Confirm Google App Configuration
Issue: SAML request/response returns an unexplained error.
Resolution: From the Google Workspace account, go to Apps / Web and mobile apps and select the Swank application, make sure the following information has been entered with no trailing spaces or forward slashes and that Signed response is checked.
-
- ACS URL = https://digitalcampus.swankmp.net/saml/ReceiveSingleSignOn
- Entity ID = https://digitalcampus.swankmp.net
Google Permissions Error
Issue: Error is returned from Google "Error: app_not_enabled_for_user Service is not enabled for this user."
Resolution: Make sure user access has been enabled for the appropriate group(s).
- You can modify access to the service through Google Workspace. From Apps > Web and mobile apps you can click on the Swank streaming app that was previously configured. Click the link under View Details shown below. (It might say "On for everyone" or "On for X number of organizational units" depending on how it is currently configured.
- From here you can edit the access to individual groups within your hierarchy. We recommend turning On for everyone to start with and then scaling back if necessary.
-
You do not have access to the page you requested.
Issue: Login results in a "You do not have access to the page you requested." message.
Resolution: Your portal is configured to authenticate users at the Basic level by default. The Basic role will only have access to direct watch links provided by an instructor. Anything accessed outside of direct links will result in the unauthorized access page. If the account experiencing the issue needs to be mapped to an Admin or Instructor role you can refer to steps starting around 2.5 in the document linked here:
Certificate Error
Issue: Issues presented during SAML authentication that are related to the SAML certificate may be an indicator that the expiration date has passed. You may be presented with an error as shown in the image below that states "Error: malformed_certificate. Error while signing data with certificate" or "The SAML response signature failed to verify."
Resolution: The SAML certificate will need to be updated periodically.
-
Export New Metadata from Google
-
- Sign into the Google Admin Console (admin.google.com)
- Navigate to Apps / Web and mobile apps
- Select the Swank/Digital Campus SAML App
- Under the Service provider details you should see a certificate with a valid expiration date. If the date has passed, you will need to generate a new certificate.
- To generate a new cert, click on Service provider details
- Click Manage certificates
- Click Add Certificate (you can also delete the expired certificate from here by clicking the Trash Can Icon)
- Close the SAML certificate screen
- In the Certificate field, make sure the new certificate is selected
-
Click Download Metadata
-
-
Import New Metadata
- You can import metadata from your identity provider (which will include a new certificate) into the Swank streaming portal. This is used to verify the identity provider during the SAML login process.
- Log Into your Digital Campus portal and select the Admin section (e.g.: https://digitalcampus.swankmp.net/[your site ID]/admin )
- Select Authentication/SAML Settings from the lefthand side menu.
- Ensure you are in the basic view by toggling the switch in the upper left to the off position
- Locate the IdP Metadata XML file from your IDP.
- Click Import Identity Provider Settings
- In the Load External Identity Provider Settings pop up window, click Select and navigate to the IdP Metadata XML file.
Note: The EntityID (optional) field is only needed if the IdP XML contains multiple EntityIDs. This is not common
- In the Load External Identity Provider Settings pop up window, click Select and navigate to the IdP Metadata XML file.
- Click Save
-
Once you have imported the new metadata file, you can refresh the page and perform a Test SAML Login (Step 5).
- Note, you may need to clear your recent browsing history (24hrs) if you have recently logged into this machine.
- You can import metadata from your identity provider (which will include a new certificate) into the Swank streaming portal. This is used to verify the identity provider during the SAML login process.
-
Clean up: Once you have confirmed the new cert is in place and working correctly the old certificate can be removed under Authentication > SAML Settings > Advanced > Certificates. Please be aware it may take up to 24 hours for the new certificate to be available for use by your SAML applications.
SAML Tracer
You might want to utilize a browser plugin called SAML-tracer in order to determine where the sign-in process is breaking down.
For Chrome and other Chrome based browsers
- On your computer, open Chrome.
- At the top right, select Extensions
-
Search for SAML-tracer and add it to your browser
-
Note, if you have security concerns about the plugin, you can choose which permissions to give the extension:
- Select Extensions from your browser
- Select the three dots (More)
-
Mouseover "This can read and change site data."
-
Note, if you have security concerns about the plugin, you can choose which permissions to give the extension:
-
-
-
Decide which permission to give the extension:
- When you select the extension: This setting only allows the extension to access the current site in the open tab or window when you select the extension. If you close the tab or window, you’ll have to select the extension to turn it on again.
- On [current site]: Allow the extension to automatically read and change data on the current site.
- On all sites: Allow the extension to automatically read and change data on all sites.
-
Decide which permission to give the extension:
-
Safari
Safari doesn't have a SAML tracer extension, but you can use Safari's developer tools to capture a SAML trace:
Comments
0 comments
Please sign in to leave a comment.