Introduction

This page identifies and provides solutions for common SAML issues as well as providing a list of online, third-party utilities that are useful tools when configuring and troubleshooting SAML connections.

Invalid/Unknown Audience

This occurs when the SP (Service Provider) can't locate a particular audience in the Assertion. Either the SP is only evaluating the first audience in a list, or the expected audience is missing. The solution is either deleting the currently-defined audience and replacing it with the expected value or simply adding the expected audience to the list.

Invalid Entity-ID

This should be one of two things:

1. The value for “Issuer” in the HelloID SAML app’s “Configuration” tab is incorrect and needs to be changed to the correct Entity ID.
2. The SP’s configuration is incorrect and needs to be changed to match the “entityID” value in the HelloID SAML app’s metadata.

A Selection of Tools

1. SAML Message Decoder - this tool collects SAML messages while you browse allowing you to easily reference the most recent messages.
   1. Chrome extension
   2. Firefox extension
2. SAML Tracer - another simple tool for viewing and troubleshooting SAML messages in a web browser.
   1. Chrome extension
   2. Firefox extension
3. SAML Tools - a site containing a variety of useful SAML utilities.
   1. Validate Response (very helpful)
   2. Encode/Decode SAML
   3. Encrypt/Decrypt SAML
   4. Attribute Extractor
4. Capture and decode SAML token data when using Microsoft Edge or IE - this Microsoft Tech Community article was written for when using an IDP with Microsoft Sharepoint, however, the same steps also apply when testing SAML connections in HelloID with Edge or IE.
5. RSA SAML SP Test - this site is an SP meant to be used while testing IDP configurations.