Troubleshooting
SAML Gateway
Debug logging can be enabled on the Logging tab of the administrative console, accessible via a web browser at <SAML gateway>/saml/web/logging.
Common Issues
Issue: When generating new metadata, the drop-downs for the "Signing key" and "Encryption key" fields are blank.
Resolution: Verify that the keystore alias for the encryption key was created using lowercase letters and that the default keystore values in saml.properties have been changed to reflect the keystore being used.
Issue: Lawtrac log-in fails with the following exception in the SAML Gateway log:
"org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for entity <name> and role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor wasn't found."
Resolution: Verify that the value of sp.entityID in saml.properties matches the entity ID of the Service Provider.
Issue: Lawtrac log-in fails with the following exception in the SAML Gateway log:
"ArtifactResolutionProfileBase.resolveArtifact | Could not decode artifact response message. org.opensaml.ws.message.decoder.MessageDecodingException: Error when sending request to artifact resolution service.
Caused by: javax.net.ssl.SSLHandshakeException: org.springframework.security.saml.trust.UntrustedCertificateException: Peer SSL/TLS certificate."
Resolution: Check the certificate details in the log file. If the exception is for the IdP domain, import the root certificate for the IdP domain into the SAML Gateway application's keystore. The IdP URL is defined in idp.xml in the WEB-INF/classes/metadata folder of the application.
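The two metadata-related issues above (an sp.entityID that does not match the Service Provider metadata, and an IdP endpoint whose TLS certificate the gateway keystore does not trust) can both be caught before a login is attempted. The following preflight script is an added example, not part of the Lawtrac or SAML Gateway product: it parses a saml.properties file and the SP metadata to confirm that sp.entityID names an entity that actually carries an SPSSODescriptor role (the exact condition behind the MetadataProviderException), and it extracts every endpoint host from idp.xml so you know which domains' certificates must be present in the keystore. The property file contents, the metadata documents and the list of trusted host names are all constructed sample data; in a real deployment the trusted list would come from the keystore (for example the output of the JDK's keytool -list).

```python
"""Preflight checks for a SAML Gateway deployment (added example, not product code).

Check 1: sp.entityID in saml.properties must equal the entityID of an
         EntityDescriptor in the SP metadata that has an SPSSODescriptor.
Check 2: every endpoint host in idp.xml must appear in the set of hosts whose
         certificates the gateway keystore trusts (constructed set here).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_sp_entity_id(properties_text, sp_metadata_xml):
    """Return (ok, message) for the sp.entityID / SPSSODescriptor consistency check."""
    configured = parse_properties(properties_text).get("sp.entityID")
    root = ET.fromstring(sp_metadata_xml)
    # EntityDescriptor may be the root or nested inside an EntitiesDescriptor.
    entities = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entities[ed.get("entityID")] = ed.find(f"{{{MD_NS}}}SPSSODescriptor") is not None
    if configured is None:
        return False, "sp.entityID is not set in saml.properties"
    if configured not in entities:
        return False, f"no EntityDescriptor with entityID {configured!r}; found {sorted(entities)}"
    if not entities[configured]:
        return False, f"entity {configured!r} has no SPSSODescriptor role"
    return True, f"sp.entityID {configured!r} matches an SP entity in the metadata"


def idp_endpoint_hosts(idp_metadata_xml):
    """Collect the host names of every Location/ResponseLocation in the IdP metadata."""
    hosts = set()
    for el in ET.fromstring(idp_metadata_xml).iter():
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url:
                hosts.add(urlparse(url).hostname)
    return hosts


def untrusted_idp_hosts(idp_metadata_xml, trusted_hosts):
    """Hosts the gateway will contact but whose certificates are not in the trust set."""
    return sorted(h for h in idp_endpoint_hosts(idp_metadata_xml) if h not in trusted_hosts)


# --- constructed sample inputs (not real deployment files) -------------------
SAML_PROPERTIES = """
# constructed saml.properties excerpt
sp.entityID=https://lawtrac.example.test/saml/metadata
"""

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://lawtrac.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lawtrac.example.test/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="0"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.test/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the hosts whose root certificates are in the keystore.
TRUSTED_HOSTS = {"idp.example.test"}

if __name__ == "__main__":
    ok, msg = check_sp_entity_id(SAML_PROPERTIES, SP_METADATA)
    print(("OK  " if ok else "FAIL") + " " + msg)
    missing = untrusted_idp_hosts(IDP_METADATA, TRUSTED_HOSTS)
    if missing:
        print("FAIL IdP hosts without a trusted certificate in the keystore:", missing)
    else:
        print("OK   all IdP endpoint hosts are trusted")
```

Passing the IdP metadata as if it were the SP metadata reproduces the "role SPSSODescriptor wasn't found" condition: the entity is present but carries only an IDPSSODescriptor, so the check reports the missing role rather than a missing entity. For the second check, any host reported as untrusted is one whose root certificate needs to be imported into the gateway keystore with keytool -importcert before the artifact resolution call can complete its TLS handshake.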
Issue: Single Sign On (SSO) works correctly until a user logs in through the SSO Bypass page. If the bypassed user does not log out, Lawtrac will not re-authenticate with the SSO Service when an SSO user attempts to log in by navigating to the Lawtrac URL.
Resolution: If a user logs in using the bypass feature, they must log out when done.