When setting up KMS for Single Sign On (SSO) using SAML, you may encounter some issues. This section describes several issues that you may be able to resolve following the instructions provided herein.
Prerequisites
This guide assumes that:
- You are familiar with the SAML 2.0 protocol and set up process.
- You are testing the SSO for the first time.
- You have basic familiarity with Kaltura MediaSpace (KMS).
Verifying the Integration
After you set up SSO, log in to MediaSpace. The expected result is a successful login: your user ID or user name should appear in the upper right corner of KMS.
What else should you verify?
Look at the userId / user name in the upper right corner, and in the MediaSpace admin (/admin/user-list).
- Does the userId that you received match the expected one?
  - If not, make sure that the userId attribute is released in the SAML response.
  - Make sure that the userId attribute is mapped correctly.
- Did you release and map any additional attributes?
  - If so, make sure that the user has the expected additional information (first name, last name, email address).
- Was the user assigned the expected role?
  - A user should get the default role that you set when you configured the MediaSpace SAML module.
  - If you also configured role mapping (assignment of a MediaSpace role per the value(s) of attribute(s)), check whether the user received the expected role. If not, double check that the attribute is released, and that the attribute name and expected value match the ones in the SAML response. Values are case sensitive.
In some cases, login may fail. From an end user perspective, this might look like an “application error” page on the MediaSpace side, or a redirect loop.
If the error occurs on the IdP side, or before the browser is redirected back to MediaSpace, please check the error on the IdP side.
When login fails, use a traffic-inspection tool (SAML Tracer for Firefox, Fiddler, Charles, and Chrome dev tools are a few examples that can be used for this task), and look at the HTTP response headers of https://{your_KMS_URL}/user/authenticate.
Use the Error Codes and Description table to assist you in locating and understanding the error.
Error Codes and Description
The following table lists the error codes, their messages and descriptions, and the suggested actions for each.
Error Code | Description | Suggested Actions |
1001 | Failed to get data entry (failed to load the SAML configuration). | Clear the MediaSpace cache, refresh the admin and try again. Contact customer care if the issue persists. |
1002 | METADATA_FOR_ENTITY_NOT_FOUND You accessed MediaSpace or redirected the user to the wrong domain. | Please make sure to access MediaSpace via the domain that you defined in spMetadata -> host. |
1003 | INVALID_MESSAGE_ASSERTION_CONSUMER_SERVICE_ENDPOINT Your IdP returned an invalid SAML response. | Please check the SAML response, and proceed accordingly. |
1004 | MISSING_ISSUER_ASSERTION_CONSUMER_SERVICE_ENDPOINT Missing <saml:Issuer> in the SAML response as posted to the AssertionConsumerService. | Configure your IdP to release <saml:Issuer> |
1005 | MULTIPLE_ASSERTIONS_IN_RESPONSE More than one assertion in received response. | |
1006 | RESPONSE_STATUS_NOT_SUCCESS | Check the SAML Response, check the IdP logs to see what made it fail the SAML response. SAML response must be of status: Success for the login to succeed. |
1007 | RESPONSE_EMPTY_USER_ID SAML response contains empty user ID or no name ID in the SAML response subject. | Please add an IdP rule to release a nameId attribute. You can adjust the requested nameId format in the SAML request per your IdP's preference. |
1010 | Exception other | Look for the error message in the header and proceed accordingly. |
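The following Python script is an added example, not part of Kaltura's documentation or code. It decodes the SAMLResponse form field captured with a tracer and checks the response for the conditions behind error codes 1004 through 1007 from the table above, then applies the case-sensitive role mapping described under Verifying the Integration. It only inspects content; it does not validate the XML signature, which MediaSpace does. The attribute name eduPersonAffiliation, the role names adminRole and viewerRole, and the sample response are assumptions for the example.

```python
import base64
from xml.etree import ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def decode_saml_response(post_value):
    """Decode the base64 SAMLResponse form field captured with SAML Tracer or dev tools."""
    return base64.b64decode(post_value).decode("utf-8")

def check_saml_response(xml_text, role_attr, role_map, default_role):
    """Check the conditions behind error codes 1004-1007 plus role mapping.
    role_map maps attribute values (case sensitive) to MediaSpace roles."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:  # 1006: status must be Success
        problems.append("1006 RESPONSE_STATUS_NOT_SUCCESS")
    if root.find("saml:Issuer", NS) is None:  # 1004: <saml:Issuer> missing on the Response
        problems.append("1004 MISSING_ISSUER")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) > 1:  # 1005: MediaSpace expects a single assertion
        problems.append("1005 MULTIPLE_ASSERTIONS_IN_RESPONSE")
    if not assertions:
        return problems, None, None
    a = assertions[0]
    # 1007: the subject NameID becomes the MediaSpace userId; it must not be empty
    user_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not user_id:
        problems.append("1007 RESPONSE_EMPTY_USER_ID")
    attrs = {}  # released attributes: name -> list of values
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    if role_attr not in attrs:
        problems.append(f"role attribute {role_attr!r} not released")
    # Role mapping: exact, case-sensitive match, otherwise the module's default role
    role = next((role_map[v] for v in attrs.get(role_attr, []) if v in role_map), default_role)
    return problems, user_id or None, role

# Constructed sample (not from a real IdP): Success status, one assertion, NameID "jdoe",
# and eduPersonAffiliation released with the value "Staff" (assumed attribute name).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>https://idp.example.org</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
 <saml:AttributeStatement><saml:Attribute Name="eduPersonAffiliation">
 <saml:AttributeValue>Staff</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""
```

The parser is the standard-library one; when the response comes from a source you do not control, parse it with defusedxml instead.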