Generally, the first step to troubleshooting a problem is to check the application log file. We have documentation that covers logging in more detail.
The error logs can help you pinpoint the cause of the error, including information about the failing message and its sender.
We improved logging in Rsk.Saml v5, primarily for incoming message validation, to offer more diagnostic information logged at
Viewing the SAML message
In Rsk.Saml v5.0.0, we introduced a config option
LogSamlMessages is set to
true, all SAML messages sent and received by our SAML component will be logged at the
We don't recommend enabling this feature in production to prevent PII from being logged and security assertions stolen.
Note that messages sent and received using HTTP Artifact binding are always logged as debug messages. As HTTP Artifact binding uses a direct server-to-server connection to exchange messages, there are no other means of obtaining the messages.
If you are using HTTP Redirect or HTTP POST with a version prior to Rsk.Saml v5.0.0, you will need to obtain the SAML message from the browser network trace. The exact steps required to view the network trace depends on the browser you are using. The following examples use the Google Chrome network DevTools.
Getting the Encoded SAML Message prior to v5.0.0
You will need to obtain the encoded SAML message from the network trace. If you are using HTTP Redirect binding, you will need to get the encoded SAML message from the query string, and if you are using HTTP POST binding, you will need to get the message from the form body.
Decoding the SAML Message
There are various tools available online for decoding the SAML messages. Our favorite is the SAML-Parser.
Fixing the Error
Most of the SAML errors are due to misconfiguration or invalid incoming SAML messages. Check out our Frequently Asked Questions.
If you are unable to fix the error, please check our Support page.