SAML_SSO fails in production environment

0
After running the SAML procedure in the acceptance environment everything was fine. Now we try to do the same in the production environment but can't get it to work. The given error in the log is that the SAML hasn't been correctly initialized; but looking at the settings everything is the same (except for the Production instead of QA items, of course). Can someone explain to me what part they mean by the SAML handler, and where there could be something differentiating from the acceptance environment?

Best Regards, Arnold
asked
5 answers
1

Have you configured SAMLConfiguration_Overview to be shown somewhere in your application?

If yes, please take a look at the details of the error there.

The Metadata is null or empty or not configured. Probably there are some configuration issues with your Metadata.

Try to re-create the metadata in production, export the metadata and hand it over to the IdP, so they can add the metadata in their production version too. You cannot simply use the same metadata from acceptance.

UPDATE

LoginHandler.java

```java
// From the SAML module's LoginHandler: the error in the question is raised
// when no IdP metadata has been loaded into the SAML context.
IdpMetadata idpMetadata = context.getIdpMetadata();
if (idpMetadata == null)
    throw new SAMLException("SAML hasn't been correctly initialize. Please restart the SAML handler.");
```

answered
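The check below is an added example, not part of the answer above or of the Mendix SAML module: it inspects an exported IdP metadata document the way the module's null/empty check does, and additionally confirms the entityID is the production one (not the acceptance one), that an SSO endpoint exists and that a signing certificate is present. The sample metadata and entity IDs are constructed placeholders.

```python
"""Sanity-check IdP metadata before handing it to the SAML module."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a minimal production IdP metadata document.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/prod">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB-placeholder-certificate</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/prod/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text, expected_entity_id):
    """Return a list of problems; an empty list means the metadata looks usable."""
    # Same condition the module's LoginHandler trips on: nothing loaded at all.
    if not xml_text or not xml_text.strip():
        return ["metadata is null or empty"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"metadata is not well-formed XML: {exc}"]
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    problems = []
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:  # catches acceptance metadata reused in production
        problems.append(f"entityID {entity_id!r} does not match expected {expected_entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor: this is not IdP metadata"]
    endpoints = idp.findall("md:SingleSignOnService", NS)
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    for ep in endpoints:
        if not ep.get("Location", "").startswith("https://"):
            problems.append(f"SSO endpoint is not https: {ep.get('Location')}")
    cert_path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    if not any(c.text and c.text.strip() for c in idp.findall(cert_path, NS)):
        problems.append("no X509 certificate: SAML responses cannot be verified")
    return problems
```

Run it against the metadata file you exported from the IdP's production side; any non-empty result is worth fixing before restarting the SAML handler.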
1

Hi Arnold,

Have you added the startup flow appropriately?

I would also have a look at the debugging steps here: https://docs.mendix.com/appstore/modules/saml#5-debugging-the-configuration. Begin by turning the logging up to TRACE for the SAML_SSO node, and see what else is shown in your logfile. There are many things that can be configured differently between environments.


answered
1

The metadata appears to be okay as far as my knowledge reaches.

answered
1

For Firefox there is a plugin, SAML tracer. You can use that to check all the SAML traffic. And do set the log node on your production environment to trace so you get the elaborate logs instead of the less descriptive ones. And the problem is in the SAML response. So you need to download the response to the request and inspect that one. So check the SAML requests.

Regards,

Ronald


answered
1

Thanks all for the response.

Eventually I have found a colleague who figured out that the MyID account was set properly, but not activated.

That's why the SAML responses were empty.

Regards, Arnold


answered