This guide will provide steps on capturing the HTTP Post from your Identity Provider to Litmos, this is also known as a SAML assertion.
Litmos support SAML v2 protocol and support IDP initiated login only
- Are you using IDP initiated SAML login? Litmos does not currently support SP initiated SAML logins.
- Are you using SAML v2 protocol? Litmos has deprecated support of v1.
- Does the user that is logging in for the first time into Litmos have the “Auto Generate Users” option in the Litmos SAML settings selected? This is required in order for Litmos to create new users upon first login.
- Are you using valid metadata and x509 certificate in your SAML setup? If not this can create problems
- Does your assertion have a “name” attribute?
- Does your assertion have minimum attributes if you are auto-generating new users? Email, FirstName, LastName
- Do you have any HTML or markup in individual attributes?
- Have you appended any parameters or additional queries to the end of the assertion endpoint url?
- If you are using RelayState is it a valid URL that is redirecting upon?
- If you are using RelayState you cannot redirect to the initial assertion URL
- If you have enabled “Verify assertion signatures and encryption” you will need to ensure that the complete assertion signature is digitally signed and encrypted.
- Disable “Verify assertion signatures and encryption” and test if you continue to have issues.
- Note: If you are not using auto generation of new users, the assertion will lookup the “name” attribute against the username in Litmos, so the attribute must match the existing username in Litmos.
Troubleshooting the Single Sign On (SSO) connection with SAML-tracer
Your Single Sign On (SSO) is set up, but you can't login
You have set up your SSO integration and are receiving an error when you try to login. This error reads "Error logging into Litmos, please contact your administrator. 6a Origin: XXXX" This means a field is missing from your SAML assertion.
- Check your mapped attributes - spelling and syntax are critical. The minimum accepted attributes are FirstName, LastName, Email. Each application has a different method for accessing this information. The full list of accepted attributes are found in this article.
- Make sure the profile you are logging in with has the fields present within your directory and are properly mapped.
You have checked mapped attributes, now what?
- Capture the SAML assertion and see what exactly is being passed to Litmos.
There are many applications that can be used to capture the SAML assertion, such as Fiddler or SAML Chrome panel. For this example, we will be using the browser extension SAML-tracer for Chrome (https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en) or Firefox (https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/).
2. After the extension is installed, open up SAML-tracer to start capturing your browser activity.
3. Use your SSO login link in a new browser tab and then click on the URL showing the "SAML" icon. After clicking the URL with the "SAML" icon, you will see tabs appear at the bottom of the SAML-tracer window.
4. Clicking on the SAML tab will show the full SAML assertion passed to Litmos. You can scroll to the bottom of the assertion to find your SAML attributes that were passed.
The Summary tab will show the SAML attributes that were passed in a different format.
If you have any further questions, please submit a support ticket to firstname.lastname@example.org