Troubleshooting SAML connections
There are some common issues and errors that can occur when connecting a SAML identity provider to PE, such as failed redirects, rejected communications, and failed group binding.
Failed redirects
Redirects fail (with a 404 error code) when there are mismatched URLs between PE and the identity provider. Depending on where the redirect occurs, there are two possible ways to fix this:
- If the redirect fails when going from the identity provider to PE, fix the mismatched URLs in your identity provider's SAML configuration.
- If the redirect fails when going from PE to the identity provider, fix the mismatched URLs in your PE SAML configuration.
Rejected communication requests
If PE or the identity provider rejects communications or returns an error, check the console-services.log file (located at /var/log/puppetlabs/console-services/console-services.log) for details about the communication failure.
Usually, this means there are mismatched certificates for PE and the identity provider, and that you need to reconfigure the certificates.
Failed user-group binding
If users aren't binding to their assigned groups, or if user permissions are missing, make sure:
- There isn't a mismatch in attribute bindings. Check the attribute binding values in your identity provider and PE SAML configurations. If unknown attributes appear in output logs at the debug level, this can be an indication of mismatched attribute bindings.
- The group export is correct in your identity provider's configuration.
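All three failure classes above come down to the two sides of the SAML trust disagreeing about a value: a URL (failed redirects), a certificate (rejected communications) or an attribute name (failed group binding). The following script, added here as an illustration and not part of Puppet Enterprise or its documentation, parses a standard SAML 2.0 IdP metadata document and cross-checks it against a hypothetical dict of service-provider settings plus the list of attribute names the IdP actually asserted. The metadata document, the `SP_SETTINGS` keys, the stand-in certificate bytes and the `ASSERTED_ATTRIBUTES` list are all constructed for the example; the settings deliberately contain one error of each kind so every finding type is exercised.

```python
"""Cross-check service-provider (SP) SAML settings against the identity
provider's (IdP) metadata and the attributes it actually asserts.

Added example for the troubleshooting steps above; not Puppet Enterprise code.
The metadata, SP settings and asserted-attribute list are constructed inline.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for a certificate; real metadata carries DER bytes in base64.
FAKE_CERT_DER = b"constructed-idp-signing-certificate-bytes"

# Constructed IdP metadata in the standard EntityDescriptor layout.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Hypothetical SP-side settings (keys invented for this example), carrying one
# error of each kind discussed above: a wrong SSO URL (redirect 404), a stale
# certificate fingerprint (rejected communication), and a group attribute the
# IdP never sends (failed group binding).
SP_SETTINGS = {
    "idp_entity_id": "https://idp.example.test/saml",
    "idp_sso_url": "https://idp.example.test/sso/login",
    "idp_cert_sha256": "00" * 32,
    "attribute_bindings": {"user": "email", "groups": "memberOf"},
}

# Attribute names the IdP actually asserted (constructed; in practice taken
# from a debug-level log or a decoded SAMLResponse).
ASSERTED_ATTRIBUTES = ["email", "groups"]


def parse_idp_metadata(xml_text):
    """Extract entityID, HTTP-Redirect SSO URL and signing-cert SHA-256 from metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT:
            sso_url = sso.get("Location")
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert_b64 = key.find(".//ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert_b64.split()))  # metadata often line-wraps the base64
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "cert_sha256": hashlib.sha256(der).hexdigest(),
    }


def check_saml_config(sp, idp_meta, asserted_attrs):
    """Return (field, sp_value, idp_value) tuples for every disagreement; empty means consistent."""
    findings = []
    if sp["idp_entity_id"] != idp_meta["entity_id"]:
        findings.append(("entity_id", sp["idp_entity_id"], idp_meta["entity_id"]))
    if sp["idp_sso_url"] != idp_meta["sso_url"]:
        findings.append(("sso_url", sp["idp_sso_url"], idp_meta["sso_url"]))
    if sp["idp_cert_sha256"].lower() != idp_meta["cert_sha256"]:
        findings.append(("cert_sha256", sp["idp_cert_sha256"], idp_meta["cert_sha256"]))
    # Every attribute the SP binds a role to must actually be present in the assertion.
    for role, attr in sp["attribute_bindings"].items():
        if attr not in asserted_attrs:
            findings.append((f"attribute:{role}", attr, list(asserted_attrs)))
    return findings


def main():
    meta = parse_idp_metadata(IDP_METADATA)
    for field, sp_value, idp_value in check_saml_config(SP_SETTINGS, meta, ASSERTED_ATTRIBUTES):
        print(f"MISMATCH {field}: SP has {sp_value!r}, IdP has {idp_value!r}")


if __name__ == "__main__":
    main()
```

The fingerprint comparison only tells you whether both sides hold the same certificate bytes, which is the mismatch the "rejected communication" section points at; it says nothing about validity or expiry. Run with the real IdP metadata and the values from your own SP configuration, and each printed line maps directly onto one of the three sections above.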