Troubleshooting SAML


About

This guide helps you diagnose and resolve common SAML-related login problems in the Video Portal. It’s intended for admins who have already completed their SAML integration and are testing authentication for the first time.

Before you start

Make sure:

  • You’re familiar with SAML 2.0 basics.
  • Your IdP configuration is complete.
  • You can access the Video Portal’s Configuration Management console.

Verifying the Integration

Log in to the Video Portal using SAML. If the integration is working, you should see your user ID in the top-right corner.

What else should you verify? 

Look at the userId / user name in the upper-right corner, and in the Video Portal Configuration Management console (/admin/user-list).

  • Does the userId that you received match the expected one?
    • If not, make sure that the userId attribute is released in the SAML response.
    • Make sure that the userId attribute is mapped correctly.
  • Did you release and map any additional attributes?
    • If so, make sure that the user has the expected additional information (first name, last name, email address).
  • Was the user assigned the expected role?
    • A user should get the default role that you set when you configured the SAML module. 
    • If you also configured role mapping (assignment of a Video Portal role based on the value(s) of attribute(s)), check whether the user received the expected role. If not, double-check that the attribute is released, and that the attribute name and expected value match the ones in the SAML response. Values are case sensitive.

In some cases, login may fail. From an end user's perspective, this might look like an “application error” page on the MediaSpace side, or a redirect loop.

If the error occurs on the IdP side, or before the browser is redirected back to MediaSpace, please check the error on the IdP side.

When login fails, use a web tracking tool (SAML Tracer for Firefox, Fiddler, Charles, and Chrome DevTools are a few examples) and look at the HTTP response headers of https://{your_KMS_UR}/user/authenticate.

Error codes and description

The following table lists each error code with its description and suggested actions.

| Error Code | Description | Suggested Actions |
|---|---|---|
| 1001 | Failed to get data entry (failed to load the SAML configuration). | Clear the MediaSpace cache, refresh the admin and try again. Contact customer care if the issue persists. |
| 1002 METADATA_FOR_ENTITY_NOT_FOUND | You accessed MediaSpace or redirected the user to the wrong domain. | Make sure to access MediaSpace via the domain that you defined in spMetadata -> host. |
| 1003 INVALID_MESSAGE_ASSERTION_CONSUMER_SERVICE_ENDPOINT | Your IdP returned an invalid SAML response. | Check the SAML response, and proceed accordingly. |
| 1004 MISSING_ISSUER_ASSERTION_CONSUMER_SERVICE_ENDPOINT | Missing <saml:Issuer> in the SAML response as posted to the AssertionConsumerService. | Configure your IdP to release <saml:Issuer>. |
| 1005 MULTIPLE_ASSERTIONS_IN_RESPONSE | More than one assertion in the received response. | |
| 1006 RESPONSE_STATUS_NOT_SUCCESS | | Check the SAML response, and check the IdP logs to see what made the SAML response fail. The SAML response must be of status: Success for the login to succeed. |
| 1007 RESPONSE_EMPTY_USER_ID | SAML response contains an empty user ID or no name ID in the SAML response subject. | Add an IdP rule to release a nameId attribute. You can adjust the requested nameId format in the SAML request per your IdP's preference. |
| 1010 | Other exception. | Look for the error message in the header and proceed accordingly. |
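
The script below is an added example, not the Video Portal's own code. It runs the conditions behind error codes 1004 to 1007, plus the case-sensitive attribute comparison from the verification checklist, against a base64 SAMLResponse value copied from a capture tool. The function names, attribute names and sample response are constructed for illustration, and the checks only approximate the portal's validation, which this page does not document.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def diagnose(saml_response_b64):
    """Return (likely error codes, released attributes) for a captured SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    codes = []
    if root.find(".//saml:Issuer", NS) is None:
        codes.append(1004)                      # no <saml:Issuer> anywhere
    if len(root.findall(".//saml:Assertion", NS)) > 1:
        codes.append(1005)                      # more than one assertion
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        codes.append(1006)                      # status is not Success
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        codes.append(1007)                      # empty or missing NameID
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return codes, attrs

def check_mapping(attrs, name, expected):
    """Compare a released attribute with a configured mapping value (case sensitive)."""
    values = attrs.get(name)
    if values is None:
        return "not released"
    if expected in values:
        return "match"
    if expected.lower() in (v.lower() for v in values):
        return "case mismatch"
    return "value mismatch"

# Constructed sample response (not from a real IdP); attribute names are hypothetical.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion><saml:Subject><saml:NameID></saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="role">
   <saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>""").decode()

if __name__ == "__main__":
    codes, attrs = diagnose(SAMPLE)
    print(codes, check_mapping(attrs, "role", "admin"), check_mapping(attrs, "uid", "jdoe"))
```

An encrypted assertion will not be visible to these checks; run them on the decrypted response if your IdP encrypts assertions.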