Testing and Troubleshooting SAML Authentication
Pre-Requisites
Once the following steps from the initial configuration are complete, you're ready for testing:
Provided metadata to Ready Education
Added Ready Education as a Service Provider
Configured the IdP to release the required attributes
Have a Test User with the required attributes
Ready Education confirmed they've uploaded your metadata into their system
Testing in Browser
Open the SSO URL provided by Ready Education (e.g. http://integration.oohlalamobile.com/saml/<schoolname>) in a browser. This link will be provided by your Activation Manager.
Open your SAML inspector (right-click → "Inspect" → "SAML").
Note: You will need to install the following extension for this: SAML Chrome Panel
Log in with your user account or a test user account.
SSO Verification Process
Step 1
If the test credentials are correct, you will see a page that looks like the one below:
Blank Payload Page
CONGRATULATIONS, you've passed Step 1! You're ready to skip ahead to Step 3: Verify Attribute Statement.
Step 2: 500 Error Page
If the SSO configuration is incorrect, you will likely see a 500 server error page, like below.
ERROR: Review the SAML response and compare to common 500 errors.
Common 500 Errors
1. NameID
In the SAML response, there should be a line that contains NameID in the following format:
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">map9999</NameID>
Issues:
No NameID line
Incorrect format (not set to persistent)
Incorrect position in the SAML response
2. URLs
In the SAML response, the below URLs should be visible and in the correct format:
Destination URL (ACS)
Destination="https://integration.oohlalamobile.com/saml/readyU/assertion"
Recipient URL
Recipient="https://integration.oohlalamobile.com/saml/readyU/assertion"
Audience URL
https://integration.oohlalamobile.com/saml/readyU/metadata
Issues:
Lines do not match the above format
Usually these URLs will be automatically loaded from the metadata into the SSO instance, but they may need to be manually entered for some providers. See example below.
Example of URLs in OneLogin:
Login URL: https://integration.oohlalamobile.com/saml/schoolname
ACS URL: https://integration.oohlalamobile.com/saml/schoolname/assertion
SAML Audience: https://integration.oohlalamobile.com/saml/schoolname/metadata
SAML Recipient: https://integration.oohlalamobile.com/saml/schoolname/assertion
3. x509 Certificate
In the SAML response, the x509 certificate should match the certificate from the metadata file.
Issues:
x509 certificate does not match
Step 3: Verification of Matching Attributes
Compare the SAML Attribute Statement with the expected values for the Test User. Ready Education expects:
Required:
firstName
lastName
emailAddress
The attributes must match our accepted naming formats; the names above are accepted. For more options, refer to the metadata provided to you.
(Optional): If your Ready Education contract includes Student Information System (SIS) or Learning Management System (LMS) integrations, we also require these attributes to be released:
sis_id
lms_id
The accepted naming formats for these two attributes are: sis_id and lms_id.
Example SAML Response
The below SAML Response has all the required attributes and follows the accepted naming convention. This will successfully authenticate into the Ready App:
firstName:
      <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">Katherine</saml:AttributeValue>
      </saml:Attribute>
lastName:
      <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">Kangaroo</saml:AttributeValue>
      </saml:Attribute>
emailAddress:
      <saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">kkangaroo14@readyu.edu</saml:AttributeValue>
      </saml:Attribute>
sis_id (optional):
      <saml:Attribute Name="sis_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">0111111</saml:AttributeValue>
      </saml:Attribute>
lms_id (optional):
      <saml:Attribute Name="lms_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">kkangaroo14</saml:AttributeValue>
      </saml:Attribute>
Here is the full SAML Subject + Attribute Statement:
<saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://login.schoolname.edu/nidp/saml2/metadata"
        SPNameQualifier="https://integration.oohlalamobile.com/saml/schoolname/metadata">rHPubvSgJCyTodSE8KDahPqs3orwptGPyKHkOA==</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="ONELOGIN_339e62743fb901879631d019592d279c501f2a03"
        NotOnOrAfter="2020-03-26T20:35:49Z"
        Recipient="https://integration.oohlalamobile.com/saml/schoolname/assertion"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-03-26T20:25:49Z" NotOnOrAfter="2020-03-26T20:35:49Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://integration.oohlalamobile.com/saml/schoolname/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-03-26T20:30:48Z"
      SessionIndex="idHoD4pcQ_VLFir28os8egurnMdhI">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">Katherine</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">Kangaroo</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">kkangaroo14@readyu.edu</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="NameID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">kkangaroo14@academic.readyu.edu</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="FriendlyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">Katey Kangaroo</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sis_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">0111111</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="lms_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">kkangaroo14</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
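The checks from "Common 500 Errors" and Step 3 can be run mechanically against a decoded SAML response copied from the SAML inspector. This is an added example, not Ready Education's code: the function names, the constructed sample response and the placeholder certificate are assumptions, and it inspects fields only (it does not verify the XML signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED = ("firstName", "lastName", "emailAddress")
BASE = "https://integration.oohlalamobile.com/saml/schoolname"  # placeholder school
CERT = "PLACEHOLDERCERTBASE64=="  # constructed value, not a real certificate

def check_response(xml_text, base_url, metadata_cert):
    """Return the problems in a decoded SAML response (signature is NOT verified)."""
    root = ET.fromstring(xml_text)
    acs, audience = base_url + "/assertion", base_url + "/metadata"
    name_id = root.find(".//saml:Subject/saml:NameID", NS)  # must sit inside Subject
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    cert = root.find(".//ds:X509Certificate", NS)
    # Certificates are compared with whitespace removed, since line wrapping differs.
    cert_text = "".join((cert.text or "").split()) if cert is not None else None
    released = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    checks = [  # (passed, message reported when the check fails)
        (name_id is not None, "NameID missing from Subject"),
        (name_id is None or name_id.get("Format") == PERSISTENT, "NameID format is not persistent"),
        (root.get("Destination") == acs, "Destination does not match ACS URL"),
        (scd is not None and scd.get("Recipient") == acs, "Recipient does not match ACS URL"),
        (audience in audiences, "Audience does not match metadata URL"),
        (cert_text == "".join(metadata_cert.split()), "x509 certificate does not match metadata"),
    ]
    checks += [(n in released, "required attribute missing: " + n) for n in REQUIRED]
    return [message for passed, message in checks if not passed]

def sample(fmt=PERSISTENT, attrs=REQUIRED, recipient=BASE + "/assertion"):
    """Build a constructed, unsigned response carrying only the fields checked above."""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"/>' for n in attrs)
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Destination="{BASE}/assertion">
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT}</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:Assertion><saml:Subject><saml:NameID Format="{fmt}">map9999</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{recipient}"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{BASE}/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(sample(), BASE, CERT))
    print(check_response(sample(recipient=BASE, attrs=("firstName",)), BASE, CERT))
```

An attribute named NameID inside the Attribute Statement, as in the full sample above, does not satisfy the first check; only a NameID element inside the Subject does.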