Troubleshooting Single Signon Issues

This topic documents a troubleshooting process for common Single Signon failures.

When "SSL Client Cert Required" is enabled, the user cannot authenticate using SAML Single Signon

In the user's profile in MOVEit DMZ, if SSL Client Cert Required is set to Yes, SAML Single Signon will not authenticate that user. Set this option to No. (Note that this type of failed signon attempt is not audit logged, so you will not find it in the audit trail; check the user profile directly.) If you want to require a client certificate, configure the Identity Provider to check it instead.

Authentication error on MOVEit Signon page

If Single Signon authentication fails, the user may see the following notification on the MOVEit DMZ Sign On page:

Unable to authenticate with Identity Provider or not allowed to sign on from this location.

Here is a process that can help you assess and fix the problem:

  1. The first step is to confirm your settings.

    For MOVEit settings, see the User Authentication - Single Signon page. For Identity Provider specific settings, please consult your Identity Provider documentation.

  2. If all the settings appear to be correct, the next step is to look in DMZ_Web.log, located in <DMZ_Install_Dir>\Logs (for example: C:\MOVEitDMZ\Logs). Depending on your Diagnostic Log Settings, the error may not have been written to this log. To check your current log settings, go to Start Menu -> Programs -> MOVEit DMZ -> MOVEit DMZ Config -> Status Tab. To see authentication failures, the "User Error" setting is sufficient. For complete debug information, use "All Debug".
  3. After you have confirmed the log settings, look through the latest log entries. If you had to change the log settings, have the user attempt to sign on again so that the failure is captured. Log errors you may see include:

    Error in authentication response from Identity Provider

    The following error indicates a problem that originates from your Identity Provider. The SAML status code Responder means the Identity Provider reported that it could not process the request on its side:

    BindingHandler.AuthenticateSAMLResponse: Authentication not successful: Code:urn:oasis:names:tc:SAML:2.0:status:Responder
    SILUser.ExecuteAuthenticators: User '' failed to authenticate with authenticator: SAML Assertion Authenticator

    Some Identity Providers report the underlying cause in the Windows Event Log or in their own logs. If you see this error in the MOVEit logs, go to the Identity Provider machine and check its Windows Event Log entries or product logs for the reason the Identity Provider did not complete authentication.

    Error in MOVEit Single Signon configuration: authentication request

    The following error indicates a problem that originates from your MOVEit DMZ server. The SAML status code Requester means the Identity Provider rejected the authentication request that MOVEit sent, which usually points to a mismatch in the Single Signon settings:

    Authentication not successful: Code:urn:oasis:names:tc:SAML:2.0:status:Requester

    See the User Authentication - Single Signon page to confirm your configurations. If you need further assistance, please contact MOVEit Support.

    Error in MOVEit Single Signon configuration: Skew Allowance

    The following error indicates a problem with your "Skew Allowance" setting:

    SAMLAuthenticator.AllowedByConditions: Current time (2013-12-18T20:23:01.3936301Z) is outside
    of assertion valid time range (2013-12-18T20:23:01.756Z to 2013-12-18T21:23:01.756Z) with skew
    allowance 00:00:00
    SILUser.ExecuteAuthenticators: User 'user1' failed to authenticate with
    authenticator: SAML Assertion Authenticator

    The first timestamp is the MOVEit DMZ server's clock; the time range is the validity window (NotBefore to NotOnOrAfter) that the Identity Provider placed in the assertion. In the example above the MOVEit clock is a fraction of a second behind the Identity Provider, so with a skew allowance of 00:00:00 the assertion is rejected as "not yet valid". First confirm that the MOVEit DMZ server and the Identity Provider are synchronized to the same time source; then revisit the Skew Allowance setting for the Identity Provider in MOVEit and raise it just enough to absorb the remaining difference. Keep the allowance small (minutes, not hours), because every second of skew you allow also extends the period in which a captured assertion would still be accepted.
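The following script is an added example for steps 2 and 3 above; it is not part of MOVEit DMZ and not MOVEit code. It scans DMZ_Web.log text for the three failure signatures quoted in this topic, maps the SAML status codes to the side that owns the problem (Responder: Identity Provider; Requester: MOVEit configuration), and for the Skew Allowance error parses the timestamps out of the log line and computes the smallest whole-second skew that would have let the assertion through. The sample log lines are constructed from the messages quoted above; the path to a real log is the C:\MOVEitDMZ\Logs location given in step 2.

```python
"""Triage SAML Single Signon failures in DMZ_Web.log (added example, not MOVEit code)."""
import math
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log, shaped after the messages quoted in this topic.
SAMPLE_LOG = """\
BindingHandler.AuthenticateSAMLResponse: Authentication not successful: Code:urn:oasis:names:tc:SAML:2.0:status:Responder
SILUser.ExecuteAuthenticators: User '' failed to authenticate with authenticator: SAML Assertion Authenticator
Authentication not successful: Code:urn:oasis:names:tc:SAML:2.0:status:Requester
SAMLAuthenticator.AllowedByConditions: Current time (2013-12-18T20:23:01.3936301Z) is outside of assertion valid time range (2013-12-18T20:23:01.756Z to 2013-12-18T21:23:01.756Z) with skew allowance 00:00:00
SILUser.ExecuteAuthenticators: User 'user1' failed to authenticate with authenticator: SAML Assertion Authenticator
"""

STATUS_RE = re.compile(r"Code:(urn:oasis:names:tc:SAML:2\.0:status:\w+)")
SKEW_RE = re.compile(
    r"Current time \((?P<now>[^)]+)\) is outside of assertion valid time range "
    r"\((?P<nb>[^ ]+) to (?P<noa>[^)]+)\) with skew allowance (?P<skew>\d\d:\d\d:\d\d)"
)
# Which side to look at for each SAML status code (the mapping used in this topic).
OWNER = {"Responder": "Identity Provider", "Requester": "MOVEit Single Signon configuration"}


def parse_ts(text):
    """Parse a UTC timestamp as written in the log; .NET emits up to 7 fractional digits,
    Python's %f accepts at most 6, so the fraction is truncated (microsecond precision)."""
    m = re.match(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$", text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    naive = datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc)


def parse_skew(text):
    """Parse an HH:MM:SS skew allowance as shown in the log."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def allowed_by_conditions(now, not_before, not_on_or_after, skew):
    """The validity test the log line reports on: NotBefore is inclusive,
    NotOnOrAfter is exclusive, and the skew allowance widens both ends."""
    return not_before - skew <= now < not_on_or_after + skew


def required_skew(now, not_before, not_on_or_after):
    """Smallest whole-second skew allowance under which the assertion would be accepted."""
    gap = max(not_before - now, now - not_on_or_after, timedelta(0))
    skew = timedelta(seconds=math.ceil(gap.total_seconds()))
    # The upper bound is exclusive, so landing exactly on NotOnOrAfter still needs one more second.
    if not allowed_by_conditions(now, not_before, not_on_or_after, skew):
        skew += timedelta(seconds=1)
    return skew


def triage(log_text):
    """Return (category, advice) pairs for each SSO failure signature found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = SKEW_RE.search(line)
        if m:
            now, nb, noa = (parse_ts(m.group(k)) for k in ("now", "nb", "noa"))
            configured = parse_skew(m.group("skew"))
            needed = required_skew(now, nb, noa)
            side = "behind" if now < nb else "ahead of"
            findings.append(("skew", f"MOVEit clock is {side} the Identity Provider; "
                                     f"skew allowance is {configured}, at least {needed} needed; "
                                     f"sync clocks first"))
            continue
        m = STATUS_RE.search(line)
        if m:
            status = m.group(1).rsplit(":", 1)[1]
            owner = OWNER.get(status, "unknown side (check both)")
            findings.append((status.lower(), f"status {status}: check the {owner}"))
    return findings


if __name__ == "__main__":
    # To run against a real log: open(r"C:\MOVEitDMZ\Logs\DMZ_Web.log", encoding="utf-8").read()
    for category, advice in triage(SAMPLE_LOG):
        print(f"{category:10} {advice}")
```

The skew computation deliberately reports the minimum that would have worked rather than a generous default: the operator should fix the clock difference and then set the allowance only slightly above what remains, since any larger value lengthens the window in which a replayed assertion is still accepted.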