KB1002
Troubleshooting SAML authentication errors
Summary
SAML (Security Assertion Markup Language) is a web-based authentication method available for Axiom Cloud Service systems. Users access Axiom Financial Planning by going to the URL for your cloud service system and authenticating to your organization’s login page. This article outlines some common errors associated with SAML authentication and how to resolve them.
Details
Axiom Support assists with the initial setup of SAML authentication. Once it is in use, the errors listed below may be encountered after adding new users, or if your Information Technology department made changes to your organization’s SAML identity provider.
The following errors may occur after users authenticate to your organization’s login page. If your identity provider has single sign-on (SSO) enabled, it will automatically log users in and then display one of the errors below if an issue occurs:
- Sorry, could not create a session - 'The username could not be obtained from the configured server variable.'
- 500 – Internal Server Error - Message was signed, but signature could not be verified.
Resolution
Issue 1: Sorry, could not create a session - 'The username could not be obtained from the configured server variable.'
1. Determine if the error occurs for all Axiom Financial Planning users who use SAML authentication, by having multiple users attempt to log in.
   - If all users encounter the error, please contact Axiom Support (support@kaufmanhall.com) for assistance.
   - If the error only occurs for a specific user, continue to step 2 for further troubleshooting.
2. Contact your designated Master System User for Axiom Financial Planning, and ask them to verify the following for the user who cannot log in:
   - The user exists in Axiom Financial Planning security as an active user.
   - The user's login name in Axiom Financial Planning matches the login name for your organization's SAML identity provider.
   - The user's assigned authentication type in Axiom Financial Planning is SAML.

   Correct any of these settings for the user as needed.
3. Once the user is set up correctly in Axiom Financial Planning security, instruct the user to close and reopen their web browser, and then navigate to the URL for your Axiom Cloud Service system.
If you are not sure about the expected format of the login name, compare the user's login name in Axiom Financial Planning to the login names of other users who do not encounter the error. The login name is determined by the identity provider administrator in your Information Technology department, and might use one of the following items of information:
- SamAccountName (login name for Active Directory)
- Email address
- Employee ID number
If you need further assistance determining the appropriate format for the user's login name, please contact your local IT help desk.
Issue 2: 500 – Internal Server Error - Message was signed, but signature could not be verified.
This error occurs if your organization’s identity provider changed their signing certificate and has not provided the new certificate to Axiom Support.
IMPORTANT: Your Information Technology department is responsible for maintaining and renewing the signing certificate for your organization's identity provider. Every time your certificate is renewed, please have your Master System User contact Axiom Support to ensure that the new certificate is validated before it is implemented.
If your Information Technology department has already deployed the new certificate, please contact Axiom Support (support@kaufmanhall.com) and provide the following information:
- IT contact information
- New signing certificate information, or SAML metadata file with the new certificate information
Once Axiom Support receives and implements the new certificate, they will contact you to verify your ability to log in.
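The check below is an added example, not Axiom tooling or part of the original article: it reads the signing certificates from an identity provider's SAML metadata file and compares them with the fingerprint the service provider currently trusts, so a certificate change is noticed before logins fail with the signature error. The namespace URIs are the standard SAML 2.0 ones; the function names, the sample metadata and the certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_fingerprints(metadata_xml: str) -> set:
    """SHA-256 fingerprints of every signing certificate in IdP metadata."""
    # Assumes the file comes from your own IdP; use defusedxml for untrusted XML.
    root = ET.fromstring(metadata_xml)
    prints = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return prints

def rotation_status(metadata_xml: str, registered: str) -> str:
    """Compare metadata with the fingerprint registered at the service provider."""
    current = signing_fingerprints(metadata_xml)
    if not current:
        return "no-signing-cert"
    if registered.lower() not in current:
        return "rotated"           # registered cert is gone: signatures will not verify
    if len(current) > 1:
        return "rollover-pending"  # a new cert is published beside the registered one
    return "match"

# Constructed sample data: placeholder bytes stand in for DER-encoded certificates.
OLD, NEW = b"constructed-old-cert", b"constructed-new-cert"

def sample_metadata(*certs: bytes) -> str:
    kds = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(c).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" for c in certs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.test"><md:IDPSSODescriptor>{kds}'
            "</md:IDPSSODescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    registered = hashlib.sha256(OLD).hexdigest()
    for label, certs in (("before", (OLD,)), ("overlap", (OLD, NEW)), ("after", (NEW,))):
        print(label, rotation_status(sample_metadata(*certs), registered))
```

A "rollover-pending" or "rotated" result is the point at which the new certificate or metadata file should go to Axiom Support, as described above.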
Outcome
Once the relevant issue has been corrected, users can be authenticated to your organization’s login page and then redirected to the Axiom Financial Planning home page.
Article information
Category: Security
Applies To: Axiom Financial Planning version 8.2 and up
Tags: SAML, 500 Internal Server Error, Authentication
Issue Number(s): 26504