This topic describes a troubleshooting process for common Single Signon failures.
When "SSL Client Cert Required" is enabled, the user cannot authenticate using SAML Single Signon
In the User Profile in MOVEit Transfer, if SSL Client Cert Required is set to Yes, the user will not be authenticated. You need to set this option to No. (Note that this type of failed signon attempt is not audit logged.) If you want to use a client certificate, you need to use the Identity Provider to handle the certificate.
Authentication error on MOVEit Signon page
If Single Signon authentication fails, the user might see the following notification on the MOVEit Transfer Sign On page:
Unable to authenticate with Identity Provider or not allowed to sign on from this location.
Use the following process to assess and fix the problem:
For MOVEit settings, see the User Authentication - Single Signon page. For Identity Provider specific settings, consult your Identity Provider documentation.
When all the settings are correct, continue.
Confirm the log settings.
Log errors might include:
Error in authentication response from Identity Provider
The following error indicates a problem that originates from your Identity Provider:
BindingHandler.AuthenticateSAMLResponse: Authentication not successful: Code:urn:oasis:names:tc:SAML:2.0:status:Responder
SILUser.ExecuteAuthenticators: User '' failed to authenticate with authenticator: SAML Assertion Authenticator
Additionally, some Identity Providers report errors in the Windows Event Log or in their own logs. If you see this error in the MOVEit logs, return to your Identity Provider machine and see if there are any Windows Event Logs entries or logs that indicate why the Identity Provider failed to perform Authentication.
Error in MOVEit Single Signon configuration: authentication request
The following error indicates a problem that originates from your MOVEit Transfer> Server.
Authentication not successful: Code:urn:oasis:names:tc:SAML:2.0:status:Requester
To confirm your configurations, see User Authentication - Single Signon. You can also find helpful information at the MOVEit customer portal.
Error in MOVEit Single Signon configuration: Skew Allowance
The following error indicates a problem with your "Skew Allowance" setting:
SAMLAuthenticator.AllowedByConditions: Current time (2013-12-18T20:23:01.3936301Z) is outside
of assertion valid time range (2013-12-18T20:23:01.756Z to 2013-12-18T21:23:01.756Z) with skew
allowance 00:00:00 SILUser.ExecuteAuthenticators: User 'user1' failed to authenticate with
authenticator: SAML Assertion Authenticator
Revisit your MOVEit Identity Provider Skew Allowance setting and adjust this value to ensure that this error does not continue to occur.