If you enable SSO but then can't log in using SSO, you can use the local login to regain access. This is only available to users with the Tenant admin user role. See our knowledge base article, Rescue URL for tenant administrators.
If you use SAML to authenticate and authorize users, you can add the identity provider (IdP) URL and upload the required certificates and keys.
Troubleshooting
Applaud does not require signing, encryption, or decryption of SAML requests and responses. However, Applaud supports these options if you configure them correctly in your IdP.
The following errors may occur if your IdP is not configured correctly:
Invalid signature
- Cause: The SAML assertion signature is not configured properly.
- Fix: In your IdP, make sure at least one of the response or assertion signatures is set to Signed. Alternatively, disable signature verification.
Invalid signature from encrypted assertion
- Cause: The wrong certificate is used to verify the SAML assertion signature.
- Fix: Use the certificate provided by your IdP, typically an X.509 certificate.
No decryption key for the encrypted SAML response
- Cause: The decryption key is missing for an encrypted response.
- Fix: Use the correct private key that matches the certificate used by your IdP to encrypt the response.
Example IdP encryption setup:
- Assertion encryption: "Encrypted"
- Encryption certificate: server.crt (CN=O=Internet Widgits Pty Ltd, ST=Some-State, C=IN)
- Encryption algorithm: "AES128_CBC"
- Key transport algorithm: "RSA_15"
In this case, the public certificate server.crt is uploaded in the IdP to encrypt the response. You must use the corresponding private key to decrypt it.
The encryption block is invalid
- Cause: A mismatched or incorrect certificate is used for decryption, or the encrypted block was modified.
- Fix: Make sure you use the correct private key. If the issue persists, check that the response was not altered.
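To tell which of the signature and encryption errors above applies, inspect what the IdP actually sent. The following is an added example, not Applaud's code: it decodes a captured SAMLResponse form value and reports what is signed and encrypted. The function name, the constructed sample, and the mapping of the IdP labels AES128_CBC and RSA_15 to the standard XML Encryption URIs are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}

def _alg(parent, path):
    node = parent.find(path, NS)
    return None if node is None else node.get("Algorithm")

def inspect_saml_response(b64_response):
    """Summarise what the IdP signed and encrypted in a base64 SAMLResponse value."""
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("SAML response contains a DTD; refusing to parse it")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("top-level element is not samlp:Response")
    plain = root.find("saml:Assertion", NS)
    enc = root.find("saml:EncryptedAssertion", NS)
    report = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        # An assertion signature inside ciphertext cannot be seen before decryption.
        "assertion_signed": None if plain is None else plain.find("ds:Signature", NS) is not None,
        "assertion_encrypted": enc is not None,
        "data_encryption": None, "key_transport": None, "hints": [],
    }
    if enc is not None:
        report["data_encryption"] = _alg(enc, "xenc:EncryptedData/xenc:EncryptionMethod")
        report["key_transport"] = _alg(enc, ".//xenc:EncryptedKey/xenc:EncryptionMethod")
        report["hints"].append("encrypted assertion: SP needs the private key matching the IdP's encryption certificate")
    if not report["response_signed"] and not report["assertion_signed"] and enc is None:
        report["hints"].append("nothing signed: set response or assertion signature to Signed in the IdP")
    return report

# Constructed sample (not real IdP output): unsigned response, encrypted assertion,
# using the xmlenc URIs that AES128_CBC and RSA_15 are assumed to map to.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:EncryptedAssertion><xenc:EncryptedData>
 <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
 <ds:KeyInfo><xenc:EncryptedKey>
 <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
 </xenc:EncryptedKey></ds:KeyInfo></xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>""").decode()

if __name__ == "__main__":
    for key, value in inspect_saml_response(SAMPLE).items():
        print(f"{key}: {value}")
```

An `assertion_signed` value of `None` means the assertion is encrypted, so its signature can only be checked after decryption with the matching private key.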
Azure error – AADSTS75011
- Cause: Azure AD SSO is configured with the optional value RequestedAuthnContext.
- Fix: Remove this optional value by clearing the corresponding option in the Settings page of your Applaud platform. Read more about this error in Microsoft's help article, Authentication method mismatch.