Testing and Troubleshooting SAML Authentication (1)

Pre-Requisites

Once the following steps are completed from the initial configuration, you're ready for testing: 

  • Provided metadata to Ready Education

  • Added Ready Education as a Service Provider 

  • Configured IDP to Release the Required Attributes

  • Have a Test User with the required attributes

  • Ready Education confirmed they've uploaded your metadata into their system

Testing in Browser

  1. Open the SSO URL provided by Ready Education (e.g. http://integration.oohlalamobile.com/saml/<schoolname>) in a browser. This link will be provided by your Activation Manager.

  2. Open your SAML inspector (right-click → "Inspect" → "SAML").

    Note: You will need to install the following extension for this: SAML Chrome Panel

  3. Login with your user account or a test user account.

SSO Verification Process

Step 1

If the test credentials are correct, you will see a page that looks like the one below:

Blank Payload Page

CONGRATULATIONS, you've passed Step 1! You're ready to skip ahead to Step 3: Verify Attribute Statement. 

 

Step 2: 500 Error Page

If the SSO configuration is incorrect, you will likely see a 500 server error page, like below.

ERROR: Review the SAML response and compare to common 500 errors.

 

Common 500 Errors

1. NameID

In the SAML response, there should be a line that contains NameID in the following format:

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">map9999</saml:NameID>

Issues:

  • No NameID line

  • Incorrect format (not set to persistent)

  • Incorrect position in the SAML response (the NameID element belongs inside saml:Subject, not in the Attribute Statement)


2. URLs

In the SAML response, the below URLs should be visible and in the correct format:

Destination URL (ACS)

Destination="https://integration.oohlalamobile.com/saml/readyU/assertion"

Recipient URL

Recipient="https://integration.oohlalamobile.com/saml/readyU/assertion"

Audience URL

<saml:Audience>https://integration.oohlalamobile.com/saml/readyU/metadata</saml:Audience>

Issues:

  • Lines do not match the above format

Usually these URLs will be automatically loaded from the metadata into the SSO instance, but they may need to be manually entered for some providers. See example below.

Example of URLs in OneLogin:

3. x509 Certificate

In the SAML response, the x509 certificate should match the certificate from the metadata file.

Issues:

  • x509 certificate does not match

Step 3: Verification of Matching Attributes

Compare the SAML Attribute Statement with the expected values for the Test User. Ready Education expects: 

Required: 

  • firstName 

  • lastName

  • emailAddress

Attribute names must match one of our accepted naming formats; the names listed above are accepted. For the other accepted names, refer to the metadata provided to you.

(Optional): If your Ready Education contract includes Student Information System (SIS) or Learning Management System (LMS) integrations, we also require these attributes to be released: 

  • sis_id 

  • lms_id

The accepted naming format for these two attributes is sis_id and lms_id.

Example SAML Response

The below SAML Response has all the required attributes and follows the accepted naming convention. This will successfully authenticate into the Ready App:

firstName:

    <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">Katherine</saml:AttributeValue>
    </saml:Attribute>

lastName:

    <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">Kangaroo</saml:AttributeValue>
    </saml:Attribute>

emailAddress:

    <saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">kkangaroo14@readyu.edu</saml:AttributeValue>
    </saml:Attribute>

sis_id (optional):

    <saml:Attribute Name="sis_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">0111111</saml:AttributeValue>
    </saml:Attribute>

lms_id (optional):

    <saml:Attribute Name="lms_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">kkangaroo14</saml:AttributeValue>
    </saml:Attribute>


Here is the full SAML Subject + Attribute Statement: 

<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://login.schoolname.edu/nidp/saml2/metadata"
        SPNameQualifier="https://integration.oohlalamobile.com/saml/schoolname/metadata">rHPubvSgJCyTodSE8KDahPqs3orwptGPyKHkOA==</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="ONELOGIN_339e62743fb901879631d019592d279c501f2a03"
            NotOnOrAfter="2020-03-26T20:35:49Z"
            Recipient="https://integration.oohlalamobile.com/saml/schoolname/assertion"/>
    </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-03-26T20:25:49Z" NotOnOrAfter="2020-03-26T20:35:49Z">
    <saml:AudienceRestriction>
        <saml:Audience>https://integration.oohlalamobile.com/saml/schoolname/metadata</saml:Audience>
    </saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-03-26T20:30:48Z"
    SessionIndex="idHoD4pcQ_VLFir28os8egurnMdhI">
    <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
    </saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
    <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">Katherine</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">Kangaroo</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">kkangaroo14@readyu.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="NameID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">kkangaroo14@academic.readyu.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FriendlyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">Katey Kangaroo</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="sis_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">0111111</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lms_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml:AttributeValue xsi:type="xs:string">kkangaroo14</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
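As an added example (not part of this article and not Ready Education's own tooling), the following Python script automates the checks from the Common 500 Errors section and from Step 3 against a decoded SAML Response: NameID present inside the Subject and in persistent format, Destination, Recipient and Audience equal to the SP endpoints, the certificate carried in the response equal to the one from the metadata file, and every required attribute present with a value. The sample response, the readyU endpoint values and the placeholder certificate are constructed for the demonstration; only the standard library is used.

```python
import base64
import xml.etree.ElementTree as ET

# XML namespaces used in a SAML 2.0 Response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = ("firstName", "lastName", "emailAddress")

# Service-provider endpoints for the readyU example used on the page
EXPECTED_ACS = "https://integration.oohlalamobile.com/saml/readyU/assertion"
EXPECTED_AUDIENCE = "https://integration.oohlalamobile.com/saml/readyU/metadata"

# Placeholder standing in for the base64 X509Certificate element of the IdP
# metadata file (constructed for this example, not a real certificate).
METADATA_CERT_B64 = base64.b64encode(b"PLACEHOLDER-IDP-CERT-DER-BYTES").decode()

# Constructed sample response modelled on the page's example (not captured traffic).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{EXPECTED_ACS}">
  <saml:Assertion>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {METADATA_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}">map9999</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Katherine</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Kangaroo</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="emailAddress"><saml:AttributeValue>kkangaroo14@readyu.edu</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# What the browser actually posts: the XML base64-encoded in the SAMLResponse form field
SAMPLE_POST_PARAM = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def decode_saml_response(form_value):
    """Decode the base64 SAMLResponse POST parameter into the XML the SAML panel displays."""
    return base64.b64decode(form_value).decode("utf-8")


def cert_der(cert_b64):
    """DER bytes of a base64 certificate; line wrapping and whitespace in the base64 are ignored."""
    return base64.b64decode("".join(cert_b64.split()))


def check_response(xml_text, expected_acs, expected_audience, metadata_cert_b64,
                   required_attrs=REQUIRED_ATTRS):
    """Run the page's troubleshooting checks; returns a list of findings (empty = all passed)."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. NameID: must exist inside saml:Subject and use the persistent format
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("NameID: missing from saml:Subject")
    elif name_id.get("Format") != PERSISTENT:
        findings.append(f"NameID: Format is {name_id.get('Format')!r}, expected persistent")

    # 2. URLs: Destination, Recipient and Audience must equal the SP endpoints exactly
    if root.get("Destination") != expected_acs:
        findings.append(f"Destination: {root.get('Destination')!r} != {expected_acs!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_acs:
        findings.append(f"Recipient: {recipient!r} != {expected_acs!r}")
    audiences = [(a.text or "").strip() for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Audience: {audiences!r} does not contain {expected_audience!r}")

    # 3. x509: the certificate carried in the response must be the metadata certificate
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        findings.append("X509Certificate: missing from response")
    elif cert_der(cert.text) != cert_der(metadata_cert_b64):
        findings.append("X509Certificate: does not match the metadata certificate")

    # 4. Attribute statement: every required attribute present with a non-empty value
    present = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        present[attr.get("Name")] = [v for v in values if v]
    for name in required_attrs:
        if not present.get(name):
            findings.append(f"Attribute: {name!r} missing or has no value")
    return findings


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE, EXPECTED_ACS, EXPECTED_AUDIENCE, METADATA_CERT_B64)
    for line in result or ["all checks passed"]:
        print(line)
```

To use it on a real test login, pass the decoded XML shown in the SAML panel (or the raw base64 SAMLResponse value through decode_saml_response) together with your school's two endpoint URLs and the X509Certificate text from the IdP metadata file. The certificate comparison is exactly the page's check and nothing more: it does not verify the XML signature, which the service provider's SAML library performs when it processes the response.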