Topic
Error messages seen after user login:
- "Error Code 300: The mapping for your IdP SAML attributes is incorrect. Check the IdP configuration for the account {{email}} and ensure that both "Given Name" and "Surname" are provided."
- "Error Code 305: The mapping for your IdP SAML emailAddress attribute is incorrect. Check your IdP configuration."
Instructions
How to check
- Reproduce the issue and capture HAR logs as per this video https://www.youtube.com/watch?v=jD03MjzZL6U
- Load up the captured HAR file in a HAR analyzer.
- Set the view to show `All Entries` and look for a network request that is a `POST` HTTP operation to a `../SAML` endpoint.
- Under the request `Post Data` look for the `SAMLResponse` post field.
- Copy the full SAMLResponse and decode it using a tool like https://www.samltool.com/decode.php
- Copy the deflated XML and lint/format it for better readability.
- Look for the `<AttributeStatement>` section. It will look something like this:
```
<AttributeStatement>
  ...
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname/">
    <AttributeValue>User LastName</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname/">
    <AttributeValue>User FirstName</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress/">
    <AttributeValue>User Email address</AttributeValue>
  </Attribute>
</AttributeStatement>
```
- What needs to be checked:
  - Make sure the `Name` attribute of each `<Attribute>` element contains the correct mapping for the 3 properties NAC expects:
  - Make sure the `<AttributeValue>` element contains the values sent over from the customer's IdP.
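The same check can be run locally on the captured HAR, which keeps the assertion out of third-party decoders. This is an added example, not part of the original article or the product's tooling; it assumes an unencrypted POST-binding response (Base64 only), the `EXPECTED` names are copied from the sample above and should be replaced with the mapping your SP documents, and `SAMPLE_XML` / `SAMPLE_HAR` are constructed data.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Assumption: names copied from the sample on this page; use your SP's documented mapping.
EXPECTED = (CLAIMS + "givenname/", CLAIMS + "surname/", CLAIMS + "emailaddress/")

def saml_responses(har):
    """Yield the SAMLResponse form field of every POST request in a parsed HAR."""
    for entry in har["log"]["entries"]:
        req = entry["request"]
        post = req.get("postData", {})
        fields = {p["name"]: p.get("value", "") for p in post.get("params", [])}
        if "SAMLResponse" not in fields:  # some exporters only keep the raw body
            fields = {k: v[0] for k, v in urllib.parse.parse_qs(post.get("text", "")).items()}
        if req["method"] == "POST" and "SAMLResponse" in fields:
            yield urllib.parse.unquote(fields["SAMLResponse"])  # no-op if already decoded

def attributes(saml_b64):
    """Base64-decode a POST-binding SAMLResponse and return {Name: [values]}."""
    xml = base64.b64decode(saml_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:  # never expand entities from a capture
        raise ValueError("SAML response contains a DTD; refusing to parse")
    root = ET.fromstring(xml)
    return {a.get("Name"): [(v.text or "").strip() for v in a.iter(f"{{{NS}}}AttributeValue")]
            for a in root.iter(f"{{{NS}}}Attribute")}

def mapping_problems(attrs, expected=EXPECTED):
    """Return one message per expected attribute that is missing or has no value."""
    problems = []
    for name in expected:
        if name not in attrs:
            problems.append(f"missing: {name}")
        elif not any(attrs[name]):
            problems.append(f"empty value: {name}")
    return problems

# Constructed sample: given name present, surname absent, e-mail value empty.
SAMPLE_XML = (
    f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{NS}">'
    '<saml:Assertion><saml:AttributeStatement>'
    f'<saml:Attribute Name="{CLAIMS}givenname/"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>'
    f'<saml:Attribute Name="{CLAIMS}emailaddress/"><saml:AttributeValue/></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE_HAR = {"log": {"entries": [{"request": {
    "method": "POST", "url": "https://sp.example.test/SAML",
    "postData": {"params": [{"name": "SAMLResponse", "value": urllib.parse.quote(
        base64.b64encode(SAMPLE_XML.encode()).decode(), safe="")}]}}}]}}

if __name__ == "__main__":
    for raw in saml_responses(SAMPLE_HAR):
        print(mapping_problems(attributes(raw)) or "attribute mapping looks complete")
```

For a real capture, load the file with `json.load()` and pass the result to `saml_responses()` in place of `SAMPLE_HAR`. The comparison is an exact string match on `Name`, so a differing trailing slash or letter case is reported as a missing attribute.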
