SAML - Blank screen after logging in / No Request and/or response

Hello all,

We have several issues with one of our apps and SAML, not sure if they are all related. I’ve been digging through logs and checking the forum for possible solutions but nothing is standing out as the cause.

In the SAML log and SAML Requests I see, fairly frequently, the following behaviour:

Under SAML Requests:
- A cross on the request, a tick for response, no Request Id, no principal.
- A tick on request, an X on Response, no date time, a request ID but no principal.

It appears to me that on the occasions we get an X under the SAML Requests Request/Response headers, it’s closely followed by green ticks across the board. It’s almost like it didn’t work first time, but almost instantly afterwards the user was able to log in.

Under the log: X’s with the message “No request found with id “xxx-xxx-….” The system logs are FULL of messages regarding SAML, with lots of SAML Request/Response: Null (makes sense, it’s what we see in the SAML Requests view). It’s also printing the response when the request is null. This is a big wall of text that is cluttering up the logs. I’ve not seen any of our other apps which have SAML also behave this way.

Users are getting a blank page after logging in. This is intermittent, seems to affect people at different times, it’s not always the same people, seemingly can happen to any of the users. The users are greeted by the Okta login page, they enter their credentials, they are re-directed to the correct page, but it’s just blank. The logs will say the login was successful, the request and response look valid in the SAML Requests overview. By getting the user to clear their browsers, open in a new browser or open a new Private/Incognito window and trying again, they will not get the blank page.

Under the IDP Metadata tab / Name ID Format, we have two values here. One is emailAddress, which is what we are using for the mapping, the second is simply unspecified. The full Name ID Format for this is: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. We have to go to an internal team here that provides us with the metadata file that we import during the SAML configuration. This unspecified value would have been in the metadata file they provided us. I’ve gone through some of our other apps and some have this unspecified name id format, others do not. To me this seems incorrect and a possible cause of the issues? Is anyone able to shed some light on how these Name ID Format fields work, where they’d be picked up/used and how having two would work?

Sorry for there being so much to go through. Wanted to provide as much information as possible to try and resolve the problems we are facing and to get a better understanding of SAML integration. Thanks!

Rich
asked
1 answer

I have multiple Okta SAML connections working. One of the things you need to tick is the Allow Idp Initiated Authentication option. That one is probably off in your setup. That is why you see a response without a request.

So that will probably solve 1 and 2. Those white pages are strange. I have not encountered those. And 4 is correct so that will not be the issue.

I would adjust the setting and see what happens.

Regards,

Ronald


answered
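The two symptoms discussed above (a response with no matching request, logged as "No request found with id", and a NameID with the unspecified format) come down to two checks an SP performs on every SAML Response. The following is an added illustration, not code from the forum post or from any SAML module: it inspects a Response's InResponseTo against the SP's set of outstanding request IDs, treats a Response with no InResponseTo as IdP-initiated (accepted only when that flow is allowed, otherwise rejected), consumes a matched ID so the same response cannot be accepted twice, and reads the NameID Format, falling back to the unspecified URN when the attribute is absent (the default SAML 2.0 Core defines). The sample responses are constructed inline; element IDs and the address are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def classify_response(xml_text, outstanding_ids, allow_idp_initiated=False):
    """Return (verdict, request_id, name_id, name_id_format).

    outstanding_ids is the mutable set of AuthnRequest IDs the SP issued and
    has not yet seen a response for; a matched ID is removed (single use).
    Signature validation is out of scope here and must happen before this.
    """
    root = ET.fromstring(xml_text)
    request_id = root.get("InResponseTo")          # absent on IdP-initiated flows
    name_id_el = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text if name_id_el is not None else None
    # SAML 2.0 Core: a NameID without Format is governed by the unspecified URN
    fmt = name_id_el.get("Format", UNSPECIFIED) if name_id_el is not None else None

    if request_id is None:
        verdict = "idp-initiated-accepted" if allow_idp_initiated else "idp-initiated-rejected"
    elif request_id in outstanding_ids:
        outstanding_ids.discard(request_id)        # consume: no second acceptance
        verdict = "sp-initiated-matched"
    else:
        verdict = "no-request-found"               # the log line from the question
    return verdict, request_id, name_id, fmt


def sample_response(in_response_to=None, name_id_format=None):
    """Constructed minimal Response (unsigned, placeholder IDs) for illustration."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    fmt = f' Format="{name_id_format}"' if name_id_format else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' ID="_resp1" Version="2.0"{irt}>'
            f'<saml:Assertion ID="_asrt1" Version="2.0"><saml:Subject>'
            f'<saml:NameID{fmt}>user@example.com</saml:NameID>'
            f'</saml:Subject></saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    pending = {"_req1"}
    print(classify_response(sample_response("_req1", EMAIL), pending))
    print(classify_response(sample_response("_req1", EMAIL), pending))   # replay: no-request-found
    print(classify_response(sample_response(), set()))                    # unsolicited, not allowed
    print(classify_response(sample_response(), set(), allow_idp_initiated=True))
```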