Troubleshooting common SAML issues

This guide outlines steps to troubleshoot common issues you may encounter with SAML authentication in Google SecOps SOAR. Here are some common SAML authentication errors and their solutions:

Error 1: Application not found in directory

Message: AADSTS700016: Application with identifier 'https://xxx.xxxxxx.com/api/auth/saml/metadata' was not found in the directory 'xxx'.

Explanation: There's a mismatch between the configuration in Azure AD (Basic SAML) and Google SecOps SOAR.

Fix: Make sure you are using the Application ID from Azure AD in the **Application Client ID** field in Google SecOps SOAR.

Error 2: Invalid value for saml:AuthnContextDeclRef

Message: Microsoft.IdentityModel.Tokens.Saml2.Saml2Security TokenReadException: IDX13102: Exception thrown while reading 'System.String' for Saml2SecurityToken. Inner exception: System.ArgumentException.

Explanation: This error indicates an invalid value for saml:AuthnContextDeclRef in the SAML response.

Fix: Check your HAR file for this element. If the IdP (Identity Provider) is supplying an invalid value, the easiest solution is to configure the IdP to stop sending AuthnContextDeclRef entirely. This option may be available in your IdP configuration settings.

Error 3: System.ArgumentException: 'System.String' must be an absolute URI

Message: /ds:Signature>saml:Subject/saml:NameID

Explanation: This error relates to the format of the NameID element in the SAML response. Google SecOps SOAR expects a specific format for user identification.

Fix: Set the DefaultNameIDFormat parameter in your SAML configuration to one of the following options:

- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (**most common**)
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Error 4: User attributes not found and LoginIdentifier field is required

Message: Google Cloud logs show `Server error Login error for user _xxxxxxxxxxxxxxxxxxxxx. User attributes were not found for creating new`, followed by `Error: register : The LoginIdentifier field is required.`

Explanation: This error occurs when Just-In-Time (JIT) provisioning is enabled in Google SecOps SOAR. The system attempts to locate a user based on the NameIdentifier received from the IdP, but it doesn't match any existing login IDs in SOAR.

Fix: The IdP needs to be configured to send a value that matches the LoginID field in Google SecOps SOAR user management (Settings > User Management). This value might be the user's email address or another unique identifier.

Error 5: User type mismatch

Message: Login error for user user@user.com. User type (Internal) does not match to this type of authentication (External).

Explanation: This error indicates an existing user with the same username (LoginID) configured as Internal in Google SecOps SOAR. SAML authentication in Google SecOps SOAR can only be used with dedicated External users.

Fix: Change the user type of the existing user with the conflicting username to External to match the SAML authentication method.

Error 6: Redirect Loop

If your instance is configured for automatic redirection to the IdP login page, and you encounter a continuous redirect loop, you can temporarily disable auto-redirection by appending the following text to your instance hostname:

/#/login?autoExternalLogin=false