Security | Integration | SAML

This section offers solutions to issues administrator users face in the Platform Management Dashboard | Security tab.

This tab is mainly used for SAML Integration using authentication delegation to enable SSO in the 3DEXPERIENCE Platform.

 


 

Common Issues

 

Blank page when setting up Passport Authentication Delegation

Cause: 

  • It means SAML federation was enabled on your platform without completing the full SAML Authentication Delegation setup.
    This option can only be enabled by an administrator of the platform.
     

Resolution: 

  • Follow the instructions detailed in the article below to Disable SAML SP Federation
QA00000334441 :  Disable Passport Authentication Delegation 
Link :  https://support.3ds.com/knowledge-base/?q=docid:QA00000334441 

 

Downloading an empty file when logging in with Authentication Delegation

Probable Cause: 

  • It usually means that your SAML Authentication Delegation setup is incomplete or incorrect: the IdP does not know how to communicate the SAMLResponse back to 3DPassport.

 

Probable Solution 

Follow the instructions detailed in QA00000305710, and make sure your SAML setup is complete.

Pay close attention to the following possible causes:

  • The attributes email and/or username are not provided in the SAML Response. Check that:

    • the attribute is valued on the IdP;

    • the attributes defined in your IdP have the same name, with the same case, as the field declared in 3DPassport.

  • The ACS (Assertion Consumer Service) URL is not correctly set up.

 

Error: Federated Identity cannot be authenticated: email attribute is missing

Probable Cause: 

  • This error message generally means that 3DPassport did not receive any email attribute value or none that 3DPassport could interpret.

 

Probable Solution: 

  1. Update your IdP configuration so that the attributes defined in your IdP have the same name, with the same case, as the field declared in 3DPassport (cf. QA00000305710).

  2. Make sure the email attribute is valued on the IdP side for the user trying to log in. If the "email" attribute is missing from the SAML response, it has probably not been added in the IdP.
    Configure this "email" attribute, which is mandatory, on the IdP side.

 

Maximum inactive time (timeout)

Probable Cause:

  • The SAML Response does not satisfy the following condition:
    AuthnInstant - IssueInstant < 24 hours (86400 seconds) (MaxInactiveTime)

 

Probable Solution:

  • Make sure your IdP Max inactive time is lower than 24 hours (86400 seconds).
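
As an added example (not part of the original article and not vendor code), this Python sketch runs the checks from the two sections above, the email attribute and the 24-hour limit, against a decoded SAML Response captured during a failed login. The field name `email` passed as `required`, the function names and the sample response are assumptions; the time check measures the elapsed time between the two instants, and the signature is not validated.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_INACTIVE_SECONDS = 86400  # 24 hours, the limit stated on this page

def _instant(value):  # SAML instants are UTC xs:dateTime, e.g. 2024-05-02T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, required=("email",)):
    """List problems in a decoded SAML Response. The signature is NOT verified here."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no cleartext Assertion (encrypted, or not a success response)"]
    values = {}  # attribute name -> list of non-empty values
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        texts = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        values[attr.get("Name", "")] = [t for t in texts if t and t.strip()]
    for name in required:  # assumed to be the field name declared in 3DPassport
        if values.get(name):
            continue
        other_case = [n for n in values if n.lower() == name.lower() and n != name]
        if other_case:
            findings.append(f"attribute sent as {other_case[0]!r}, expected {name!r}")
        elif name in values:
            findings.append(f"attribute {name!r} has no value")
        else:
            findings.append(f"attribute {name!r} is missing")
    stmt = assertion.find("saml:AuthnStatement", NS)
    authn = stmt.get("AuthnInstant") if stmt is not None else None
    if authn and root.get("IssueInstant"):  # elapsed time between login and issuance
        gap = abs((_instant(root.get("IssueInstant")) - _instant(authn)).total_seconds())
        if gap >= MAX_INACTIVE_SECONDS:
            findings.append(f"AuthnInstant/IssueInstant gap {int(gap)}s >= {MAX_INACTIVE_SECONDS}s")
    return findings

def check_post_value(b64):  # SAMLResponse form field as sent with the HTTP-POST binding
    return check_response(base64.b64decode(b64).decode("utf-8"))

def sample(name, value, authn):  # constructed test data, not a real capture
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'IssueInstant="2024-05-02T10:00:00Z"><saml:Assertion><saml:AuthnStatement '
            f'AuthnInstant="{authn}"/><saml:AttributeStatement><saml:Attribute Name="{name}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
            f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')
```

An empty list means these checks pass; use the result for troubleshooting only, since an unsigned or tampered response would be reported the same way.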

 

Signature of the SAML response returned by IDP cannot be validated

Probable Cause:

  • You may face this issue when logging in with SAML activated, because the signature of the SAML response returned by the IdP cannot be validated.

     

Probable Solution:

  • Check the validity of the certificate on the IdP side and, if needed, reimport your certificate and/or IdP metadata in 3DPassport.

 

Downloading an empty file when logging out with Authentication Delegation

Probable Cause: 

  • It usually means that the SLO (Single LogOut) is incomplete or incorrect.

 

Probable Solution 

  • Please make sure to use the SLO binding from the 3DPassport SAML Metadata XML. It should look similar to this:

https://r113210****-eu1.iam.3dexperience.3ds.com/saml/SingleLogout/alias/r113210****-eu1.iam.3dexperience.3ds.com

 

User not able to access the application

Cause: 

  • It means that your IdP administrator has not provided access to the SAML application.

 

Resolution / Recommendation

  • Reach out to your IdP administrator to request access to the application.