| |
| #1
|
Client faces the error message “For security reasons, the session has expired. Please relaunch the link.” |
| Solution |
This usually happens if the client has its system\server hosting the AES SSO code with different culture. Though, it can also happen if the actual time-frame has elapsed before the request reached CSOD.
The earlier issue occurs when the Timestamp value in the token does not get generated in proper format.
Expected format is: ddd, dd MMM yyyy HH:mm:ss UTC
For the later, we have to check whether the ‘timeframe’ parameter in SSO_config has been set to a reasonable value or not. The default value for AES SSO is 5 (5 minutes)
|
|
| Back to Top » |
| #2
|
After performing SSO user is not taken to the expected DEST URL which is SET in the config file of the AES code. |
| Solution |
Possible reason for this is, client must not be ENCODING the DEST URL.
It accepts the encoded URL only. They can encode the same by using tool available in the below URL.
http://meyerweb.com/eric/tools/dencoder/
|
|
| Back to Top » |
| #3
|
Error not defined. |
| Solution |
Though, there could be many possible reasons for this error, one of the most common reasons in case of AES SSO is encryption key-IV pair mismatch with the ones configured at CSOD end.
Please provide the encryption key-IV pair you are using and verify it with the one configured at CSOD end.
|
|
| Back to Top » |
| #4
|
Signature used for attempting SSO is invalid. |
| Solution |
a. Check for which OUID the SAML SSO is setup.
This is usual error seen when the SAML SSO is setup on OUID other than 1 and the client is POSTING the data on default SSO page without the OU information
i.e. https://portal.csod.com/samldefault.aspx
To resolve this, client should be posting the data to the below URL
https://portal.csod.com/samldefault.aspx?ouid=[OU value provided by the engineer]
b. Certificate configured at the CSOD end is not matching with the one client must be using. Please ask for the latest certificate that the client is using and provide the same to the CSOD engineer so that they can update it.
|
|
| Back to Top » |
| #5
|
After performing SSO, user is redirected to the Login Page. |
| Solution |
Client’s portal must be just redirecting the user to the CSOD’s samldefault.aspx page.
CSOD portal expects it with a POST request.
They need to set the IDP server properly for this.
Kindly make sure that the endpoints have been setup properly.
|
|
| Back to Top » |
| #6
|
What should be the URL used to perform SAML SSO from clients internal portal? |
| Solution |
If client is using AD FS as an IDP then below is the URL that can be used for performing SSO.
https://[IDPHost]/adfs/ls/IdpInitiatedSignon.aspx?logintoRP=[RelyingPartyIdentifier name]
|
|
| Back to Top » |
| #7
|
Users get a pop-up to enter the credentials. |
| Solution |
User will need to add the IDP URL to the trusted sites in their browser.
|
|
| Back to Top » |
| #8
|
Assertion is not being signed with desired algorithm, i.e SHA1 |
| Solution |
One of the possible reasons for this issue is the signature in the client’s certificate NOT being computed in proper way.
CSOD supports the certificate which should be computed using SHA1 algorithm only. Support for SHA-256 algorithm could be provided if required, but providing the same would require a change in code.
|
|
| Back to Top » |
| #9
|
CSOD and client timestamp are not matching. |
| Solution |
This error occurs when the server time at client side is not in sync with CSOD server time. It can also occur; if the assertion reaches CSOD end after the set time frame has elapsed.
Please verify whether their servers could be synced with CSOD servers. If not, let CSOD know about the same.
|
|
| Back to Top » |
| #10
|
Destination value in the assertion is invalid. |
| Solution |
This error occurs when the recipient or destination attribute included in SAML assertion does not match with the URL to which the assertion is posted. The recipient or destination URL should point to the below except in cases of custom solutions:
https://[clientname]-[environment].csod.com/SAMLDefault.aspx
where clientname stands for the client’s portal name and
environment stands for the environment to which the client is trying to SSO ‘stg’ for stage and pilot for pilot and nothing for production.
|
|
| Back to Top » |
| #11
|
SSO assertion is incorrectly generated |
| Solution |
Client should check their IDP server configuration for this which could be the reason for incorrect assertion.
|
|
| Back to Top » |