Skip to main content
Sign in

Cloud Streaming - Azure SAML V2 Troubleshooting

Dwaine Webb
  • Updated

Microsoft Permissions Error

Issue: User is presented with a message from Microsoft that they do not have access to the application.

Resolution: Confirm users/groups have been provided the appropriate access

  1. Sign into the Azure Portal
  2. Navigate to Enterprise Applications
  3. Select the Swank SAML Application
  4. Navigate to Manage > Users and groups
  6. Select Add user/group
  8. Select the appropriate user/group and click Assign.   These will be authorized users for the application. ​
     

You do not have access to the page you requested.

Issue: Login results in a "You do not have access to the page you requested." message.

Resolution: Your portal is configured to authenticate users at the Basic level by default. The Basic role will only have access to direct watch links provided by an instructor. Anything accessed outside of direct links will result in the unauthorized access page. If the account experiencing the issue needs to be mapped to an Admin or Instructor role you can refer to steps starting around 2.5 in the document linked here: 

Certificate Error

Issue: Issues presented during SAML authentication that are related to the SAML certificate may be an indicator that the expiration date has passed. You may be presented with an error as shown in the image below that states "Error: malformed_certificate. Error while signing data with certificate" or "The SAML response signature failed to verify."

Resolution: The SAML certificate will need to be updated periodically.

  1. Generate New Certificate/Export New Metadata File From Azure
    1. If you are unfamiliar with how to create a new certificate in Azure you can refer to Microsoft's documentation here:
    2. Once you have generated a new certificate, navigate to Azure Active Directory / Enterprise Applications
    3. Select the Swank App
    4. Under Properties select Single sign-on
    5. Download Federation Metadata XML File 
  2. Import New Metadata
    • You can import metadata from your identity provider (which will include a new certificate) into the Swank streaming portal. This is used to verify the identity provider during the SAML login process. 
    1. Log Into your Digital Campus portal and select the Admin section (e.g.: https://digitalcampus.swankmp.net/[your site ID]/admin )
    2. Select Authentication/SAML Settings in the left menu
      mceclip4.png
      1. Ensure you are in the basic view by toggling the switch in the upper left to the off position
        • mceclip0.png
    3. Locate the IdP Metadata XML file from your IDP
    4. Click Import Identity Provider Settings
      mceclip5.png
      • In the Load External Identity Provider Settings pop up window, click Select and navigate to the IdP Metadata XML file.
        • Note: The EntityID (optional) field is only needed if the IdP XML contains multiple EntityIDs. This is not common
        • mceclip6.png
        • Click Save
    5. Once you have imported the new metadata file, you can refresh the page and perform a Test SAML Login (Step 5).
      • Note, you may need to clear your recent browsing history (24hrs) if you have recently logged into this machine.
  2. Cleanup: Once you have confirmed the new cert is in place and working correctly the old certificate can be removed under Authentication > SAML Settings > Advanced > Certificates. Please be aware it may take up to 24 hours for the new certificate to be available for use by your SAML applications
      • mceclip2.png

 

SAML Tracer

You might want to utilize a browser plugin called SAML-tracer in order to determine where the sign-in process is breaking down.

 

For Chrome and other Chrome based browsers 

  1. On your computer, open Chrome.
  2. At the top right, select Extensions 
  3. Search for SAML-tracer and add it to your browser
    • Note, if you have security concerns about the plugin, you can choose which permissions to give the extension:
      • Select Extensions from your browser
      • Select the three dots (More)
      • Mouseover "This can read and change site data." 
      • Decide which permission to give the extension:
        • When you select the extension: This setting only allows the extension to access the current site in the open tab or window when you select the extension. If you close the tab or window, you’ll have to select the extension to turn it on again.
        • On [current site]: Allow the extension to automatically read and change data on the current site.
        • On all sites: Allow the extension to automatically read and change data on all sites.

 Safari

Safari doesn't have a SAML tracer extension, but you can use Safari's developer tools to capture a SAML trace:

  1. Open Safari and select Settings
  2. Click Advanced
  3. Check the box next to Show Developer menu in menu bar
  4. Click Develop and then Show Web Inspector
  5. Select the Network tab
  6. Click the circle with three lines icon and select Preserve Log
  7. Go to the Admin Portal and select Single sign-on
  8. Enter your email address and click Submit
  9. Click the row, then select Headers
  10. Scroll down to Request Data, then copy and paste the information into a text file 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk