Troubleshooting common SAML issues
This guide outlines steps to troubleshoot common issues you may encounter with SAML authentication in Google SecOps SOAR. Here are some common SAML authentication errors and their solutions:
Error 1: Application not found in directory
Message: AADSTS700016: Application with identifier 'https://xxx.xxxxxx.com/api/auth/saml/metadata' was not found in the directory 'xxx'.
Explanation: There's a mismatch between the Basic SAML Configuration of the enterprise application in Azure AD and the SAML settings in Google SecOps SOAR, so Azure AD cannot find an application registered under the identifier that SOAR sent.
Fix: Make sure the Application Client ID field in Google SecOps SOAR contains the Application ID from the Azure AD application, and that the Identifier (Entity ID) configured in Azure AD matches the metadata URL shown in the error message.
Error 2: Invalid value for saml:AuthnContextDeclRef
Message: Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenReadException: IDX13102: Exception thrown while reading 'System.String' for Saml2SecurityToken. Inner exception: System.ArgumentException.
Explanation: The SAML response contains a saml:AuthnContextDeclRef element whose value is invalid, and the token reader rejects the assertion while parsing it.
Fix: Capture the login in a HAR file, decode the SAMLResponse and look for this element. If the IdP (Identity Provider) is supplying an invalid value, the easiest solution is to configure the IdP to stop sending AuthnContextDeclRef entirely. This option may be available in your IdP configuration settings.
Error 3: System.ArgumentException: 'System.String' must be an absolute URI
Message: System.ArgumentException: 'System.String' must be an absolute URI. Location in the SAML response: the saml:Subject element, immediately after </ds:Signature>.
Explanation: The Format attribute of the NameID element in the SAML response is not an absolute URI. Google SecOps SOAR expects one of the standard name-identifier format URIs for user identification.
Fix: Set the DefaultNameIDFormat parameter in your SAML configuration to one of the following options:
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (most common)
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Error 4: User attributes not found and LoginIdentifier field is required
Message (in Google Cloud logs): Server error: Login error for user _xxxxxxxxxxxxxxxxxxxxx. User attributes were not found for creating new, followed by Error: register : The LoginIdentifier field is required.
Explanation: This error occurs when Just-In-Time (JIT) provisioning is enabled in Google SecOps SOAR. The system attempts to locate a user based on the NameIdentifier received from the IdP, but the value doesn't match any existing login ID in SOAR, and the response carries no attribute that SOAR can use as the LoginIdentifier of a new user.
Fix: Configure the IdP to send, as the NameID, a value that matches the LoginID field in Google SecOps SOAR user management (Settings > User Management). This value might be the user's email address or another unique identifier; it must match exactly.
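Errors 2, 3 and 4 are all diagnosed the same way: pull the SAMLResponse out of a HAR capture of the login and read three things from the assertion, the AuthnContextDeclRef value, the NameID Format attribute and the NameID value. The following script does that. It is an added example for this guide, not Google SecOps SOAR code; it assumes the IdP posts the response in the standard SAMLResponse form field (HTTP-POST binding) and that the HAR was saved by a browser. The sample response it builds is constructed and unsigned; a real one carries a ds:Signature, which this inspection does not need.

```python
"""Inspect a SAMLResponse captured in a HAR file for the values behind
Errors 2, 3 and 4: AuthnContextDeclRef, NameID Format and the NameID value.
Added example for this troubleshooting guide, not Google SecOps SOAR code."""
import base64
import json
import sys
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The NameID formats listed in the fix for Error 3.
ACCEPTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}


def is_absolute_uri(value):
    """True if value has a scheme plus a path or authority ('urn:...' passes,
    a bare word such as 'emailAddress' or an empty string does not)."""
    if not value:
        return False
    parsed = urlparse(value)
    return bool(parsed.scheme) and bool(parsed.netloc or parsed.path)


def saml_responses_from_har(har):
    """Yield decoded SAMLResponse XML from every POST entry of a parsed HAR.
    HAR stores form values URL-encoded on top of the base64 layer."""
    for entry in har["log"]["entries"]:
        for param in entry["request"].get("postData", {}).get("params", []):
            if param.get("name") == "SAMLResponse":
                yield base64.b64decode(unquote(param["value"])).decode("utf-8")


def inspect_response(xml_text):
    """Return the values that matter for Errors 2-4 plus a list of findings."""
    root = ET.fromstring(xml_text)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    decl_ref = root.find(".//saml:AuthnContext/saml:AuthnContextDeclRef", NS)
    findings = []
    # Error 2: if AuthnContextDeclRef is sent at all, it must be an absolute URI.
    decl_value = (decl_ref.text or "").strip() if decl_ref is not None else None
    if decl_ref is not None and not is_absolute_uri(decl_value):
        findings.append("AuthnContextDeclRef is not an absolute URI: %r" % decl_value)
    # Error 3: the NameID Format attribute must be an absolute URI.
    name_id = fmt = None
    if nameid is None:
        findings.append("no saml:Subject/saml:NameID in the assertion")
    else:
        fmt = nameid.get("Format", "")
        name_id = (nameid.text or "").strip()
        if not is_absolute_uri(fmt):
            findings.append("NameID Format is not an absolute URI: %r" % fmt)
        elif fmt not in ACCEPTED_NAMEID_FORMATS:
            findings.append("NameID Format %r is not one of the listed formats" % fmt)
        # Error 4: the value must exist; compare it by hand with the SOAR LoginID.
        if not name_id:
            findings.append("NameID is empty; JIT provisioning has no LoginIdentifier")
    return {"name_id": name_id, "name_id_format": fmt,
            "authn_context_decl_ref": decl_value, "findings": findings}


def build_response(name_id_format, name_id, decl_ref=None):
    """Constructed, unsigned SAML response used as sample input (hypothetical IdP)."""
    decl = (f"<saml:AuthnContextDeclRef>{decl_ref}</saml:AuthnContextDeclRef>"
            if decl_ref is not None else "")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        {decl}
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def har_with_response(xml_text):
    """Constructed minimal HAR wrapping one HTTP-POST binding of xml_text."""
    encoded = quote(base64.b64encode(xml_text.encode()).decode())
    return {"log": {"entries": [{"request": {
        "method": "POST", "url": "https://soar.example.com/api/auth/saml/acs",
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "params": [{"name": "SAMLResponse", "value": encoded}]}}}]}}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python inspect_saml.py login.har
        with open(sys.argv[1], encoding="utf-8") as fh:
            har = json.load(fh)
    else:  # no file given: run on a constructed response that trips Errors 2 and 3
        har = har_with_response(build_response("emailAddress", "alice@example.com", "unspecified"))
    for xml_text in saml_responses_from_har(har):
        print(json.dumps(inspect_response(xml_text), indent=2))
```

Run it against the saved HAR; an empty findings list with a NameID that matches the user's LoginID in Settings > User Management means the response itself is not the cause and the problem is on the SOAR side (Error 5 or a configuration mismatch).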
Error 5: User type mismatch
Message: Login error for user user@user.com. User type (Internal) does not match to this type of authentication (External).
Explanation: This error indicates that an existing user with the same username (LoginID) is configured as an Internal user in Google SecOps SOAR. SAML authentication in Google SecOps SOAR can only be used with dedicated External users.
Fix: Change the user type of the existing user with the conflicting username to External so that it matches the SAML authentication method.
Error 6: Redirect Loop
If your instance is configured for automatic redirection to the IdP login page and you encounter a continuous redirect loop, you can temporarily disable auto-redirection by appending the following text to your instance hostname:
/#/login?autoExternalLogin=false
For example: https://<your-instance-hostname>/#/login?autoExternalLogin=false. This opens the local login page so you can sign in and correct the SAML configuration.