Troubleshooting SAML Authentication
You may encounter problems with SAML 2.0 authentication in two broad areas, covered in the sections below:
- SAML assertion errors
- Encryption or signing errors
SAML Assertion Errors
You may encounter errors if your SAML response isn't properly formed, or if there is a configuration mismatch between the SAML engine variables in memsql. and the response sent by your identity provider. The errors in this group are:
- The SAML Assertion did not have a valid saml_user_name_attribute Attribute
- The SAML Response did not have any Assertions
- Assertion is no longer valid
- Assertion is not yet valid
- Assertion contains an unacceptable AudienceRestriction
The SAML Assertion did not have a valid saml_user_name_attribute Attribute
This error is often caused by a configuration mismatch between the value of saml_user_name_attribute in memsql. and the AttributeStatement found in your identity provider's SAML response.
Consider the following example, which will cause an error:
...
saml_user_name_attribute = username
...
...
<saml:AttributeStatement>
<saml:Attribute Name="userID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">johndoe</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
...
In the example above, saml_user_name_attribute in memsql. is set to username, but the SAML response has an attribute named userID. To resolve the error, set saml_user_name_attribute to userID instead of username.
The SAML Response did not have any Assertions
If your SAML response does not contain any assertions about a subject, this error will appear.
Assertion is no longer valid
If a SAML assertion contains a <saml:Conditions> element with a NotOnOrAfter attribute that is set to a time in the past, the assertion is invalid.
Assertion is not yet valid
If a SAML assertion contains a <saml:Conditions> element with a NotBefore attribute that is set to a time in the future, the assertion is invalid until that time is reached.
Assertion contains an unacceptable AudienceRestriction
If a SAML assertion contains a <saml:AudienceRestriction> element, one of the listed audiences must match the value of the saml_assertion_audience engine variable in memsql.
Consider the following example, which will cause an error:
...
saml_assertion_audience = https://memsql.com
...
...
<saml:AudienceRestriction>
<saml:Audience>https://my.example.com/service/</saml:Audience>
<saml:Audience>https://my.otherexample.com/service/</saml:Audience>
</saml:AudienceRestriction>
...
In the example above, saml_assertion_audience in memsql. is set to https://memsql.com, but the SAML response does not list that audience.
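The checks described in this section, written out as an added Python example. This is illustrative code for this page, not SingleStore's own validation logic: the engine settings and the identity-provider response below are constructed samples, and the only engine variables assumed are the two shown above (saml_user_name_attribute and saml_assertion_audience). Running it against the sample response with the settings from this page reports the audience and attribute mismatches; correcting both settings makes the assertion pass, and moving the clock outside the Conditions window reproduces the two time-based errors.

```python
"""Added example for this page: reproduce the assertion checks the section above
describes. This is illustrative code, not SingleStore's own SAML validation;
the engine settings and the SAML response below are constructed samples, and the
only engine variables assumed are the two shown on this page."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed engine settings, mirroring the memsql. snippets on this page.
ENGINE_CONFIG = {
    "saml_user_name_attribute": "username",
    "saml_assertion_audience": "https://memsql.com",
}

# Constructed identity-provider response (unsigned; signature validation and
# decryption are outside the scope of this example).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Conditions NotBefore="2021-04-24T10:00:00Z" NotOnOrAfter="2021-04-24T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://my.example.com/service/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="userID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">johndoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# A constructed clock value that lies inside the sample assertion's validity window.
SAMPLE_NOW = datetime(2021, 4, 24, 10, 2, tzinfo=timezone.utc)


def parse_saml_time(value):
    """Parse an xs:dateTime as used in SAML Conditions; a trailing 'Z' means UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_assertion(response_xml, config, now):
    """Return the errors (worded as on this page) for the first assertion in the
    response; an empty list means every check passed."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return ["The SAML Response did not have any Assertions"]
    assertion = assertions[0]
    errors = []

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        if not_before and now < parse_saml_time(not_before):
            errors.append("Assertion is not yet valid")
        not_on_or_after = conditions.get("NotOnOrAfter")
        # NotOnOrAfter is exclusive: the assertion expires exactly at that instant.
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            errors.append("Assertion is no longer valid")
        restriction = conditions.find("saml:AudienceRestriction", NS)
        if restriction is not None:
            audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
            if config["saml_assertion_audience"] not in audiences:
                errors.append("Assertion contains an unacceptable AudienceRestriction")

    # The attribute named by saml_user_name_attribute must be present with a value.
    wanted = config["saml_user_name_attribute"]
    values = [
        v.text
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == wanted
        for v in attr.findall("saml:AttributeValue", NS)
        if v.text
    ]
    if not values:
        errors.append("The SAML Assertion did not have a valid %s Attribute" % wanted)
    return errors


if __name__ == "__main__":
    for err in check_assertion(SAMPLE_RESPONSE, ENGINE_CONFIG, SAMPLE_NOW):
        print("error:", err)
    fixed = dict(ENGINE_CONFIG, saml_user_name_attribute="userID",
                 saml_assertion_audience="https://my.example.com/service/")
    print("after fixing both engine variables:", check_assertion(SAMPLE_RESPONSE, fixed, SAMPLE_NOW))
```

The checks run in the same order the page lists them after the assertion-presence check, so a response can report several problems at once; when debugging a real deployment, compare the engine variable values against the raw XML from the identity provider exactly as this function does, since a trailing slash or a different attribute Name is enough to fail the comparison.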
Encryption or Signing Errors
You may encounter errors if there are any misconfigured or nonexistent keys when a SAML response is processed, especially if it contains encrypted elements. The errors in this group are:
- Digital signature does not validate with the supplied key
- Unable to decrypt EncryptedKey element
- Unable to decrypt EncryptedData element
Digital signature does not validate with the supplied key
If a SAML response is digitally signed using an identity provider's private key, it must be validated using the paired public key. That public key is configured through the saml_ engine variable.
Unable to decrypt EncryptedKey element
Since asymmetric encryption is inefficient for large amounts of data, a SAML identity provider typically encrypts each response with a fresh symmetric key that it generates for that response, and then encrypts that symmetric key with the recipient's public key.
If the EncryptedKey element was encrypted by the identity provider using a supplied public key, it must be decrypted using the paired private key. That private key is configured through the saml_ engine variable.
Last modified: April 24, 2021