Skip Navigation
Expand
  • Advanced SearchOpens new dialog
    Enter plus (+) or minus (-) signs in search terms to make a word required or excluded
    Search Tips
    Filter by product
    Filter by category
Common SSO Errors and how to troubleshoot
Answer ID 12238   |   Last Review Date 11/15/2024

I am receiving a SSO error, what does it mean?   

Environment:
 
Oracle B2C Service SSO
 
Resolution:
 
The Security Log can help you troubleshoot SSO errors. This log can be accessed in the agent desktop via the Configuration button > Site Configuration folder > Logs > Security Log button in the ribbon. You can use this log to see what error related to SSO is recorded to help you troubleshoot the issue. Below are some errors you may see recorded in the Security Log and tips on what to look for to resolve the error;
 
Click the plus sign next to the appropriate heading below to expand that section for viewing.
 
"Error validating the certificate used to sign the SSO token"
 
When this error presents, there are a few things you can check:
  • Is the signing certificate expired?
  • Is the signing certificate and certificate chain if applicable, uploaded into the File Manager? If the 'Do Not Verify Trust Chain for Certificates' on the Identity provider in the Single Sign-On Configurations component is selected, you do not need to upload the full chain into the File Manager.
  • Self signed certificates must be uploaded into the File Manager > Additional root certificates. SSO will not work as expected if the self signed certificates is uploaded into the File Manager > Intermediate certificates.
  • If the signing certificate includes a certificate chain (there are intermediate certificates), does the chain verify? You can use openssl in Linux to check by using this command: openssl verify -CAfile <root name>.pem -untrusted <intermediate>.pem <signing>.pem
  • Ensure that no intermediate or root certificates higher in the chain are expired. This will break validation even if CERT_VALIDATION:IGNORE_TRUST is set.
  • For customer portal SSO, is the fingerprint of the signing certificate in the SAML_20_SIGN_CERTS configuration setting? Remove extraneous fingerprints from this configuration setting.
  • Is there more than one certificate in the File Manager with the same Issuer and Subject but different fingerprints? If there are two certificates in your site that have the same Issuer and Subject and different fingerprints, SSO will not work as expected on some authentication attempts. For customer portal SSO, you can add 'CERT_VALIDATION:IGNORE_TRUST to the SAML_20_SIGN_CERTS configuration setting as noted in Answer ID 11049: Using multiple certificates for Customer Portal SSO
 
"No account matching token reference found"
 
When this error presents, check the following on staff account on the Oracle B2C Service side;
  • Is the staff account active?
  • Confirm the parameter on the account you are using to authenticate matches what the IdP is passing for authentication. For example, if authenticating on login, does the login on the staff account match the login that the IdP is sending? Oracle B2C Service is case sensitive for logins so the value in the login must match exactly what the IdP is sending, including any capital letters.
 
"Token or token reference is expired or not yet valid"
 
When this error presents, the IdP is sending the SAMLResponse too early or too late so it is not valid when it hits our servers.
  • If you have an Identity Provider set up in the Single Sign-On Configurations component for agent login, you can add a skew to the Token Validity Offset (in seconds) field.
  • If you are using IdP-initiated SSO for the agent desktop or for customer portal, work with your IdP to to add a time skew to the SAMLResponse. The other option is to have the IdP sync to a clock.
 
"Error validating SSO token subject (e.g. incorrect SAML recipient source or unsupported confirmation method)"
 
When this error presents, check the Subject in the SAMLResponse and look for the following;
  • Is the Recipient URL correct? For example, if your site has end user SSL enabled, does the URL include https instead of http:

    http://mysite.custhelp.com/ci/openlogin/saml/
  • Are there extra characters in the Recipient URL in the Subject? For example, see the following Recipient URL with extra characters appended to the end of it. This will need to be fixed on the IdP side:
Recipient="https://mysite.custhelp.com/cgi-bin/mysite.cfg/php/admin/sso_launch.php?/"/>
 
"The SSO token has an invalid nameid_format!"
 
When this error presents, there is a mismatch between the NameID Format set on the Identity Provider in the Single Sign-On Configurations component and the nameid-format in the SAMLResponse from the IdP.
  • Check what you have set in the NameID Format field on your Identity Provider in the Single Sign-On Configurations component. If you do not have a value set, validation is not enforced. If you do have a value set, ensure that it matches the nameid-format specified in the Subject of the SAMLResponse
  • If the SAMLResponse is encrypted, you will not see the Subject NameID format in a captured response. It is in the encrypted data in the EncryptedAssertion section and cannot be manually decrypted. Try another choice from the dropdown.
  • Also see Answer ID 10917: Supported NameID formats in SAML response subject
 
"Unable to validate the signature on the SSO token (e.g. corrupt signature or certificate is missing from the SSO token)"
 
When this error presents, it usually means the signing certificate is not included in the SAMLResponse
  • Capture the SAMLResponse from your IdP and verify if you see the signing certificate in it.
 
"Error parsing the SSO token"
 
When this error presents, it is typically due to the Subject not being included in the SAMLResponse and there is no value to validate against on the Oracle B2C Service side.
  • Check the SAMLResponse to see if a Subject is present.
  • This error can also present if the Subject is missing certain information such as the nameid-format
 
"The IdP with entity id <EntityID> is not trusted or is inactive"
 
In the Single Sign-On Configurations component, check the following:
  • The Identity Provider is marked as active
  • The Provider Entity ID matches the entity ID shown in the error message
 
"The SSO request originated from a client IP address which is not authorized, check (18) config"
 
This error will present when you have values in the SEC_VALID_ADMIN_HOSTS configuration setting and SSO enabled on the Browser User Interface (BUI). When a host that is not configured in the SEC_VALID_ADMIN_HOSTS configuration setting attempts to access the BUI URL for your site, this error will record in the Security Log. To help determine what host is attempting to access your BUI, you can request web logs
 
"The SSO token can not be reused!"
 
Check any customizations called by pre_login, pre_login_redirect, or other hooks. It is possible that failures of hooked methods can cause the login attempt to restart, and the system thinks that the token is being reused.
 
"Multiple matches for table and subject value: Multiple matches for accounts.email_address == <email>"
 
There is more than one account with the email address displayed in the message. Modify secondary accounts as needed so that there is only one account with this email address, or use a different SAML subject (such as login).
 
"No matches for table and subject valueNo matches for accounts.email_address == <email>"
 
There are no accounts with this email address. Ensure that the user's email address on the staff account in Oracle B2C Service matches what is configured in the identity provider.
 
 
 
Other troubleshooting scenarios to help diagnose the issue:
  • If you are not seeing any errors recorded to the Security Log, check the ACS URL. If the ACS URL is incorrect, the POST of the assertion is not being processed on the Oracle B2C Service side and an error will not be recorded.
  • If you are attempting to log into the Browser User Interface (BUI) with SSO and the .NET console launches instead, ensure your IdP has set the relaystate. For IdP-initiated SSO, the relaystate is very important. If you are logging into the BUI, the relaystate needs to contain the URL for your BUI. See also Using external identity provider (IdP) with Browser UI/BUI
  • If you have set up a value in the PTA_EXTERNAL_LOGIN_URL that includes the %next_page% variable, the contact will not be redirected to the original page they were attempting to access before they were redirected to the IdP for SSO authentication. This is due to customer portal does not support relay states or deep linking. The %next_page% variable is essentially a relaystate. See redirect alternatives in Redirect a user on customer portal after SSO authentication
  • If your SAMLResponse is encrypted, you will not be able to see the details being passed for authentication. You will need to work with your IdP to get an unencrypted SAMLResponse.