Cloud Streaming - ClassLink SAML V2 Troubleshooting

Confirm ClassLink App Configuration

Issue: SAML request/response returns an unexplained error.

Resolution: Review the following guide to ensure that your ClassLink SAML configuration is correct: ClassLink SAML V2 Setup Guide – Swank Motion Pictures, Inc.

Note: Changes made in ClassLink may not be reflected in your streaming portal until you refresh your page or clear your recent history. 

ClassLink Permissions Error

Issue: Message is returned from ClassLink "Permission Denied"

Resolution: Make sure user access has been enabled for the appropriate group(s). You can modify access to the service through the ClassLink Management Console. Make sure SAML is the selected type for your ClassLink App and click the Assign button to Add the appropriate groups. This is described in Step 1.3 in the ClassLink SAML V2 Setup Guide.
 

You do not have access to the page you requested.

Issue: Login results in a "You do not have access to the page you requested." message.

Resolution: Your portal is configured to authenticate users at the Basic level by default. The Basic role will only have access to direct watch links provided by an instructor. Anything accessed outside of direct links will result in the unauthorized access page. If the account experiencing the issue needs to be mapped to an Admin or Instructor role you can refer to steps starting around 2.5 in the document linked here: 

• Configuring Swank Cloud Streaming SAML Authentication

Note: We have had a number of schools experience issues using individual role mapping with an email address. This is typically because ClassLink sends a NameID instead of the email address as the username. This can be modified by using the Metadata Override section of your ClassLink SAML app shown below.

• Metadata Overrides: Add the NameID value and use "Email" under the Metadata Overrides section.
  • 

Certificate Error

Issue: Issues presented during SAML authentication that are related to the SAML certificate may be an indicator that the expiration date has passed. You may be presented with an error as shown in the image below that states "Error: malformed_certificate. Error while signing data with certificate" or "The SAML response signature failed to verify."

Resolution: The SAML certificate will need to be updated periodically.

1. Export New Metadata from Google
   1. Navigate to ClassLink Management Console -> Single Sign-On
   2. Copy the IDP Metadata URL from ClassLink and paste it in a browser (Chrome preferably)
      • 
   3. Right click on the resulting page and select Save As.
      • 
   4. Change the Save as type to All Files (*.*) and save the document as an .xml file on your desktop or other easily accessible location. This will be used to import into the streaming portal later.
2. Import New Metadata
   1. You can import metadata from your identity provider (which will include a new certificate) into the Swank streaming portal. This is used to verify the identity provider during the SAML login process. 
      1. Log Into your Digital Campus portal and select the Admin section (e.g.: https://digitalcampus.swankmp.net/[your site ID]/admin )
      2. Select Authentication/SAML Settings from the lefthand side menu.
         • 
         • Ensure you are in the basic view by toggling the switch in the upper left to the off position
           • 
      3. Locate the IdP Metadata XML file from your IDP.
      4. Click Import Identity Provider Settings
         
         
         • In the Load External Identity Provider Settings pop up window, click Select and navigate to the IdP Metadata XML file.
           Note: The EntityID (optional) field is only needed if the IdP XML contains multiple EntityIDs. This is not common
           
      5. Click Save
      6. Once you have imported the new metadata file, you can refresh the page and perform a Test SAML Login (Step 5).
         • Note, you may need to clear your recent browsing history (24hrs) if you have recently logged into this machine.
3. Clean up: Once you have confirmed the new cert is in place and working correctly the old certificate can be removed under Authentication > SAML Settings > Advanced > Certificates. Please be aware it may take up to 24 hours for the new certificate to be available for use by your SAML applications.
   • 

SAML Tracer

You might want to utilize a browser plugin called SAML-tracer in order to determine where the sign-in process is breaking down.

For Chrome and other Chrome based browsers 

1. On your computer, open Chrome.
2. At the top right, select Extensions 
3. Search for SAML-tracer and add it to your browser
   • Note, if you have security concerns about the plugin, you can choose which permissions to give the extension:
     • Select Extensions from your browser
     • Select the three dots (More)
     • Mouseover "This can read and change site data." 
       • 

• • • Decide which permission to give the extension:
      • When you select the extension: This setting only allows the extension to access the current site in the open tab or window when you select the extension. If you close the tab or window, you’ll have to select the extension to turn it on again.
      • On [current site]: Allow the extension to automatically read and change data on the current site.
      • On all sites: Allow the extension to automatically read and change data on all sites.

 Safari

Safari doesn't have a SAML tracer extension, but you can use Safari's developer tools to capture a SAML trace:

1. Open Safari and select Settings
2. Click Advanced
3. Check the box next to Show Developer menu in menu bar
4. Click Develop and then Show Web Inspector
5. Select the Network tab
6. Click the circle with three lines icon and select Preserve Log
7. Go to the Admin Portal and select Single sign-on
8. Enter your email address and click Submit
9. Click the row, then select Headers
10. Scroll down to Request Data, then copy and paste the information into a text file