
SAML SSO 201

  • Writer: Eva Vetter
  • Jul 4
  • 1 min read

Previously I had spoken about the basics of a certain flavor of SSO (Single Sign-On): SAML (Security Assertion Markup Language).


Today, I am diving a bit further and exploring the common errors that may be encountered while configuring this technology.


A common misconception is that the error is almost always due to a misconfiguration on the IdP (Identity Provider) or SP (Service Provider). That may well be the case, but it is important to remember that there are other items that should be checked as well.


I found an excellent reference from WorkOS which mentions some common pitfalls: https://workos.com/blog/decoding-and-solving-the-five-most-common-saml-errors


However, I wanted to talk about certificates, which are easily overlooked and missed when troubleshooting.


If the dreaded 500 Internal Server Error is encountered, the first thing to check is the SAML Signing Algorithm on the IdP. Typically there are two options: SHA-1 or SHA-256.


At a high level, SHA-256 is much more secure than SHA-1, but it also places stricter requirements on the signing certificate.


A quick troubleshooting step is to temporarily change the SAML Signing Algorithm to SHA-1 as a test. If sign-in then works, the problem is a certificate issue.


The good news is that Microsoft allows certificates to be converted and/or upgraded from the deprecated algorithm using the CertUtil command. However, this should always be tested extensively before it is used in a Production environment.
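Before flipping the IdP to SHA-1, it helps to confirm which hash algorithm the IdP is actually signing with. A SAML Response carries that information in its XML Digital Signature blocks, one on the Response and usually one on the embedded Assertion. The script below is an added example, not code from the original post or from any IdP vendor: it decodes the base64 SAMLResponse value as posted by the browser, reads the SignatureMethod and DigestMethod algorithm URIs from each signature, and flags any element still signed with SHA-1. The sample response, its IDs, issuer URL, signature values and certificate placeholder are all constructed for the demonstration.

```python
"""Audit which hash algorithms signed a SAML Response and its Assertion.

Added example: parses the XML Digital Signature blocks an IdP places in a
SAML Response and reports SHA-1 versus SHA-256 for each signed element.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# XML-DSig algorithm identifiers and the hash family each one uses.
SIGNATURE_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA-512",
}
DIGEST_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "SHA-512",
}


def decode_saml_response(saml_response_field: str) -> str:
    """Decode the base64 SAMLResponse form value from the HTTP-POST binding."""
    return base64.b64decode(saml_response_field).decode("utf-8")


def audit_saml_response(xml_text: str) -> list:
    """Return one finding per ds:Signature: which element it signs and the hashes used."""
    root = ET.fromstring(xml_text)
    findings = []
    # ElementTree has no parent pointers, so walk every element and look for
    # a ds:Signature among its direct children; that element is the signed one.
    for element in root.iter():
        for sig in element.findall("ds:Signature", NS):
            method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
            digest = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
            sig_uri = method.get("Algorithm", "") if method is not None else ""
            dig_uri = digest.get("Algorithm", "") if digest is not None else ""
            sig_hash = SIGNATURE_ALGORITHMS.get(sig_uri, "unknown")
            dig_hash = DIGEST_ALGORITHMS.get(dig_uri, "unknown")
            findings.append({
                "signed_element": element.tag.split("}")[-1],  # strip namespace
                "signature_hash": sig_hash,
                "digest_hash": dig_hash,
                "weak": sig_hash == "SHA-1" or dig_hash == "SHA-1",
            })
    return findings


def weak_signatures(xml_text: str) -> list:
    """Names of signed elements whose signature or digest still uses SHA-1."""
    return [f["signed_element"] for f in audit_saml_response(xml_text) if f["weak"]]


# Constructed sample (not a real IdP capture): the Response is signed with
# SHA-1 while the embedded Assertion is signed with SHA-256. IDs, the issuer
# URL, digest and signature values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2025-07-04T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-07-04T00:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""
# The same document as it would appear in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

if __name__ == "__main__":
    for finding in audit_saml_response(decode_saml_response(SAMPLE_RESPONSE_B64)):
        flag = "WEAK" if finding["weak"] else "ok"
        print(f"{finding['signed_element']:<10} signature={finding['signature_hash']} "
              f"digest={finding['digest_hash']} [{flag}]")
```

In practice, copy the SAMLResponse value from the browser's network tools (or a SAML tracer extension) and pass it to decode_saml_response. If the report already shows SHA-256 on every signed element and the SP still fails, the certificate itself is the next thing to inspect; if it shows SHA-1, the IdP setting is the mismatch, and no temporary downgrade of the production IdP is needed to learn that.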

© 2025 by Eva's Tangy Takes: A Portfolio Showcasing Product and Technology.