Troubleshooting SAML Authentication

The SAML Assertion did not have a valid saml_user_name_attribute Attribute

This error is often caused by a configuration mismatch. Ensure that your saml_user_name_attribute in the memsql.cnf file has been properly configured to identify the correct username AttributeStatement found in your identity provider’s SAML response.

Consider the following example, which will cause an error:

...
saml_user_name_attribute = username
...

...
<saml:AttributeStatement>
  <saml:Attribute Name="userID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">johndoe</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
...

In the examples above, the memsql.cnf file is configured to look for an attribute named username, but the SAML response has an attribute named userID. This configuration mismatch will result in errors, but can be easily resolved by updating the memsql.cnf file with userID instead of username.

The SAML Response did not have any Assertions

If your SAML response does not contain any assertions about a subject, this error will appear. Ensure that the identity provider is returning a valid SAML response that contains assertions about the authenticated user.

Assertion is no longer valid

If a SAML assertion contains a <saml:Conditions> element with a NotOnOrAfter attribute that is set to a time in the past, the assertion is invalid. If the SAML response originated from a trusted source, it is likely being delayed excessively during transport.

Assertion is not yet valid

If a SAML assertion contains a <saml:Conditions> element with a NotBefore attribute that is set to a time in the future, the assertion is invalid until the future date. If the SAML response originated from a trusted source, the identity provider could have an incorrect system time setting.

Assertion contains an unacceptable AudienceRestriction

If a SAML assertion contains an <saml:AudienceRestriction> element, the specified audience must match the saml_assertion_audience engine variable’s value in memsql.cnf. If the audiences do not match, the assertion is invalid.

Consider the following example, which will cause an error:

...
saml_assertion_audience = https://memsql.com
...

...
<saml:AudienceRestriction>
  <saml:Audience>https://my.example.com/service/</saml:Audience>
  <saml:Audience>https://my.otherexample.com/service/</saml:Audience>
</saml:AudienceRestriction>
...

In the examples above, the memsql.cnf file is configured to look for an audience named https://memsql.com, but the SAML response does not have that audience listed. This configuration mismatch will result in errors.

Digital signature does not validate with the supplied key

If a SAML response is digitally signed using an identity provider’s private key, it must be validated using the paired public key. This public key’s file path is specified in the memsql.cnf file for the saml_x509_certificate variable. If the SAML response cannot be read using the specified public key, then either the path points to the wrong public key file or the SAML response was signed with the wrong private key.

Unable to decrypt EncryptedKey element

Since asymmetric encryption is often inefficient for encrypting large amounts of data, it is standard for a SAML identity provider to encrypt SAML responses with a new symmetric key that it generates for each response. The SAML identity provider then encrypts the symmetric key using a supplied public key, and adds the result to the SAML response as an EncryptedKey element.

If a EncryptedKey element is encrypted using by the identity provider using a supplied public key, it must be decrypted using the paired private key. This public key’s file path is specified in the memsql.cnf file for the saml_private_decryption_key variable. If the SAML response cannot be read using the specified public key, then either the path points to the wrong public key file or the SAML response was signed with the wrong private key.