERTION_ID has already been used to authenticate and cannot be reused. | The assertion in the SAML response sent by the IdP has already been seen by Planview Admin; this is the replay protection rejecting a second submission of the same assertion, typically because the browser resubmitted the SAML response (refresh or back button on the callback page). This is usually a temporary condition. The user should retry the sign-in request. |
Error validating SAML response. The SAML response IssueInstant is not valid ... | The assertion in the SAML response sent by the IdP is not valid due to the IssueInstant value. Check your IdP's configuration related to the system clock and clock skew allowances. |
Error validating SAML response. The SAML response NotOnOrAfter is not valid ... | The assertion in the SAML response sent by the IdP is not valid due to the NotOnOrAfter value. Check your IdP's system clock configuration and clock skew allowances. |
Your SSO provider sent a SAML response that is unsigned and the identity cannot be verified. Ensure the SSO provider is signing SAML documents and/or assertions with a secure algorithm such as SHA-256. | There is an issue with the SAML signing algorithm, or a mismatch between the one configured on your IdP and Planview Admin. Check your IdP's configuration to ensure it is set to sign responses and that it is set to use the SHA-256 algorithm. |
Your SSO provider sent a SAML response with an encrypted assertion, which Planview Admin does not support. Your identity provider must be configured to send a signed, unencrypted assertion. | The assertion in the SAML response sent by the IdP is encrypted. Planview Admin does not support encrypted assertions. Check your IdP's configuration to ensure it is set to sign responses but NOT to encrypt responses. |
Your SSO provider sent a SAML response with the wrong assertion count. The expected count is exactly one assertion. | The SAML response sent by the IdP did not contain exactly one assertion (either none or more than one), so Planview Admin cannot sign a user in. Check your IdP's configuration to ensure it sends a single assertion and is properly signing SAML assertions with the SHA-256 algorithm. |
The Audience from your SSO provider: SAML_RESPONSE_AUDIENCE does not match the expected Planview Admin Entity ID: ENTITY_ID. Update the configuration of the SAML Identifier / Entity ID in your SSO provider to match the expected value. | The Audience claim in the SAML response sent by your IdP does not match the EntityID for your organization in Planview Admin. Check your IdP's configuration to ensure the Audience claim sent in your IdP's assertions matches your organization's EntityID in Planview Admin. |
The SAML response issuer is not valid. Issuer SAML_RESPONSE_ISSUER does not match the configured Issuer PLANVIEW_ADMIN_ISSUER. Ensure the SAML metadata in Planview Admin is correct with your SSO provider / IT department. | The Issuer claim in the SAML response sent by your IdP does not match the expected issuer configured in Planview Admin (taken from the IdP's SAML metadata). Check your IdP configuration to ensure the Issuer claim sent in your IdP's assertions matches the issuer configured in Planview Admin. |
The username you entered does not match the username from your SSO provider. Username from your SSO provider: SSO_USERNAME. User's email in Planview Admin: PLANVIEW_ADMIN_EMAIL. | There is a mismatch between what the IdP is sending as the user profile attribute and the user's email address in Planview Admin. Planview Admin is configured to expect your IdP to send the user's email address as the user profile attribute but received something else. Check your IdP's configuration to see if it is sending the user's email address and that it matches the one on the user's profile in Planview Admin. |
The username you entered does not match the username from your SSO provider. Username from your SSO provider: SSO_USERNAME. User's login alias in Planview Admin is empty. Set the login alias for the user and then try again. | Planview Admin is configured to expect a login alias from the IdP, but the user's profile in Planview Admin is missing the login alias value. Add a login alias to the user's profile in Planview Admin that matches the user profile attribute the IdP will send in the SAML response, or reconfigure Planview Admin to not use login aliases. |
The username you entered does not match the username from your SSO provider. Username from your SSO provider: SSO_USERNAME. User's login alias in Planview Admin: PLANVIEW_ADMIN_LOGIN_ALIAS. Ensure the login alias is correct and matches upper and lower case letters. | Planview Admin is configured to expect a login alias from the IdP, but the user's profile in Planview Admin has a different value than the SAML response (the comparison is case-sensitive). Update the login alias on the user's profile in Planview Admin to match the user profile attribute the IdP will send in the SAML response, or reconfigure Planview Admin to not use login aliases. |
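Most of the checks in this table, and the two configuration points from the "Common configuration issues" section above (which attribute carries the username, and which signing algorithm the IdP uses), can be run offline against a SAML response captured during the sign-in test, before anyone has to dig through IdP logs. The following Python script is an added example written for this page; it is not Planview's own validation code. The Entity ID, IdP issuer, attribute name, user and the sample response are constructed placeholders. It inspects the XML only and does not verify the signature cryptographically, so it tells you whether the response is shaped the way Planview Admin expects, not whether it is genuine.

```python
"""Static triage of a SAML 2.0 Response, mirroring the error table above.
Inspects the XML only; it does NOT verify the signature cryptographically,
so a clean result means "well formed for these checks", not "authentic"."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SP_ENTITY_ID = "https://sp.example.com/saml"   # placeholder for your Planview Admin Entity ID
IDP_ISSUER = "https://idp.example.com/saml"    # placeholder entityID from the IdP metadata


def parse_instant(value):
    """SAML instants are xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z (optionally with .fff)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def triage_response(xml_text, entity_id, expected_issuer,
                    username_attribute=None, now=None, skew=timedelta(minutes=5)):
    """Return (findings, username); an empty findings list means every check passed."""
    findings = []
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status:" + (status.get("Value") if status is not None else "missing"))
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("encrypted-assertion")   # Planview Admin rejects encrypted assertions

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                     # expected count is exactly one
        findings.append("assertion-count:%d" % len(assertions))
        return findings, None
    assertion = assertions[0]

    # The IdP may sign the Response, the Assertion, or both; each signature must use SHA-256.
    signatures = root.findall("ds:Signature", NS) + assertion.findall("ds:Signature", NS)
    if not signatures:
        findings.append("unsigned")
    for sig in signatures:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None or method.get("Algorithm") != RSA_SHA256:
            findings.append("weak-signature-algorithm")
            break

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append("issuer-mismatch:" + issuer)
    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append("audience-mismatch:" + ",".join(audiences))

    # Time checks tolerate a small clock skew, as the service provider's validator does.
    if parse_instant(assertion.get("IssueInstant")) > now + skew:
        findings.append("issue-instant-in-future")
    conditions = assertion.find("saml:Conditions", NS)
    not_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_after and parse_instant(not_after) + skew <= now:
        findings.append("expired:" + not_after)

    # Username comes from NameID unless a Username Attribute is configured in Advanced Configuration.
    if username_attribute:
        username = assertion.findtext(
            "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue"
            % username_attribute, namespaces=NS)
    else:
        username = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not username:
        findings.append("username-missing:" + (username_attribute or "NameID"))
    return findings, username


# Constructed sample (not a real capture): one rsa-sha256 signed assertion for a placeholder user.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
<saml:Issuer>https://idp.example.com/saml</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
<saml:Issuer>https://idp.example.com/saml</saml:Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
</ds:SignedInfo><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="employeeId"><saml:AttributeValue>E12345</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_NOW = parse_instant("2024-05-01T12:01:00Z")  # inside the sample assertion's validity window
```

To use it on a real capture, take the SAMLResponse form field the IdP posts back to Planview Admin (browser developer tools, network tab), base64-decode it, and pass the XML to `triage_response` with your organization's Entity ID from the SSO settings page and the entityID from your IdP's metadata; pass `username_attribute` only if Advanced Configuration uses one. Each finding maps to a row in the table above (`unsigned`, `weak-signature-algorithm`, `encrypted-assertion`, `assertion-count`, `audience-mismatch`, `issuer-mismatch`, `expired`, `issue-instant-in-future`, `username-missing`). The replay check (assertion ID already used) and certificate validity depend on state only Planview Admin holds, so they are deliberately not reproduced here.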