Generally, the first step to troubleshooting a problem is to check the application log file. We have documentation that covers logging in detail.
The error logs can help you pinpoint the cause of the error, including information about the failing message and its sender.
We improved logging in Rsk.Saml v5 to offer more diagnostic information logged at the Debug level, primarily for incoming message validation failures.
Viewing the SAML message
In Rsk.Saml v5.0.0, we introduced a config option, LogSamlMessages. When LogSamlMessages is set to true, all SAML messages sent and received by our SAML component will be logged at the
To avoid logging PII, we don't recommend enabling this feature in production.
Note that messages sent and received using HTTP Artifact binding are always logged as debug messages. As HTTP Artifact binding uses a direct server-to-server connection to exchange messages, there are no other means of obtaining the messages.
If you are using HTTP Redirect or HTTP POST with a version prior to Rsk.Saml v5.0.0, you will need to obtain the SAML message from the browser network trace. The exact steps required to view the network trace depend on the browser being used. The following examples use the Google Chrome network DevTools.
Getting the Encoded SAML Message from Browser
You will need to obtain the encoded SAML message from the network trace. If you are using HTTP Redirect binding, get the encoded SAML message from the query string; if you are using HTTP POST binding, get it from the form body.
Decoding the SAML Message
There are various tools available online for decoding SAML messages. Our favorite is the SAML Decoder & Parser.
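The message can also be decoded locally, so that a captured message containing PII never has to be pasted into a third-party site. The script below is an added example, not part of Rsk.Saml; its function names are hypothetical. It handles both bindings described above: HTTP Redirect (URL-encoded, base64, raw DEFLATE) and HTTP POST (URL-encoded, base64 only).

```python
import base64
import zlib
from urllib.parse import parse_qs, quote, urlsplit

SAML_PARAMS = ("SAMLRequest", "SAMLResponse")


def _b64(value: str) -> bytes:
    # A value copied from a URL-decoded view can show '+' as a space and
    # lose trailing '=' padding; repair both before decoding.
    value = value.replace(" ", "+")
    return base64.b64decode(value + "=" * (-len(value) % 4))


def decode_redirect(value: str) -> str:
    """HTTP Redirect binding: base64, then raw DEFLATE (no zlib header)."""
    return zlib.decompress(_b64(value), -15).decode("utf-8")


def decode_post(value: str) -> str:
    """HTTP POST binding: base64 only, no compression."""
    return _b64(value).decode("utf-8")


def _saml_param(encoded_pairs: str) -> str:
    fields = parse_qs(encoded_pairs)  # also undoes the URL encoding
    for name in SAML_PARAMS:
        if name in fields:
            return fields[name][0]
    raise ValueError("no SAMLRequest or SAMLResponse parameter found")


def from_redirect_url(url: str) -> str:
    """Decode the message carried in a redirect URL's query string."""
    return decode_redirect(_saml_param(urlsplit(url).query))


def from_post_body(body: str) -> str:
    """Decode the message carried in a URL-encoded form body."""
    return decode_post(_saml_param(body))


if __name__ == "__main__":
    # Constructed sample message, not taken from a real exchange.
    xml = '<samlp:AuthnRequest ID="_constructed" Version="2.0"/>'
    encoded = base64.b64encode(xml.encode()).decode()
    print(from_post_body("SAMLResponse=" + quote(encoded, safe="")))
```

Pass the full redirect URL from the network trace to from_redirect_url, or the raw form body to from_post_body; a value decoded with the wrong binding's function fails instead of returning garbage.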
Fixing the Error
Most SAML errors are due to either misconfiguration or invalid incoming SAML messages. Check out our Frequently Asked Questions.
If you are unable to fix the error, please check our Support page.