Troubleshooting SSO Issues
If you encounter an issue while configuring the SSO (SAML) integration, our Support Team will need the following information in order to reproduce the problem and assist you:
- Screenshots of the SSO configurations
- SAML request and response
- A trace log
Once you have gathered this information, submit a ticket through our Help Center. Note that the captured SAML response and the trace log contain the identity data (NameID and attributes) of the account used for the test login, so treat them as sensitive and attach them only to the ticket.
Take Screenshots of the SSO Configurations
Take a screenshot of the Single Sign-On window in Invicti Enterprise (available from the Settings menu), and another showing the corresponding configuration on the IdP side.
Capture the SAML Request and Response in the Browser
Install the add-on for your browser, then try logging in to Invicti Enterprise with SSO again so that the login exchange is captured.
- For Firefox, SAML-tracer https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/reviews/
- For Chrome, SAML Chrome Panel https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en
Save (export) all the captured requests and responses. The SAMLResponse can only be read in the browser if the IdP does not encrypt the assertion; if it does, the server-side trace log described in the next section is the only place to inspect it.
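The following is an added example (not Invicti's or ComponentSpace's code) of what to do with an export once you have it: it decodes the SAMLRequest and SAMLResponse parameter values the way SAML-tracer and SAML Chrome Panel show them (base64 for the HTTP-POST binding, URL-encoded base64 of a raw DEFLATE stream for the HTTP-Redirect binding) and lists the fields Support compares against the SSO configuration: status, Destination versus the ACS URL, Audience versus the service provider entity ID, NameID, validity window and attributes. The sample messages and the hosts invicti.example and idp.example are constructed placeholders; the script reports whether a signature is present but does not verify it.

```python
# Added example, not Invicti's or ComponentSpace's code: decode the SAMLRequest /
# SAMLResponse values exported from SAML-tracer or SAML Chrome Panel and compare the
# response with the SP configuration. Signatures are reported as present, not verified.
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def decode_saml_param(value):
    """HTTP-POST carries base64(XML); HTTP-Redirect carries urlencode(base64(raw-DEFLATE(XML)))."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    if raw.lstrip().startswith(b"<"):  # plain XML: POST binding
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE, no zlib header

def parse_ts(value):
    """SAML timestamps are ISO 8601 in UTC, e.g. 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize_response(xml_text):
    """Pull the response fields that most often explain a failed SSO login."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    out = {"status": code.get("Value") if code is not None else None,
           "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
           "destination": root.get("Destination"),
           "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
           "signed": root.find(".//ds:Signature", NS) is not None,
           "name_id": None, "name_id_format": None, "audience": None,
           "not_before": None, "not_on_or_after": None, "attributes": {}}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # encrypted or missing: only the server-side trace log can show it
        return out
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        out["name_id"], out["name_id_format"] = (name_id.text or "").strip(), name_id.get("Format")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        out["not_before"], out["not_on_or_after"] = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        out["audience"] = (cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) or "").strip() or None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        out["attributes"][attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return out

def check_response(summary, expected_acs, expected_audience, now, skew_seconds=180):
    """Compare a response summary with the SP's ACS URL and entity ID at time `now` (aware UTC)."""
    problems = []
    if summary["status"] != SUCCESS:
        problems.append(f"IdP returned status {summary['status']}")
    if summary["encrypted"]:
        return problems + ["assertion is encrypted; inspect it from the server-side trace log"]
    if summary["destination"] != expected_acs:
        problems.append(f"Destination {summary['destination']} != ACS URL {expected_acs}")
    if summary["audience"] != expected_audience:
        problems.append(f"Audience {summary['audience']} != SP entity ID {expected_audience}")
    if not summary["name_id"]:
        problems.append("no NameID in the assertion; check the IdP's name ID / claim mapping")
    skew = timedelta(seconds=skew_seconds)  # tolerate small IdP/SP clock differences
    if summary["not_before"] and now < parse_ts(summary["not_before"]) - skew:
        problems.append("assertion not yet valid: IdP clock ahead of the SP clock")
    if summary["not_on_or_after"] and now >= parse_ts(summary["not_on_or_after"]) + skew:
        problems.append("assertion expired: replayed capture, or SP clock behind the IdP")
    return problems

def encode_redirect(xml_text):
    """Produce a Redirect-binding value, the form SAML-tracer shows for an AuthnRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")

# Constructed sample messages. invicti.example and idp.example are placeholder hosts.
SAMPLE_REQUEST_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                      'ID="_q1" Version="2.0" IssueInstant="2024-05-01T09:59:58Z" '
                      'Destination="https://idp.example/sso" '
                      'AssertionConsumerServiceURL="https://invicti.example/sso/acs"/>')
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2024-05-01T10:00:00Z" Destination="https://invicti.example/sso/acs">'
    '<saml:Issuer>https://idp.example/metadata</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">'
    '<saml:Issuer>https://idp.example/metadata</saml:Issuer>'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'alice@example.com</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://invicti.example</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '<saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>'
    'alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '</saml:Assertion></samlp:Response>')
SAMPLE_REQUEST_PARAM = encode_redirect(SAMPLE_REQUEST_XML)  # as seen in a Redirect-binding URL
SAMPLE_RESPONSE_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()  # as POSTed to the ACS
```

Paste the parameter value from the export into decode_saml_param, then run summarize_response and check_response with your own ACS URL and entity ID (taken from the Single Sign-On window) and the time the capture was made. A non-empty list of findings usually points straight at the misconfiguration; an empty list with a failed login means the problem is on the server side and the trace log is needed.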
Generate a Trace Log on the Invicti Enterprise WebApp
These are the steps required to generate a trace log.
Configure SAML Trace
Update the application's web.config file to include a <system.diagnostics> section as shown in the sample configuration below.
<system.diagnostics>
  <trace autoflush="true">
    <listeners>
      <add name="TextWriter"/>
    </listeners>
  </trace>
  <sources>
    <source name="ComponentSpace.SAML2" switchValue="Verbose">
      <listeners>
        <add name="TextWriter"/>
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="TextWriter"
         type="System.Diagnostics.TextWriterTraceListener"
         initializeData="c:\temp\logs\SAML\idp.log"/>
  </sharedListeners>
</system.diagnostics>
Create a Log Directory
The directory named in the initializeData attribute above must exist before the listener can create the log file; in this example, c:\temp\logs\SAML must exist for idp.log to be written. Any valid directory path may be specified.
Any log file name may be specified as well. Conventionally, idp.log is used when the application acts as an identity provider and sp.log when it acts as a service provider.
Set File Permissions
The account running the web application must have Write permission on the log directory. For example, grant the IIS_IUSRS group, or the specific application pool identity (IIS AppPool\<pool name>), Write permission on c:\temp\logs\SAML.
Alternatively, in a development environment, you may give the Everyone group Write permission on the directory. This should not be done in a production environment. In either case, remove the <system.diagnostics> section (or set switchValue to Off) once troubleshooting is complete: a Verbose trace records the SAML messages the application exchanges, including the assertions.
Confirm the SAML Trace is Enabled
If the SAML trace is correctly configured, the log file should contain entries similar to the example below, which was produced by the ComponentSpace example identity provider, so the paths, entity IDs and certificate names will differ from yours. The first entry indicates the version and license type, and the last confirms that the SAML configuration was loaded.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: ComponentSpace.SAML2, Version=2.5.0.12, Culture=neutral, PublicKeyToken=7c51d97b3a0a8ff9 (retail license).
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: Loading the SAML configuration file C:\Componentspace\Products\SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider\saml.config.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The local identity provider is urn:componentspace:ExampleIdentityProvider.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider urn:componentspace:ExampleServiceProvider has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider urn:componentspace:MvcExampleServiceProvider has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider http://adfs.test/adfs/services/trust has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider urn:federation:MicrosoftOnline has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider google.com has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider https://saml.salesforce.com has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider https://sp.testshib.org/shibboleth-sp has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: Loading the X.509 certificate from the file C:\Componentspace\Products\SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider\idp.pfx.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The X.509 certificate CN=www.idp.com has been loaded.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: Loading the X.509 certificate from the file C:\Componentspace\Products\SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider\sp.cer.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The X.509 certificate CN=www.sp.com has been loaded.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: Loading the X.509 certificate from the file C:\Componentspace\Products\SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider\sp.cer.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The X.509 certificate CN=www.sp.com has been loaded.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: SAML configuration changes in the directory C:\Componentspace\Products\SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider are being monitored.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The SAML configuration has been successfully loaded.
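The procedure above has four points at which it commonly goes wrong: a listener name in the source that does not match the sharedListeners entry, a switchValue other than Verbose, a log directory that does not exist or is not writable, and a log that never shows the version line. The following added example (not Invicti's or ComponentSpace's code) checks each of them: it walks the source -> listener -> sharedListener -> file chain in a web.config, checks the log directory, and parses the resulting log for the two lines that prove the trace is active. The inputs are the page's own sample configuration, a deliberately broken variant, and two lines from the sample log plus one constructed Error entry.

```python
# Added example, not Invicti's or ComponentSpace's code: a preflight for the trace setup
# above. It checks the <system.diagnostics> wiring in web.config, that the log directory
# exists and is writable, and that the resulting log shows the trace is active.
import os
import re
import xml.etree.ElementTree as ET

SAML_SOURCE = "ComponentSpace.SAML2"
# TextWriterTraceListener line shape: "<source> <level>: <id> : <time>: <message>"
# (the time format follows the server locale; the regex accepts 12- and 24-hour forms)
LOG_LINE = re.compile(r"^(?P<source>\S+) (?P<level>\w+): (?P<id>\d+) : (?P<time>[\d:]+(?: [AP]M)?): (?P<msg>.*)$")

def validate_trace_config(web_config_xml):
    """Follow the chain source -> listener name -> sharedListener -> file; return log path and problems."""
    root = ET.fromstring(web_config_xml)
    diag = root if root.tag == "system.diagnostics" else root.find(".//system.diagnostics")
    if diag is None:
        return {"log_path": None, "problems": ["no <system.diagnostics> section in web.config"]}
    problems, log_path = [], None
    trace = diag.find("trace")
    if trace is None or trace.get("autoflush", "false").lower() != "true":
        problems.append('<trace autoflush="true"> is missing; entries may stay buffered')
    source = diag.find(f"sources/source[@name='{SAML_SOURCE}']")
    if source is None:
        return {"log_path": None, "problems": problems + [f'no <source name="{SAML_SOURCE}">']}
    if source.get("switchValue") != "Verbose":
        problems.append(f"switchValue is {source.get('switchValue')!r}, expected 'Verbose'")
    shared = {l.get("name"): l for l in diag.findall("sharedListeners/add")}
    for listener in source.findall("listeners/add"):
        name = listener.get("name")
        if name not in shared:
            problems.append(f"source listener {name!r} has no <sharedListeners> entry")
        elif "TextWriterTraceListener" not in (shared[name].get("type") or ""):
            problems.append(f"listener {name!r} is not a TextWriterTraceListener")
        else:
            log_path = shared[name].get("initializeData")
    if log_path is None and not problems:
        problems.append("no file listener is attached to the SAML source")
    return {"log_path": log_path, "problems": problems}

def check_log_directory(log_path):
    """The directory must exist before the listener can create the file. os.access tests the
    account running this script, so run it as the application pool identity (or check the ACL)."""
    directory = os.path.dirname(log_path) or "."
    if not os.path.isdir(directory):
        return [f"log directory {directory!r} does not exist; create it first"]
    if not os.access(directory, os.W_OK):
        return [f"log directory {directory!r} is not writable"]
    return []

def confirm_trace(log_text):
    """The version line proves the trace is on; 'successfully loaded' proves saml.config parsed."""
    entries = [m.groupdict() for m in map(LOG_LINE.match, log_text.splitlines()) if m]
    saml = [e for e in entries if e["source"] == SAML_SOURCE]
    return {"active": any("Version=" in e["msg"] for e in saml),
            "config_loaded": any("successfully loaded" in e["msg"] for e in saml),
            "errors": [e["msg"] for e in saml if e["level"] in ("Critical", "Error", "Warning")]}

# The page's sample configuration, and a constructed broken variant with two common slips
# (wrong switchValue, and a sharedListeners name that does not match the source's listener).
PAGE_CONFIG = """<system.diagnostics>
  <trace autoflush="true"><listeners><add name="TextWriter"/></listeners></trace>
  <sources>
    <source name="ComponentSpace.SAML2" switchValue="Verbose">
      <listeners><add name="TextWriter"/></listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="TextWriter" type="System.Diagnostics.TextWriterTraceListener"
         initializeData="c:\\temp\\logs\\SAML\\idp.log"/>
  </sharedListeners>
</system.diagnostics>"""
BROKEN_CONFIG = (PAGE_CONFIG.replace('switchValue="Verbose"', 'switchValue="Information"')
                            .replace('<add name="TextWriter" type', '<add name="FileWriter" type'))
# Two lines from the page's sample log plus a constructed Error entry.
SAMPLE_LOG = """ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: ComponentSpace.SAML2, Version=2.5.0.12, Culture=neutral, PublicKeyToken=7c51d97b3a0a8ff9 (retail license).
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The SAML configuration has been successfully loaded.
ComponentSpace.SAML2 Error: 0 : 5:36:10 PM: (constructed) The X.509 certificate file sp.cer could not be loaded.
"""
```

Run validate_trace_config on the real web.config first; only when it returns no problems is it worth checking the directory and the log. If confirm_trace reports active but not config_loaded, or lists errors, those lines are exactly what to include in the ticket.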