KB1002
Troubleshooting SAML authentication errors
Summary
SAML (Security Assertion Markup Language) is a web-based authentication method available for Axiom Cloud Service systems. Users access Axiom Software by going to the URL for your cloud service system and authenticating to your organization’s login page. This article outlines some common errors associated with SAML authentication and how to resolve them.
Details
Kaufman Hall Software Support assists with the initial setup of SAML authentication. Once it is in use, the errors listed below may be encountered after new users are added, or after your Information Technology department makes changes to your organization’s SAML identity provider.
The following errors may occur after users authenticate to your organization’s login page. If your identity provider has single sign-on (SSO) enabled, it will automatically log users in and then display one of the errors below if an issue occurs:
- Sorry, could not create a session - 'The username could not be obtained from the configured server variable.'
- 500 – Internal Server Error - Message was signed, but signature could not be verified.
Resolution
Issue 1: Sorry, could not create a session - 'The username could not be obtained from the configured server variable.'
1. Determine if the error occurs for all Axiom Software users who use SAML authentication by having multiple users attempt to log in.
   - If all users encounter the error, please contact Kaufman Hall Software Support (support@kaufmanhall.com) for assistance.
   - If the error only occurs for a specific user, continue to step 2 for further troubleshooting.
2. Contact your designated Master System User for Axiom Software, and ask them to verify the following for the user who cannot log in:
   - The user exists in Axiom Software security as an active user.
   - The user's login name in Axiom Software matches the login name for your organization's SAML identity provider.
   - The user's assigned authentication type in Axiom Software is SAML.
   Correct any of these settings for the user as needed.
3. Once the user is set up correctly in Axiom Software security, instruct the user to close and reopen their web browser, and then navigate to the URL for your Axiom Cloud Service system.
If you are not sure about the expected format of the login name, compare the user's login name in Axiom Software to the login names of other users who do not encounter the error. The login name is determined by the identity provider administrator in your Information Technology department, and might use one of the following items of information:
- SamAccountName (login name for Active Directory)
- Email address
- Employee ID number
If you need further assistance determining the appropriate format for the user's login name, please contact your local IT help desk.
Issue 2: 500 – Internal Server Error - Message was signed, but signature could not be verified.
This error occurs if your organization’s identity provider changed their signing certificate and has not provided the new certificate to Kaufman Hall Software Support.
IMPORTANT: Your Information Technology department is responsible for maintaining and renewing the signing certificate for your organization's identity provider. Every time your certificate is renewed, please have your Master System User contact Kaufman Hall Software Support to ensure that the new certificate is validated before it is implemented.
If your Information Technology department has already deployed the new certificate, please contact Kaufman Hall Software Support (support@kaufmanhall.com) and provide the following information:
- IT contact information
- New signing certificate information, or SAML metadata file with the new certificate information
Once Kaufman Hall Software Support receives and implements the new certificate, they will contact you to verify your ability to log in.
Outcome
Once the relevant issue has been corrected, users can be authenticated to your organization’s login page and then redirected to the Axiom Software home page.
Article information
Category: Security
Applies To: Axiom Software version 8.2 and up
Tags: SAML, 500 Internal Server Error, Authentication
Issue Number(s): 26504