SAML Authentication

When setting up SAML authentication for Community Portal or SynWeb you currently have 2 options to choose from.

Troubleshooting

FAQ

Common

Q: I am getting "No SAML response found" error

A: This is commonly shown when the IDP redirects back to the SP application without any response. Verify that the certificate encoding is correct and that the URL to the IDP is configured correctly.
Q: I am getting "No tenant code passed."

A: Specific to multi-tenant modes. The tenant code must be passed in either by a) a query string value (URL encoded in the relay state sent from the IDP) or b) the claim attribute value 'tc' from the IDP.
Q: What does "Claim Attribute was not found in SAML response" mean?

A: The claim attribute is the name of the property by which the IDP returns the user login data. e.g. If you set the ClaimAttributeName to NameID, it will search for the node /samlp:Response/saml:Assertion/saml:Subject/saml:NameID in the decoded SAML response and extract the inner value. That value is then used to attempt to match a user.
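The lookups described in the two answers above (tenant code from the relay state or the 'tc' claim, and the claim attribute read from NameID or an AttributeStatement), as an added example that is not part of this FAQ or the product's own code. It assumes the relay-state query parameter is also named 'tc' (the page does not name it) and that the response signature has already been validated before these values are trusted; the sample response is constructed.

```python
import base64
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol and assertion elements
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def extract_claim_attribute(saml_response_b64, claim_attribute_name):
    """Return the claim value the portal would match a user on, or None.

    "NameID" is read from /samlp:Response/saml:Assertion/saml:Subject/saml:NameID;
    any other name is looked up as a saml:Attribute in the AttributeStatement.
    Assumption: the XML signature on the response was validated beforehand.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return None  # not a SAML Response at all ("No SAML response found" case)
    if claim_attribute_name == "NameID":
        node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
        return node.text.strip() if node is not None and node.text else None
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim_attribute_name:
            value = attr.find("saml:AttributeValue", NS)
            return value.text.strip() if value is not None and value.text else None
    return None  # "Claim Attribute was not found in SAML response" case

def resolve_tenant_code(relay_state, saml_response_b64):
    """Tenant code: relay-state query string first (assumed key 'tc'), then the 'tc' claim."""
    if relay_state:
        qs = parse_qs(relay_state)  # decodes the URL-encoded relay state
        if qs.get("tc"):
            return qs["tc"][0]
    return extract_claim_attribute(saml_response_b64, "tc")

# Constructed, unsigned sample response used only to exercise the lookups above
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>CORP\\jsmith</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="tc"><saml:AttributeValue>school01</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML).decode()
```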
Q: What fields of the community table are being matched with a claim attribute?

A: For both SynWeb and Community Portal, the claim attribute value is checked against Network Login (domain prefixes are excluded), ConfigUsersLoginName, IdamLogin and CommunityGUID. For more detail, execute

exec spsGetUserLoginData @SelectByValue = 'claim attribute value'

with @SelectByValue as the search parameter to see which records are returned.
Q: Can multiple community members share the same Network login?

A: No, each network login must be associated with only a single community member.

SynWeb

Q: Can parents who are also staff login to SynWeb?

A: Yes, community members who have a Group/User security maintenance & config user login name will be able to log in to both SynWeb and Community Portal under the same credentials.

Community Portal

Viewing Logs

Any errors and exceptions are now logged to the ExceptionLog table with an error code (Community Portal/SynWeb v68 and above). You can find the reason for an error code by matching it against the table here.

Enable text file logging on SynWeb/Community Portal (for versions prior to v68):

  1. Modify \SynWeb\log4net.config and change the first line from: <log4net threshold="OFF"> to: <log4net>
  2. Give write access for the IIS_IUSRS group to the \SynWeb\logs folder
  3. Try logging in with SAML auth, then view the events posted in \SynWeb\logs\log_everything.txt or \CommunityPortal\logs\log_everything.txt

This will show where the authentication steps progressed to before it failed.