Answers common questions about single sign-on (SSO) in Resource Access Management (RAM), including SAML response troubleshooting, user-based SSO errors, and role-based SSO errors.
View a SAML response in a browser
View the SAML response in Google Chrome to troubleshoot SSO issues. The following steps use Google Chrome 108.0.5359.125 (64-bit) as an example. Steps may vary by browser version.
-
Press F12 to open the DevTools console.
-
Click the Network tab and select Preserve log.
-
Reproduce the issue.
-
On the Network tab, search the log for sso. Select the matching entry and click the Payload tab to view the SAML response.
User-based SSO: "user does not exist" error
|
Cause |
Resolution |
|
Alibaba Cloud uses the User Principal Name (UPN) to locate a RAM user, so the SAML response from your identity provider (IdP) must contain the user's UPN. The UPN suffix can be a domain alias, auxiliary domain name, or default domain name. If the username suffix in your IdP does not match the RAM user's UPN suffix, matching fails. Check the NameID element and NameID example sections in SAML response for user-based SSO. |
Set an auxiliary domain name so the RAM user's UPN suffix matches the one in your IdP. Configure SAML settings for user-based SSO on Alibaba Cloud. |
|
The RAM user does not exist, or the RAM user's name does not match the corresponding username in the IdP. |
|
|
SCIM user synchronization has failed. |
Check the SCIM synchronization logs in your IdP to identify and fix the failure. |
|
The UPN for a user in the IdP does not match the UPN synchronized to RAM. Possible causes include:
|
Ensure the username mapping rule in your IdP's SSO configuration matches the one configured for SCIM synchronization. |
|
The value of the |
In the SAML response, find the If your IdP has a separate Audience URL setting, ensure it is configured correctly. |
Role-based SSO: "NoPermission.NotTrusted" error
|
Cause |
Resolution |
|
In the |
|
Role-based SSO: "Role attribute error"
|
Cause |
Resolution |
|
The |
Fix the |
Role-based SSO: "InvalidParameter.RoleSessionName" error
|
Cause |
Resolution |
|
The |
Fix the |
|
The user signing in has no value for the attribute mapped to RoleSessionName. For example, if your IdP uses Email as RoleSessionName, this error occurs when the user has no email address in the IdP. |
Identify the attribute specified for RoleSessionName in your IdP and set the attribute value for the user. |
SSO: "assertion signature is invalid" or "sign-in token expired" errors
|
Cause |
Resolution |
|
The public-private key pair used for signing in your IdP has been rotated, but the IdP metadata in Alibaba Cloud has not been updated. |
Update the IdP metadata in Alibaba Cloud. Download the latest metadata file from your IdP and re-upload it. |
|
The public-private key pair in your IdP has been rotated and the IdP metadata in Alibaba Cloud has been updated. However, the IdP might still use the old private key during the rotation period, while the metadata in Alibaba Cloud contains only the new public key. |
The IdP metadata in Alibaba Cloud must contain both the old and new public keys. To configure metadata with two public keys:
|
|
The upload failed because the metadata file is too large. |
After uploading, wait for the process to complete. Download the metadata file to verify the upload was successful and the content is complete. |
Self-managed IdP: missing or incorrect metadata
|
Cause |
Resolution |
|
The metadata parameters do not conform to the SAML 2.0 protocol. |
Configure the parameters to conform to the SAML 2.0 protocol. SAML 2.0. |