Open [SapphireIMS Installed Path]/WebManagement/standalone/log/Server.log in a text editor and look for the error messages below; each is followed by the steps to resolve it.

- Error: Response issue time is either too old or with date in the future
  Solution: Change the clock skew value in the Identity Provider configuration.

- Error: NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration
  Solution: Change the Outgoing claim type to Name ID on the AD FS server/IDP server.

- Error: Signature validation failed
  Solution:
  a. Open the federationmetadata.xml in a browser.
  b. Copy the green highlighted content, as shown in the image below, into a file named e.g. "signingkey.cer".
  c. Open the signingkey.cer file created in the previous step.
  d. Navigate to Details and click "Copy to File".
  e. Open the file created in step d with a text editor.
  f. Copy its content and paste it into the Identity Provider configuration.

- Error: InResponseToField of the Response doesn't correspond to sent message
  Solution I: Check whether the SameSite cookie is enabled in the SapphireIMS application; if it is, remove the SameSite cookie configuration and restart the SapphireIMS service.
  Solution II: If the SameSite cookie is enabled, change its value to "None;Secure" instead.
  Reference links:
  a. cookies - SameSite attribute break SAML flow - Stack Overflow
  b. FAQ: How Chrome 80 Update for "SameSite by default" Potentially Impacts Your Okta Environment
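An added example (not SapphireIMS code) that reproduces offline the conditions behind the clock-skew, NameID and InResponseTo errors above, using a constructed sample SAML Response; the IdP URL, user and request IDs are hypothetical, and signature validation is left out because it needs an XML-DSig library and the IdP certificate:

```python
# Added example (not SapphireIMS code): offline pre-checks of a SAML 2.0 Response
# for the conditions behind three of the Server.log errors above. Signature
# validation is not covered; it needs an XML-DSig library and the IdP certificate.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (hypothetical IdP/user values, not from a real system).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req42">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
# Same response with the NameID removed, to reproduce the second error.
NO_NAMEID_RESPONSE = SAMPLE_RESPONSE.replace(
    "<saml:NameID>alice@example.test</saml:NameID>", "")
NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed "current time"
ONE_HOUR_LATER = NOW + timedelta(hours=1)

def check_response(xml_text, sent_request_id, now, skew=timedelta(minutes=2)):
    """Return the list of problems found (empty list = all three checks passed).
    sent_request_id is the ID of the AuthnRequest the SP remembered sending;
    None means no request ID is on hand, as when the session cookie was dropped."""
    root = ET.fromstring(xml_text)
    problems = []
    # 1. IssueInstant must fall within the configured clock skew around "now".
    issued = datetime.fromisoformat(root.get("IssueInstant").replace("Z", "+00:00"))
    if abs(now - issued) > skew:
        problems.append("Response issue time is either too old or with date in the future")
    # 2. The Assertion's Subject must carry a NameID (AD FS: outgoing claim type Name ID).
    if root.find("saml:Assertion/saml:Subject/saml:NameID", NS) is None:
        problems.append("NameID element must be present as part of the Subject")
    # 3. InResponseTo must echo the request ID the SP sent. If the SP lost that ID
    #    (e.g. the SameSite cookie holding it was not sent back), the check fails too.
    if root.get("InResponseTo") != sent_request_id:
        problems.append("InResponseToField of the Response doesn't correspond to sent message")
    return problems

if __name__ == "__main__":
    for label, xml, req in [("good", SAMPLE_RESPONSE, "_req42"),
                            ("no NameID", NO_NAMEID_RESPONSE, "_req42"),
                            ("cookie dropped", SAMPLE_RESPONSE, None)]:
        print(label, "->", check_response(xml, req, NOW) or "OK")
```

Raising the skew argument corresponds to raising the clock skew value in the Identity Provider configuration; an IdP-initiated response with no InResponseTo and no remembered request ID passes check 3.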