Skip Navigation
Expand
OFS: Troubleshooting issues with authentication via SAML
Answer ID 12292   |   Last Review Date 08/29/2022

  
Environment:
 
Oracle Field Service
SAML authentication
 
 
Overview:
 
This document provides instructions and basic steps to help OFS customers troubleshoot issues with authentication via SAML. The instructions are applicable for scenarios when SAML authentication occasionally stopped working and there is a need to quickly identify and fix the issue.
 
 
The instructions help identify where the issue resides:
  • Customer IdP side
  • Login policy configuration
  • OFS Oracle backend
 
 
Troubleshooting Instructions:
 
Click the plus sign next to the appropriate heading below to expand that section for viewing.
 
 
   Make sure that you have an admin user for troubleshooting 
 
For troubleshooting, you should use an administrative user assigned to an internal login policy. This will let you access the environment in case of issues with SAML.
 
If such user doesn't exist, you can create one from OFS Service Console. If you don't remember the password for your administrative user, you can reset the password in same tool. To learn more:
 
1. Navigate to OFS public documentation www.oracle.com/pls/topic/lookup?ctx=cloud&id=field-service.
2. In 'All books', find 'Using Cloud Console' book and learn how to create a new admin user using OFS Service Console.
 
   Copy the SAML login policy label 
 
Define a label of SAML login policy associated with impacted users.
1. Find the impacted resource > Resource Info > copy the User Type name
2. Open Configuration > User Types > find the UT name you copied > search the Login Policy assigned to this User Type
3. Open Configuration > Login policies screen, note SAML type of policy
4. Navigate to policy details and copy the label.
 
   Check if SAML request reaches your identity provider 
 
Open a browser in incognito mode and enter the environment URL in the format {environment_name}.fs.ocs.oraclecloud.com/SAML_policy_name/
 
Note: There is limited number of OFS environments provided with addresses in etadirect.com domain zone. For those who use this domain zone, enter the URL format {environment_name}.etadirect.com/SAML_policy_name/ in the browser address bar.
 
 
Expected results: OFS redirects the request to your IdP. Login screen of your IdP is displayed.
Action: Validate Login policy configuration has correct its settings. If redirect doesn't happen you then contact OFS customer support
Conclusion: Possible causes of the error could be incorrect Login policy configuration or an issue on OFS side.
 
   Login to IdP fails 
 
OFS redirects authentication request to your IdP where you should enter the credentials. Type username and credentials and check for successful authentication and redirection back to OFS environment.
 
Expected results: User is successfully logged in IdP and redirected to OFS.
Action: Validate user credentials and check IdP settings.
1. If the credentials fail on IdP page, the credentials must be verified on the IdP server;
2. If after IdP authentication user sees an OFS screen with an error, the 'username' field must be aligned on the IdP server side and at Configuration > Login Policies > 'SAML attribute containing inside OFS'
Conclusion: The issue resides on customer side.
 
   Check OFS metadata and compare to the metadata uploaded to IdP 
 
How to check:
1. Login to OFS with the administrative user associated to the 'internal' login policy
2. Navigate to Configuration -> Login policies screen
3. Select the required Login policy for SAML authentication
4. Click 'Download' button under the 'OFS Domain and Metadata' section and check what domain is selected.
Expected results: metadata for the domain selected in Login policy settings is uploaded to IdP
Action:
1. Click the 'Download' button under the 'OFS Domain and Metadata' section
2. Select the correct domain → the application will save the OFS metadata into your  Downloads folder
3. Save Login policy configuration
4. Upload the OFS metadata to your IdP
Conclusion: Customer should add the correct OFS metadata to IdP application managing authentication to OFS.
 
   Check if mobile devices are provided with correct settings 
 
• For those who manage mobile devices via MDM settings
Check if the correct environment URL is populated to mobile devices as a part of MDM settings.
 
For those who created OFS shortcuts on mobile devices
Check if the correct environment URL is populated as a part of XML file created on devices.
 
Expected results: Domain selected in SAML login policy settings is populated on mobile device as a part of MDM settings or OFS shortcut.
Conclusion: The issue might reside on customer side or on OFS side.
Action: Within MDM settings or OFS shortcut, provide the domain selected for SAML integration.
 
   Check if your certificate is not expired 
 
Login to OFS, open the SAML login policy and download attached certificate. Use openssl command to check the certificate expiration date.
 
openssl command
 
Expected results: The certificate is valid and has an expiration date in the future.
Conclusion: The issue resides on customer side.
Action: Renew the certificate and upload it to the SAML login policy configuration.
 
output of openssl command shows valid certificate date
.
 
   Check if signing algorithm from OFS is supported by your IdP 
 
OFS uses SHA256 algorithm for signing of SAML requests.
Expected result: SHA256 is enabled in IdP for the application managing authentication to OFS.
Conclusion: The issue resides on the customer side.
Action: Select SHA256 in IdP for the application supporting authentication to OFS.
 
 
 
If the issue occurs and the troubleshooting steps above did not help, please gather the information listed in the next section and contact Oracle support for assistance.
 
 
What data should be collected for troubleshooting by OFS Support team:
 
• Instance name and instance alias
• OFS instance version
• SAML login policy label
• Authentication initiator : Service Provider (SP) - initiated or Identity Provider (IdP) -initiated
• Application where the issue if reproduced - browser application, Android app, iOS app
• Number of affected users and user logins of affected users
• Domain selected for SAML authentication
• Gather SAML Trace file: FireFox SAML Tracer or Fiddler are good tools to see where the process is failing
• Gather .HAR file by following the steps below:
 
  Chrome 

You can record your HTTP session using the Network tab in the Developer Tools in Chrome.
1. Open Developer Tools from the menu (Menu > Tools > Developer tools), or by pressing Ctrl+Shift+C on your keyboard.
2. Click on the Network tab
3. Click on the round button at the top left of the Network tab to start recording (If it is already red, you are recording).
4. Check the box next to 'Preserve log'.
5. Reproduce the issue
6. Save the session by right-clicking on the grid and choosing "Save as HAR with Content".
7. Upload the HAR file to your SR.
 
  Firefox 

1. Go to the page where you're encountering the problem
2. Start Firefox Developer Tools in Network mode (Top right menu > Web Developer > Network, or ctrl-shift-E)
3. Reproduce the problem
4. Save the session by right-clicking on the execution/collection grid and "Save all as HAR" or click on the start-like icon on the far right side of execution grid and "Save all as HAR"
5. Upload the HAR file to your SR.
 
  Internet Explorer 

1. Open Internet Explorer.
2. In IE, go to the webpage in question.
3. To open Developers Tool, press the F12 key on your keyboard, or you may find the Developers Tool in the menu.
4. In the Developers Tool menu > Network panel and then deselect the Clear entries on navigate option. (Default)
5. Select Start Profiling Session/Start Capture.
6. Refresh the page and allow IE to record the browser-website interaction.
7. Once the page is loaded, click on Export as HAR/Export capture traffic icon and save.
 
  Microsoft Edge 

1. Open the Network tool in F12 developer tools
2. Reproduce the issue
3. Export the session as a HAR (CTRL + S)
4. Upload the HAR file to your SR.
 
 
 

Available Languages for this Answer:

Notify Me
The page will refresh upon submission. Any pending input will be lost.