This topic describes a troubleshooting process for common Single Sign-on failures.
In the User Profile in MOVEit Transfer, if SSL Client Cert Required is set to Yes, the user will not be authenticated. You need to set this option to No. (Note that this type of failed signon attempt is not audit logged.) If you want to use a client certificate, you need to use the Identity Provider to handle the certificate.
If Single Signon authentication fails, the user might see the following notification on the MOVEit Transfer Sign On page:
Unable to authenticate with Identity Provider or not allowed to sign on from this location.
Use the following process to assess and fix the problem:
For MOVEit settings, see the User Authentication - Single Sign-on page. For Identity Provider specific settings, consult your Identity Provider documentation.
When all the settings are correct, continue.
Confirm the log settings.
Log errors might include:
Error in authentication response from Identity Provider
The following error indicates a problem that originates from your Identity Provider:
BindingHandler.AuthenticateSAMLResponse: Authentication not successful: Code:urn:oasis:names:tc:SAML:2.0:status:Responder
SILUser.ExecuteAuthenticators: User '' failed to authenticate with authenticator: SAML Assertion Authenticator
Additionally, some Identity Providers report errors in the Windows Event Log or in their own logs. If you see this error in the MOVEit logs, return to your Identity Provider machine and check for Windows Event Log entries or Identity Provider log entries that indicate why the Identity Provider failed to perform authentication.
Error in MOVEit Single Signon configuration: authentication request
The following error indicates a problem that originates from your MOVEit Transfer Server:
Authentication not successful: Code:urn:oasis:names:tc:SAML:2.0:status:Requester
To confirm your configurations, see User Authentication - Single Sign-on. You can also find helpful information at the MOVEit customer portal.
Error in MOVEit Single Sign-on configuration: Skew Allowance
The following error indicates a problem with your "Skew Allowance" setting:
SAMLAuthenticator.AllowedByConditions: Current time (2013-12-18T20:23:01.3936301Z) is outside of assertion valid time range (2013-12-18T20:23:01.756Z to 2013-12-18T21:23:01.756Z) with skew allowance 00:00:00
SILUser.ExecuteAuthenticators: User 'user1' failed to authenticate with authenticator: SAML Assertion Authenticator
Revisit your MOVEit Identity Provider Skew Allowance setting and adjust this value to ensure that this error does not continue to occur.
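The following is an added example, not taken from the MOVEit documentation or product code: a Python script that sorts log lines into the three error categories described above and, for a Skew Allowance error, measures how far the current time fell outside the assertion's valid range. It assumes one log entry per line and that the allowance is printed as hh:mm:ss; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Log lines copied from this page, one entry per line (assumed on-disk layout).
SAMPLE = [
    "BindingHandler.AuthenticateSAMLResponse: Authentication not successful: "
    "Code:urn:oasis:names:tc:SAML:2.0:status:Responder",
    "Authentication not successful: Code:urn:oasis:names:tc:SAML:2.0:status:Requester",
    "SAMLAuthenticator.AllowedByConditions: Current time (2013-12-18T20:23:01.3936301Z) "
    "is outside of assertion valid time range (2013-12-18T20:23:01.756Z to "
    "2013-12-18T21:23:01.756Z) with skew allowance 00:00:00",
]

SKEW = re.compile(
    r"Current time \(([^\s)]+)\) is outside\s+of assertion valid time range "
    r"\(([^\s)]+) to ([^\s)]+)\) with skew\s+allowance (\d+):(\d\d):(\d\d)")

def parse_ts(text):
    """Parse a UTC timestamp with 0-7 fractional digits (truncated to microseconds)."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base + timedelta(microseconds=int((m.group(2) or "0")[:6].ljust(6, "0")))

def skew_gap(line):
    """Return (side, gap, allowance) for a skew error line, else None."""
    m = SKEW.search(line)
    if not m:
        return None
    now, start, end = (parse_ts(m.group(i)) for i in (1, 2, 3))
    allowance = timedelta(hours=int(m.group(4)), minutes=int(m.group(5)),
                          seconds=int(m.group(6)))  # assumed hh:mm:ss
    if now < start:
        return "before", start - now, allowance
    return "after", now - end, allowance

def triage(line):
    """Map a log line to the troubleshooting branch this page describes."""
    if "status:Responder" in line:
        return "identity-provider"
    if "status:Requester" in line:
        return "moveit-authentication-request"
    if SKEW.search(line):
        return "skew-allowance"
    return None

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry), skew_gap(entry))
```

For the sample entry the current time is about 0.36 seconds before the start of the valid range, so an allowance of a few seconds would cover it. A gap of minutes points at clock synchronization between the MOVEit Transfer and Identity Provider hosts, and a larger allowance also lengthens the period in which an assertion is accepted.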