Confirm Google App Configuration
Issue: SAML request/response returns an unexplained error.
Resolution: From the Google Workspace account, go to Apps / Web and mobile apps and select the Swank application. Make sure the following information has been entered with no trailing spaces or forward slashes, and that Signed response is checked.
- ACS URL = https://digitalcampus.swankmp.net/saml/ReceiveSingleSignOn
- Entity ID = https://digitalcampus.swankmp.net
Google Permissions Error
Issue: Google returns the error "Error: app_not_enabled_for_user Service is not enabled for this user."
Resolution: Make sure user access has been enabled for the appropriate group(s).
- You can modify access to the service through Google Workspace. From Apps > Web and mobile apps, click on the Swank streaming app that was previously configured. Click the link under View Details shown below. (It might say "On for everyone" or "On for X number of organizational units" depending on how it is currently configured.)
- From here you can edit the access to individual groups within your hierarchy. We recommend turning On for everyone to start with and then scaling back if necessary.
You do not have access to the page you requested.
Issue: Login results in a "You do not have access to the page you requested." message.
Resolution: Your portal is configured to authenticate users at the Basic level by default. The Basic role will only have access to direct watch links provided by an instructor. Anything accessed outside of direct links will result in the unauthorized access page. If the account experiencing the issue needs to be mapped to an Admin or Instructor role you can refer to steps starting around 2.5 in the document linked here:
Certificate Error
Issue: Errors during SAML authentication that relate to the SAML certificate may indicate that its expiration date has passed. You may be presented with an error as shown in the image below that states "Error: malformed_certificate. Error while signing data with certificate" or "The SAML response signature failed to verify."
Resolution: The SAML certificate will need to be updated periodically.
Export New Metadata from Google
- Sign in to the Google Admin Console (admin.google.com)
- Navigate to Apps / Web and mobile apps
- Select the Swank/Digital Campus SAML App
- Under the Service provider details you should see a certificate with a valid expiration date. If the date has passed, you will need to generate a new certificate.
- To generate a new cert, click on Service provider details
- Click Manage certificates
- Click Add Certificate (you can also delete the expired certificate from here by clicking the Trash Can Icon)
- Close the SAML certificate screen
- In the Certificate field, make sure the new certificate is selected
- Click Download Metadata
Import New Metadata
- You can import metadata from your identity provider (which will include a new certificate) into the Swank streaming portal. This is used to verify the identity provider during the SAML login process.
- Log into your Digital Campus portal and select the Admin section (e.g.: https://digitalcampus.swankmp.net/[your site ID]/admin )
- Select Authentication/SAML Settings from the left-hand side menu.
- Ensure you are in the basic view by toggling the switch in the upper left to the off position
- Locate the IdP Metadata XML file from your IdP.
- Click Import Identity Provider Settings
- In the Load External Identity Provider Settings pop up window, click Select and navigate to the IdP Metadata XML file.
Note: The EntityID (optional) field is only needed if the IdP XML contains multiple EntityIDs. This is not common.
- Click Save
Once you have imported the new metadata file, you can refresh the page and perform a Test SAML Login (Step 5).
- Note: you may need to clear your recent browsing history (24 hours) if you have recently logged into this machine.
Clean up: Once you have confirmed the new cert is in place and working correctly, the old certificate can be removed under Authentication > SAML Settings > Advanced > Certificates. Please be aware it may take up to 24 hours for the new certificate to be available for use by your SAML applications.