Troubleshooting and Common Errors

General Troubleshooting

Ensure the IdP information includes the following:

  • SSO URL/Login URL/Reply URL: The URL provided by Tenable (for example, https://cloud.tenable.com/saml/login/xxxxxxxxxxxxxxxxxxxxx)

  • Recipient URL = The recipient URL provided by Tenable (as listed above)

  • Destination URL = The destination URL provided by Tenable (as listed above)

  • Audience Restriction (Entity ID) = A unique ID per SAML configuration.

  • Check if the NameID parameter is set to Unspecified. Sometimes this works initially because the default was “user.email”, but in some cases may need to be reconfigured:

    • Choose the NameID format and the application username sent to your application in the SAML response (for example EmailAddress and Email)

    • In the Attribute Statements (optional) section, type the SAML attributes to be shared with your application. For example:

      • Name (in SAML application) Value (in Idp profile)

      • FirstName user.firstName

      • LastName user.lastName

      • Email user.email (edited)

Common IdP Misconfigurations

Reminder: Tenable does not support SP-Initiated SAML flow.

  • Tenable SAML is IdP-initiated. As such, the most common errors are due to IdP misconfiguration. The most common errors are an incorrect Entity ID or attempting to log in with a username that is not in the correct format ([email protected]).

  • If user auto provisioning is disabled, ensure the user already exists in the container where the SAML configuration was created.

  • Ensure that the certificate setup in the IdP configuration matches the certificate in the SP (Tenable application SAML) configuration, otherwise, the SP (Tenable application) rejects authentication.

  • If there are multiple SAML configurations for the same container, ensure the correct SP metadata is uploaded to the correct/matching IdP configuration that the IdP metadata was originally provided from.

Error Messaging

The following are some of the most common IDP misconfiguration errors:

This error typically indicates something is wrong with the certificate/s in the idp.xml file. Since Tenable currently only uses the top certificate in the file, this error could indicate your XML certificates are out of order. Identify the primary certificate with the customer. Usually, you can mitigate this error by manually selecting the correct certificate within the Tenable product.

Alternatively, the certificate may be expired. Inspect the file and make sure it does not include any expired certificates.

Verify the following:

  • The NameID

  • The transform claim rule for the incoming claim is set to Email

  • The outgoing claim type is configured to NameID

The signature may be showing as not validated in Splunk. Work with Tenable Support to use the correct certificate.

This error is usually caused because the user is not a part of the correct group configured within their IdP. Review the instructions for your IdP and ensure that the appropriate users and groups are created within your IdP so they can be linked to your Tenable application.

The container has likely expired. Contact Tenable Support to review the Splunk logs for supporting information.

If the error includes the following warning:

WARN [2022-xxxxx 13:38:06,520][dw-38 - POST /saml/login/xxxxxxxxxxx][X-Request-Uuid=xxxxxxxxxxxx][c.t.c.w.m.manager.UserManager] id-269: user-locate: Could not find a user: CacheLoader returned null for key (usernamexxxxxxxx)

Their IDP.xml file is passing what appears to be just {lastname}{firstname_firsttwo} instead of {lastname}{firstname_firsttwo}@{domain}. The customer must adjust their claim and/or transform rules accordingly.

The following error in Splunk indicates SAML was not configured when the user attempted to log in with their username and password.

User[[email protected]] is not permitted to authenticate with a password

The problem is with the customer SAML assertion configuration. In the IDP.xml file, check the Audience URI or SP Entity ID parameters. Additionally, verify the NameID parameter is in the correct format.

Example: Manually Verify a SAML Payload

The following code block is an example of a payload that could be used to manually verify a payload from any IdP.

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="pfxb5fecfdb-d5fa-15d3-b5ad-11b536934de7" Version="2.0" IssueInstant="2024-07-18T18:24:35Z"><saml:Issuer>https://app.onelogin.com/saml/metadata/b9eb8883-9b3e-46c9-9a45-5f7416126842</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#pfxb5fecfdb-d5fa-15d3-b5ad-11b536934de7"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>8V8eFYjAL6l41w9JYDINVsr4AZo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID3...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx1f4d6d80-506e-e027-c18c-5e85ac6d924d" IssueInstant="2024-07-18T18:24:35Z"><saml:Issuer>https://app.onelogin.com/saml/metadata/b9eb8883-9b3e-46c9-9a45-5f7416126842</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#pfx1f4d6d80-506e-e027-c18c-5e85ac6d924d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>clPz/vMiLfFvQZE1E3fmgVO68DA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>U1glVB...</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID3DCCA...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2024-07-18T18:27:35Z" Recipient=""/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2024-07-18T18:21:35Z" NotOnOrAfter="2024-07-18T18:27:35Z"><saml:AudienceRestriction><saml:Audience>TENABLE_IO_e0eafdb2-e306-4ce7-b87d-c17f760cb717</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2024-07-18T18:24:34Z" SessionNotOnOrAfter="2024-07-19T18:24:35Z" SessionIndex="_2e134fe6-aa86-49c7-9eb1-0d29a683ed1c"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="groups"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOME_AD_GROUP</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

Important! The attribute name, groups, and its value, must match the group name you set within your application. For reference, see the following snippet from the above code block:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="groups"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GROUP_NAME</saml:AttributeValue></saml:Attribute>