KB1002

Troubleshooting SAML authentication errors

Summary

SAML (Security Assertion Markup Language) is a web-based authentication method available for Axiom Cloud Service systems. Users access Axiom Budgeting and Performance Reporting by going to the URL for your cloud service system and authenticating to your organization’s login page. This article outlines some common errors associated with SAML authentication and how to resolve them.

Details

Axiom Support assists with the initial setup of SAML authentication. Once it is in use, the errors listed below may be encountered after adding new users, or if your Information Technology department made changes to your organization’s SAML identity provider.

The following errors may occur after users authenticate to your organization’s login page. If your identity provider has single sign-on (SSO) enabled, it will automatically log users in and then display one of the errors below if an issue occurs:

  • Sorry, could not create a session - 'The username could not be obtained from the configured server variable.'
  • 500 – Internal Server Error - Message was signed, but signature could not be verified.

Resolution

Issue 1: Sorry, could not create a session - 'The username could not be obtained from the configured server variable.'

  1. Determine if the error occurs for all Axiom Budgeting and Performance Reporting users who use SAML authentication, by having multiple users attempt to log in.

    • If all users encounter the error, please contact Axiom Support (support@kaufmanhall.com) for assistance.
    • If the error only occurs for a specific user, continue to step 2 for further troubleshooting.
  2. Contact your designated Master System User for Axiom Budgeting and Performance Reporting, and ask them to verify the following for the user who cannot log in:

    • The user exists in Axiom Budgeting and Performance Reporting security as an active user.
    • The user's login name in Axiom Budgeting and Performance Reporting matches the login name for your organization's SAML identity provider.
    • The user's assigned authentication type in Axiom Budgeting and Performance Reporting is SAML.

    Correct any of these settings for the user as needed.

  3. Once the user is set up correctly in Axiom Budgeting and Performance Reporting security, instruct the user to close and reopen their web browser, and then navigate to the URL for your Axiom Cloud Service system.

If you are not sure about the expected format of the login name, compare the user's login name in Axiom Budgeting and Performance Reporting to the login names of other users who do not encounter the error. The login name is determined by the identity provider administrator in your Information Technology department, and might use one of the following items of information:

  • SamAccountName (login name for Active Directory)
  • Email address
  • Employee ID number

If you need further assistance determining the appropriate format for the user's login name, please contact your local IT help desk.

Issue 2: 500 – Internal Server Error - Message was signed, but signature could not be verified.

This error occurs if your organization’s identity provider changed their signing certificate and has not provided the new certificate to Axiom Support.

IMPORTANT: Your Information Technology department is responsible for maintaining and renewing the signing certificate for your organization's identity provider. Every time your certificate is renewed, please have your Master System User contact Axiom Support to ensure that the new certificate is validated before it is implemented.

If your Information Technology department has already deployed the new certificate, please contact Axiom Support (support@kaufmanhall.com) and provide the following information:

  • IT contact information
  • New signing certificate information, or SAML metadata file with the new certificate information

Once Axiom Support receives and implements the new certificate, they will contact you to verify your ability to log in.

Outcome

Once the relevant issue has been corrected, users can be authenticated to your organization’s login page and then redirected to the Axiom Budgeting and Performance Reporting home page.

Article information

Category

Security

Applies To

Axiom Budgeting and Performance Reporting version 8.2 and up

Tags

SAML, 500 Internal Server Error, Authentication

Issue Number(s)

26504