Troubleshooting

Enable the SAML extension in the browser. While performing the login, open the browser developer tools and select the SAML tab. During the operation, the SAML assertions are passed in the HTTP headers. Similar to the external authentication configuration, if the role name passed in the SAML assertion matches the role name in the AppViewX database, the login will be successful. A captured assertion contains user identifiers and role data, so mask those values before sharing the capture outside the team.

Sample Configuration of SAML Assertion

Number of SAML Assertions in HTTP Headers

Sample SAML Assertion

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sample SAML 2.0 Response (status Success) wrapping a single Assertion.
  The Response and the Assertion each carry their own enveloped XML signature
  (rsa-sha256 over exclusive c14n, sha256 digest).
  Destination names the endpoint the Response was issued for, and InResponseTo
  repeats the identifier of the authentication request being answered.
  NOTE(review): the listing looks re-indented for display; the DigestValue and
  SignatureValue below should not be expected to verify against this text.
  Confirm against the raw message captured from the browser.
-->
<saml2p:Response Destination="https://192.168.x.x:31443/appviewx/ssoLogin"
    ID="id246345791662193091218321378" InResponseTo="ONELOGIN_23e56e9e-99e6-449f-ace2-67002e6fcc91"
    IssueInstant="2019-02-06T13:46:48.185Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk9y6yf2Td4qxk5M356</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <!-- URI matches the Response ID above, so this signature is computed over the
                 Response element, with the signature itself excluded by the enveloped transform. -->
            <ds:Reference URI="#id246345791662193091218321378">
                <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
                </ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>V4ngGSIWBR81C4VzBI2K8nM4QTxrexhuJAVDZ1f4cYQ=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>ZBrsl0pRRB8gaqYHnoyjISEsA8s1cUAn5Fy5rJ/MyNRxtLlKDPrBBKgT0s0LkKodMEQavwgr2uN6pc0LdXVvRge8Taea1apeiThGWLjt17hRUNBUTJFbLlIgpfjf6dBf6E4FpqAO6p0/SbGRkeFKU1dUVUHwlizsNxjeS+QoTJG9OwivLxgxvzfNuLicPgrPJMesZcgyEOiFXB09OK5RwcSktOWE7C7iGCP6OMbUpPKasJTJ89iJrW4/ATaHBZJ3faV/gqbYcQerdKxyXsMQMM/MzIRAfd9CfXyPsL+T/26BOnLN5F/Gq/36cYGrEuUJ0MdzHBrRualKe/bRiqQR2Q==</ds:SignatureValue>
        <!-- KeyInfo embeds the signing certificate in the message. Signature checks
             should be anchored to the IdP certificate configured on the service
             provider, not to a certificate taken from the message alone. -->
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAWiodnVYMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG
                    A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
                    MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGFwcHZpZXd4LXNzbzEcMBoGCSqGSIb3DQEJ
                    ARYNaW5mb0Bva3RhLmNvbTAeFw0xOTAyMDEwOTQ4MjJaFw0yOTAyMDEwOTQ5MjJaMIGUMQswCQYD
                    VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG
                    A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGFwcHZpZXd4LXNzbzEc
                    MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
                    ggEBAIc22r1CR7gbMVcyYnRjkDLGRwHJ1zhQkWTVoEZdbk/KTHwVMXHpNinkOhUcxbzfHePBf6wx
                    9jEThiNvvHZVIg6ZktYotG9DF/FF0fMxhzfweqR5yt27ihiuVTeGT8GjNcXwOoyzJdrDuZg27ybI
                    jriqGPKrLiwrrot54R1LP2VclM0FdIOWdOoU1N5IEnFAd+2UECZZLQ0gJrDpFcbDisuhmp5bTKUS
                    1RpIxarNeacH2klRY4efeqQdVgaghgs+zMN44iz+YGs8uELElKErOabEtoYiTJmsVnqEcs8fUvKx
                    LLdZevPhh89v0MJiZI9gTjjt/f9N+NEUzyJsHfxqmnUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
                    RZo42X1gDE3d9xnftXr2LoUItdTQeVoFdkIJIqJla21kDRCwHis2OvuFwOW+QdUeh5uUIjGxbhaA
                    cQIeJUvuD1aEK/ynUDKGA0jvdLR7IbwTK69i7c19F7pti6b5sq8yjl5fOavit1N3INIzZdkrPlP1
                    hJnKcjOSVyMPv8a7rDXOtXxDoZgi+pWj0qlp4E9tKOrWJgKdjS8j03ulWwtOx4Jak4yYueaY8nH1
                    +amyE6w96Qm6ScEGLcxXzboczS7BMjZ0M4Mr6zXOTS8pU+AX6NBmdNkdwO9JSeXm3U6lRWv59jet
                    qMeKqf4aKRg+oqbw9hkH3X6qT69AeEiPz6YPmQ==</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
    <!-- The Assertion: the part that identifies the user and lists the attributes. -->
    <saml2:Assertion ID="id24634579166299789832980116" IssueInstant="2019-02-06T13:46:48.185Z"
        Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:xs="http://www.w3.org/2001/XMLSchema">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk9y6yf2Td4qxk5M356</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <!-- URI matches the Assertion ID, so this second signature is computed over
                     the Assertion element. -->
                <ds:Reference URI="#id24634579166299789832980116">
                    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform>
                    </ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>hnTKZKSyxKC6WGZTK7iD+iQv4+nj/91eX8vhrkyi+1k=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>OtgpFXWkIIO0hSZiHpAdTDBg6v11+/unBzyPOFSBl+0+b2i22s3lHtzCqsEVp4Xn9J1XoL12tCr/uhg7b4kxcTslMsAYFVQipUZLKanEIaEOSv2tnjQuAoE3fBMTm2d/3+nlXofyGiOMEY5OrFaGGjC9ZAMk2qJDAEzjZHhjOyooLQItzDocfVFvXeFSl/bAaDNSRPYT0B9dXsGpjpUlA6CMpmJXSxgAPwogaM20d48o7iKi3THjTgm1L2z9nntQajfaRERkoTfAV0sGE6iKlUAhWmtMkUDOUXbMeBXo61cpQ5A/WsfxpbZKhJkDes/9lzcDoPkI7w+TshJnQMQA3A==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAWiodnVYMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG
                        A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
                        MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGFwcHZpZXd4LXNzbzEcMBoGCSqGSIb3DQEJ
                        ARYNaW5mb0Bva3RhLmNvbTAeFw0xOTAyMDEwOTQ4MjJaFw0yOTAyMDEwOTQ5MjJaMIGUMQswCQYD
                        VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG
                        A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGFwcHZpZXd4LXNzbzEc
                        MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
                        ggEBAIc22r1CR7gbMVcyYnRjkDLGRwHJ1zhQkWTVoEZdbk/KTHwVMXHpNinkOhUcxbzfHePBf6wx
                        9jEThiNvvHZVIg6ZktYotG9DF/FF0fMxhzfweqR5yt27ihiuVTeGT8GjNcXwOoyzJdrDuZg27ybI
                        jriqGPKrLiwrrot54R1LP2VclM0FdIOWdOoU1N5IEnFAd+2UECZZLQ0gJrDpFcbDisuhmp5bTKUS
                        1RpIxarNeacH2klRY4efeqQdVgaghgs+zMN44iz+YGs8uELElKErOabEtoYiTJmsVnqEcs8fUvKx
                        LLdZevPhh89v0MJiZI9gTjjt/f9N+NEUzyJsHfxqmnUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
                        RZo42X1gDE3d9xnftXr2LoUItdTQeVoFdkIJIqJla21kDRCwHis2OvuFwOW+QdUeh5uUIjGxbhaA
                        cQIeJUvuD1aEK/ynUDKGA0jvdLR7IbwTK69i7c19F7pti6b5sq8yjl5fOavit1N3INIzZdkrPlP1
                        hJnKcjOSVyMPv8a7rDXOtXxDoZgi+pWj0qlp4E9tKOrWJgKdjS8j03ulWwtOx4Jak4yYueaY8nH1
                        +amyE6w96Qm6ScEGLcxXzboczS7BMjZ0M4Mr6zXOTS8pU+AX6NBmdNkdwO9JSeXm3U6lRWv59jet
                        qMeKqf4aKRg+oqbw9hkH3X6qT69AeEiPz6YPmQ==</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <!-- Subject: NameID uses the emailAddress format (the address appears masked in
             this listing). The bearer confirmation ties the assertion to the Recipient
             URL and to the request ID, and it expires at NotOnOrAfter. -->
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="ONELOGIN_23e56e9e-99e6-449f-ace2-67002e6fcc91"
                NotOnOrAfter="2019-02-06T13:51:48.185Z" Recipient="https://192.168.x.x:31443/appviewx/ssoLogin"/></saml2:SubjectConfirmation>
        </saml2:Subject>
        <!-- Conditions: a ten minute validity window (NotBefore to NotOnOrAfter) and the
             audience the assertion is issued for. -->
        <saml2:Conditions NotBefore="2019-02-06T13:41:48.185Z" NotOnOrAfter="2019-02-06T13:51:48.185Z"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AudienceRestriction>
                <saml2:Audience>https://192.168.x.x:31443/appviewx/</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2019-02-06T13:46:46.836Z"
            SessionIndex="ONELOGIN_23e56e9e-99e6-449f-ace2-67002e6fcc91"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <!-- Attributes sent to the application: EmailId, FirstName, LastName, NameID,
             Mobile and Roles, each typed as xs:string. -->
        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="EmailId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">saml</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">appviewx</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="NameID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="Mobile" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">0</saml2:AttributeValue>
            </saml2:Attribute>
            <!-- Roles carries the role name ("oktarole" here). The surrounding guide states that
                 login succeeds when this name matches a role name in the AppViewX database. -->
            <saml2:Attribute Name="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">oktarole</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

The data in bold contains the attributes passed to AppViewX for a successful login. If this data is not passed in the assertion, the assertion configuration must be revisited.

Vendors Certified with AppViewX

AppViewX has been certified with the following SAML 2.0-enabled SSO vendors:
  • Okta
  • OneLogin
  • ADFS
  • ForgeRock
  • Idaptive
  • Azure
  • PingIdentity