Collapse
Submit a Service Request
Contact Information for Technical Support
My Service Notifications
Common SSO Errors and how to troubleshoot
Answer ID 12238 |
Last Review Date 09/26/2023
I am receiving a SSO error, what does it mean?
Environment:
Oracle B2C Service SSO
Resolution:
The Security Log can help you troubleshoot SSO errors. This log can be accessed in the agent desktop via the Configuration button > Site Configuration folder > Logs > Security Log button in the ribbon. You can use this log to see what error related to SSO is recorded to help you troubleshoot the issue. Below are some errors you may see recorded in the Security Log and tips on what to look for to resolve the error;
Click the 
next to the appropriate heading below to expand that section for viewing.
next to the appropriate heading below to expand that section for viewing.When this error presents, there are a few things you can check;
- Is the signing certificate expired?
- Is the signing certificate and certificate chain if applicable, uploaded into the File Manager? If the 'Do Not Verify Trust Chain for Certificates' on the Identity provider in the Single Sign-On Configurations component is selected, you do not need to upload the full chain into the File Manager.
- Self signed certificates must be uploaded into the File Manager > Additional root certificates. SSO will not work as expected if the self signed certificates is uploaded into the File Manager > Intermediate certificates.
- If the signing certificate includes a certificate chain (there are intermediate certificates), does the chain verify? You can use openssl in Linux to check by using this command: openssl verify -CAfile <root name>.pem -untrusted <intermediate>.pem <signing>.pem
- For customer portal SSO, is the fingerprint of the signing certificate in the SAML_20_SIGN_CERTS configuration setting? Remove extraneous fingerprints from this configuration setting.
- Is there more than one certificate in the File Manager with the same Issuer and Subject but different fingerprints? If there are two certificates in your site that have the same Issuer and Subject and different fingerprints, SSO will not work as expected on some authentication attempts. For customer portal SSO, you can add 'CERT_VALIDATION:IGNORE_TRUST to the SAML_20_SIGN_CERTS configuration setting as noted in answer ID 11049. For agent login SSO that is set up through the Single Sign-On Configurations component, you can select the 'Do not verify trust chain for certificates' option on the Identity Provider.
When this error presents, check the following on staff account on the Oracle B2C Service side;
- Is the staff account active?
- Confirm the parameter on the account you are using to authenticate matches what the IdP is passing for authentication. For example, if authenticating on login, does the login on the staff account match the login that the IdP is sending? Oracle B2C Service is case sensitive for logins so the value in the login must match exactly what the IdP is sending, including any capital letters.
When this error presents, the IdP is sending the SAMLResponse too early or too late so it is not valid when it hits our servers.
- If you have an Identity Provider set up in the Single Sign-On Configurations component for agent login, you can add a skew to the Token Validity Offset (in seconds) field.
- If you are using IdP-initiated SSO for the agent desktop or for customer portal, work with your IdP to to add a time skew to the SAMLResponse. The other option is to have the IdP sync to a clock.
"Error validating SSO token subject (e.g. incorrect SAML recipient source or unsupported confirmation method)"
When this error presents, check the Subject in the SAMLResponse and look for the following;
- Is the Recipient URL correct? For example, if your site has end user SSL enabled, does the URL include https instead of http:
http://mysite.custhelp.com/ci/openlogin/saml/
- Are there extra characters in the Recipient URL in the Subject? For example, see the following Recipient URL with extra characters appended to the end of it. This will need to be fixed on the IdP side:
Recipient="https://mysite.custhelp.com/cgi-bin/mysite.cfg/php/admin/sso_launch.php?/"/>
When this error presents, there is a mismatch between the NameID Format set on the Identity Provider in the Single Sign-On Configurations component and the nameid-format in the SAMLResponse from the IdP.
- Check what you have set in the NameID Format field on your Identity Provider in the Single Sign-On Configurations component. If you do not have a value set, validation is not enforced. If you do have a value set, ensure that it matches the nameid-format specified in the Subject of the SAMLResponse
- Also see Supported NameID formats in SAML response subject for supported formats in the Subject of the SAMLResponse
"Unable to validate the signature on the SSO token (e.g. corrupt signature or certificate is missing from the SSO token)"
When this error presents, it usually means the signing certificate is not included in the SAMLResponse
- Capture the SAMLResponse from your IdP and verify if you see the signing certificate in it.
"Error parsing the SSO token"
When this error presents, it is typically due to the Subject not being included in the SAMLResponse and there is no value to validate against on the Oracle B2C Service side.
- Check the SAMLResponse to see if a Subject is present.
- This error can also present if the Subject is missing certain information such as the nameid-format
In the Single Sign-On Configurations component, check the following:
- The Identity Provider is marked as active
- The Provider Entity ID matches the entity ID shown in the error message
This error will present when you have values in the SEC_VALID_ADMIN_HOSTS configuration setting and SSO enabled on the Browser User Interface (BUI). When a host that is not configured in the SEC_VALID_ADMIN_HOSTS configuration setting attempts to access the BUI URL for your site, this error will record in the Security Log. To help determine what host is attempting to access your BUI, you can request web logs and look for a 403 http status code for a GET to /cgi-bin/<site_interface>.cfg/php/sso/saml2/idp/get_token.php
Check any customizations called by pre_login, pre_login_redirect, or other hooks. It is possible that failures of hooked methods can cause the login attempt to restart, and the system thinks that the token is being reused.
Other troubleshooting scenarios to help diagnose the issue:
- If you are not seeing any errors recorded to the Security Log, check the ACS URL. If the ACS URL is incorrect, the POST of the assertion is not being processed on the Oracle B2C Service side and an error will not be recorded.
- If you are attempting to log into the Browser User Interface (BUI) with SSO and the .NET console launches instead, ensure your IdP has set the relaystate. For IdP-initiated SSO, the relaystate is very important. If you are logging into the BUI, the relaystate needs to contain the URL for your BUI. See also Using external identity provider (IdP) with Browser UI/BUI.
- If you have set up a value in the PTA_EXTERNAL_LOGIN_URL that includes the %next_page% variable, the contact will not be redirected to the original page they were attempting to access before they were redirected to the IdP for SSO authentication. This is due to customer portal does not support relay states or deep linking. The %next_page% variable is essentially a relaystate. See redirect alternatives in Redirect a user on customer portal after SSO authentication .
- If your SAMLResponse is encrypted, you will not be able to see the details being passed for authentication. You will need to work with your IdP to get an unencrypted SAMLResponse.
