Troubleshooting and Common Errors

General Troubleshooting

Ensure the IdP information includes the following:

  • SSO URL/Login URL/Reply URL: The URL provided by Tenable (for example, https://cloud.tenable.com/saml/login/xxxxxxxxxxxxxxxxxxxxx)

  • Recipient URL: The recipient URL provided by Tenable (as listed above)

  • Destination URL: The destination URL provided by Tenable (as listed above)

  • Audience Restriction (Entity ID): The SP Entity ID provided by Tenable. It is unique per SAML configuration, and the Audience in the assertion must match it exactly.

  • Check the NameID format. Unspecified sometimes works at first because the default value is “user.email”, but in some cases it must be set explicitly:

    • Choose the NameID format and the application username sent to your application in the SAML response (for example, EmailAddress and Email).

    • In the Attribute Statements (optional) section, enter the SAML attributes to share with your application. For example:

      Name (in SAML application)    Value (in IdP profile)
      FirstName                     user.firstName
      LastName                      user.lastName
      Email                         user.email

Common IdP Misconfigurations

Reminder: Tenable does not support the SP-initiated SAML flow.

  • Tenable SAML is IdP-initiated, so the most common errors are due to IdP misconfiguration: an incorrect Entity ID, or an attempt to log in with a username that is not in the expected email-address format.

  • If user auto-provisioning is disabled, ensure the user already exists in the container where the SAML configuration was created.

  • Ensure that the signing certificate in the IdP configuration matches the certificate in the SP (Tenable application SAML) configuration; otherwise the SP (Tenable application) rejects the authentication.

  • If there are multiple SAML configurations for the same container, ensure that each SP metadata file is uploaded to the IdP configuration whose IdP metadata was originally used to create it.

  • The Tenable platform creates a user at the moment of that user's first successful SAML login; users are not pre-populated from group assignments in the IdP. During this initial provisioning login the platform prioritizes identity creation, which often results in assignment of a default baseline role. Tenable does not fully process the userRoleUuid claim mapping until the user logs out and logs in a second time.

Error Messaging

The following are some of the most common IdP misconfiguration errors:

  • “incorrectly signed, or missing field”

    This error typically indicates a problem with the certificates in the idp.xml file. Because Tenable currently uses only the top certificate in the file, this error can mean the certificates in the XML are out of order. Identify the primary certificate with the customer; usually you can resolve the error by manually selecting the correct certificate within the Tenable product.

    Alternatively, the certificate may be expired. Inspect the file and make sure it does not include any expired certificates.

  • “This Username does not exist.”

    Verify the following:

    • The NameID

    • The transform claim rule for the incoming claim is set to Email

    • The outgoing claim type is configured to NameID

    The Splunk logs may also show the signature as not validated. Work with Tenable Support to use the correct certificate.

  • {"statusCode":401,"error":"Unauthorized","message":"Missing authentication"}

    This error usually occurs because the user is not a member of the correct group configured in the IdP. Review the instructions for your IdP and ensure that the appropriate users and groups exist in your IdP so they can be linked to your Tenable application.

  • “{"error":"SAML login attempt failed."}”

    The container has likely expired. Contact Tenable Support to review the Splunk logs for supporting information.

    If the error includes the following warning:

    WARN [2022-xxxxx 13:38:06,520][dw-38 - POST /saml/login/xxxxxxxxxxx][X-Request-Uuid=xxxxxxxxxxxx][c.t.c.w.m.manager.UserManager] id-269: user-locate: Could not find a user: CacheLoader returned null for key (usernamexxxxxxxx)

    The IdP's assertion is passing what appears to be just {lastname}{firstname_firsttwo} as the username instead of {lastname}{firstname_firsttwo}@{domain}. The customer must adjust their claim and/or transform rules accordingly.

  • “{"error":"SAML login attempt failed - the SAML IdP configuration was found, but no username could be extracted from the SAML message (could be incorrectly signed, or missing a field)."}”

    The following error in Splunk indicates that the user attempted to log in with a username and password instead of through SAML; password authentication is not permitted for this user:

    User[[email protected]] is not permitted to authenticate with a password

  • “SAML validation failed against container xxxxxx-xxxxxxxxxx - org.opensaml.xml.validation.ValidationException: Assertion audience does not include issuer”

    The problem is with the customer's SAML assertion configuration. In the IDP.xml file, check the Audience URI or SP Entity ID parameters: the Audience in the assertion must match the SP Entity ID from the Tenable SAML configuration exactly. Additionally, verify that the NameID parameter is in the correct format.

Example: Manually Verify a SAML Payload

The following code block is an example SAML response that you can use as a reference when manually verifying the payload from any IdP. Signature and certificate values are truncated, so the example shows the expected structure and field values rather than a verifiable signature. Note that Recipient is empty in this capture; in a working configuration it should carry the Tenable login URL listed under General Troubleshooting. Note also that the example is signed with rsa-sha1 and sha1 digests; current IdP configurations generally use SHA-256.

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="pfxb5fecfdb-d5fa-15d3-b5ad-11b536934de7"
                Version="2.0"
                IssueInstant="2024-07-18T18:24:35Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/b9eb8883-9b3e-46c9-9a45-5f7416126842</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfxb5fecfdb-d5fa-15d3-b5ad-11b536934de7">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>8V8eFYjAL6l41w9JYDINVsr4AZo=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIID3...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  Version="2.0"
                  ID="pfx1f4d6d80-506e-e027-c18c-5e85ac6d924d"
                  IssueInstant="2024-07-18T18:24:35Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/b9eb8883-9b3e-46c9-9a45-5f7416126842</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#pfx1f4d6d80-506e-e027-c18c-5e85ac6d924d">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>clPz/vMiLfFvQZE1E3fmgVO68DA=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>U1glVB...</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIID3DCCA...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-07-18T18:27:35Z" Recipient=""/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-07-18T18:21:35Z" NotOnOrAfter="2024-07-18T18:27:35Z">
      <saml:AudienceRestriction>
        <saml:Audience>TENABLE_IO_e0eafdb2-e306-4ce7-b87d-c17f760cb717</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-07-18T18:24:34Z"
                         SessionNotOnOrAfter="2024-07-19T18:24:35Z"
                         SessionIndex="_2e134fe6-aa86-49c7-9eb1-0d29a683ed1c">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="groups">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOME_AD_GROUP</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Important! The attribute name (groups) and its value must match the group name you configured within your application. For reference, this is the corresponding element from the code block above, with GROUP_NAME standing in for your group name:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="groups"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GROUP_NAME</saml:AttributeValue></saml:Attribute>