Troubleshooting SAML

When configuring or updating your SAML authentication configuration, you may experience some setup errors.  Troubleshooting and correcting these issues can be highly technical; we recommend involving your IT or Technical teams when configuring or updating SAML.


Common Errors & Recommended Troubleshooting 


Error: "SAML Response not found, Only supported HTTP_POST Binding"

Solution: This error is generally not related to the SAML response attributes but to how the SAML response is returned to Formstack. The library we use only supports the identity provider sending the SAML response in a POST request back to the Formstack ACS URL. In the SP metadata XML file that Formstack provides, the AssertionConsumerService element inside our SPSSODescriptor element specifies the binding attribute as "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", which indicates that we expect the response as a POST variable.


Error: “Username already exists for this authentication provider”

Solution: This usually means an existing account has another authentication method enabled. If so, the user should sign in using that method (such as email and password).

This error can also appear if the Username Attribute in the user's SAML credentials doesn't match the username of their account. If so, the user can update the attribute at their identity provider (for instance, back to the old value if it had been previously updated).


Error: "Error: Failure decrypting data"

Solution: This typically means the XML response sent back to Formstack is invalid. It may also indicate that the x509 certificate is not up to date or accurate.


Error: "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

Solution: This usually means that on the Auth Provider side, an email address is missing or not coming through in the response. If you are on AD/ADFS then you may need to add a claim with E-Mail Address (for example). 

If you have an alternative provider that is going through SAML, you will need to make sure the response contains the email address.  This needs to come across as the “Name ID” in the SAML response.


Error: "ERROR: Unable to authenticate: invalid_response, The status code of the Response was not Success, was Requester"

Solution: This is a generic error that occurs when we are unable to parse the response that we receive back. It usually means that there was some kind of error or bad data in what was sent back.

Errors like this generally occur with SAML when the XML sent back is not a regular response. For example, the provider may have been configured to hit a webpage instead of sending back the correct XML SAML response.


Error: "Reference Validation Failed"

Solution: Formstack may be receiving a response from a server or domain that was not expected. It's likely there is a misconfiguration in the settings, but the response may also come from an Auth Provider that was not expecting a request from Formstack. We recommend checking your settings to ensure the host/domain is correct.
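
Several of the errors above can be narrowed down by decoding the SAMLResponse value your identity provider posts and looking at its status code and Name ID. The script below is an added example, not Formstack's code or the library Formstack uses; the function names and the sample responses are constructed for illustration, and it assumes you have copied the base64 SAMLResponse form value from your browser's network tools.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

def triage_saml_response(b64_response):
    """List findings for a base64 SAMLResponse POST value.
    Diagnostic only: no signature verification, no decryption."""
    try:
        root = ET.fromstring(base64.b64decode(b64_response, validate=True))
    except (ValueError, ET.ParseError):
        return ["not base64-encoded XML"]
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is %s, not a SAML Response" % root.tag]
    # Top-level status code first, then any nested second-level code.
    codes = [c.get("Value", "") for c in
             root.iterfind("samlp:Status//samlp:StatusCode", NS)]
    if not codes or codes[0] != STATUS + "Success":
        return ["status is not Success: " + " / ".join(codes)]
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted; NameID not visible without the key"]
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        return ["NameID missing or empty"]
    if "@" not in value:
        return ["NameID is not an email address: " + value]
    return []

def encode(xml_text):
    """Base64-encode XML the way the POST binding carries it."""
    return base64.b64encode(xml_text.encode()).decode()

# Constructed samples (not captured from any real provider).
HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        % (NS["samlp"], NS["saml"]))
REQUESTER = encode(HEAD + '<samlp:Status><samlp:StatusCode Value="' + STATUS
    + 'Requester"><samlp:StatusCode Value="' + STATUS + 'InvalidNameIDPolicy"/>'
    '</samlp:StatusCode></samlp:Status></samlp:Response>')
NO_EMAIL = encode(HEAD + '<samlp:Status><samlp:StatusCode Value="' + STATUS
    + 'Success"/></samlp:Status><saml:Assertion><saml:Subject><saml:NameID>'
    'jdoe</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
HTML_PAGE = encode("<html><body>Sign in</body></html>")

if __name__ == "__main__":
    for name in ("REQUESTER", "NO_EMAIL", "HTML_PAGE"):
        print(name, triage_saml_response(globals()[name]))
```

An empty list means the response has a Success status and an email-style Name ID; it says nothing about whether the signature or certificate is valid.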
