Common IDP Misconfigurations

Tenable Vulnerability Management FedRAMP SAML/SSO is IDP initiated. As such, the most common errors are due to IDP misconfiguration. Often, the issue is a minor error such as a typo on an Entity ID. Other times, errors can be more complicated, like the misconfiguration of a transform rule preventing successful SAML authentication.

Note: FedRAMP Splunk includes an error tracker that provides helpful context for errors. If the initial troubleshooting in this guide does not fix the error, contact a FedRAMP Splunk support representative. Tenable Support can also examine errors to provide further insight for troubleshooting efforts.

The following are some of the most common IDP misconfiguration errors:

  • “incorrectly signed, or missing field”

    • This error typically indicates something is wrong with the certificate(s) in the idp.xml file. Since Tenable Vulnerability Management currently uses only the top certificate in the file, this error could indicate that the XML certificates are out of order. Identify the primary certificate with the customer. Usually, you can mitigate this error by manually selecting the correct certificate within Tenable Vulnerability Management.

    • Alternatively, the certificate may be expired. Inspect the file and make sure it does not include any expired certificates.

  • “This Username does not exist.”

    • Verify the following:

      1. The NameID

      2. The transform claim rule for the incoming claim is set to Email

      3. The outgoing claim type is configured to NameID

    • The signature may be showing as not validated in Splunk. Work with Tenable Support to use the correct certificate.

  • “{"error":"SAML login attempt failed."}”

    • The container has likely expired. Contact Tenable Support to review the Splunk logs for supporting information.

    • If the error includes the following warning:

      WARN [2022-xxxxx 13:38:06,520][dw-38 - POST /saml/login/xxxxxxxxxxx][X-Request-Uuid=xxxxxxxxxxxx][c.t.c.w.m.manager.UserManager] id-269: user-locate: Could not find a user: CacheLoader returned null for key (usernamexxxxxxxx)

      The customer's IDP.xml file is passing what appears to be only {lastname}{firstname_firsttwo} instead of {lastname}{firstname_firsttwo}@{domain}. The customer must adjust their claim and/or transform rules accordingly.

  • “{"error":"SAML login attempt failed - the SAML IdP configuration was found, but no username could be extracted from the SAML message (could be incorrectly signed, or missing a field)."}”

    • The following error in FedRAMP Splunk indicates SAML was not configured when the user attempted to log in with their username and password.

      User[[email protected]] is not permitted to authenticate with a password

  • “SAML validation failed against container xxxxxx-xxxxxxxxxx - org.opensaml.xml.validation.ValidationException: Assertion audience does not include issuer”

    • The problem is with the customer's SAML assertion configuration. In the IDP.xml file, check the Audience URI and SP Entity ID parameters. Additionally, verify that the NameID parameter is in the correct format.

  • Customers that have multiple Tenable Vulnerability Management FedRAMP containers, or that already have a commercial Tenable Vulnerability Management container configured for use with SAML, could also encounter an error where the IDP is unable to support multiple instances of the same Entity ID. If the Entity ID parameter is listed as anything other than NessusCloud, Tenable Support must be notified during the initial request of the FedRAMP container; they can provide an sp.xml file to send back to the customer with the appropriate information.
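As an added example (not Tenable's code), the following Python checks three of the conditions above against constructed idp.xml and assertion fragments: the order of signing certificates in the metadata (only the top one is used), whether the assertion's Audience includes the SP Entity ID (NessusCloud, as stated above), and whether the NameID is an email-format address that carries its @domain. The XML samples and the example.test names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for a customer's idp.xml: two signing certificates, with the
# current one listed second, so the service provider would use the wrong (top) one.
IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>OLDCERT...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>NEWCERT...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion: Audience names a different SP and the NameID lacks its @domain.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">smithjo</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.test/commercial</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""


def signing_certs(idp_xml):
    """Signing certificates in document order; only the first one is used by the SP."""
    root = ET.fromstring(idp_xml)
    certs = []
    for kd in root.findall(".//md:KeyDescriptor[@use='signing']", NS):
        certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    return certs


def check_assertion(assertion_xml, sp_entity_id):
    """Findings mapping to the 'audience does not include issuer' and 'Username does
    not exist' errors above; an empty list means both checks passed."""
    root = ET.fromstring(assertion_xml)
    findings = []
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(f"audience {audiences} does not include SP Entity ID {sp_entity_id!r}")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None:
        findings.append("assertion has no NameID")
    elif name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        findings.append(f"NameID {name_id.text!r} (Format={name_id.get('Format')}) is not an email address")
    return findings
```

Running `check_assertion(ASSERTION_XML, "NessusCloud")` on the constructed sample reports both the audience mismatch and the domain-less NameID; `signing_certs(IDP_XML)` shows the stale certificate listed first.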