SAML Troubleshooting & Checklist
Use this list to quickly narrow down typical SAML failures. Compare what the logs show against the metadata on each side and fix the mismatches one at a time.
⏱️ Time Drift
If clocks are off, NotBefore/NotOnOrAfter checks fail and the response is treated as invalid even if the signature is fine.
Checks
- NTP is synced on both IdP and SP.
- Timezones are as expected.
- Inspect NotBefore / NotOnOrAfter values in logs.
🎯 Audience / ACS Mismatch
The response is addressed to a different SP (wrong Audience) or a different endpoint (wrong ACS), so the receiver rejects it as not intended for it.
Checks
- Audience matches the SP’s expected EntityID.
- AssertionConsumerService URL and Binding match metadata.
- No mix-up between staging and production URLs.
🔗 Binding / Deflate Issues
Different transport or compression expectations cause decoding/signature verification to fail.
Checks
- Redirect/POST/Artifact choices match on both sides.
- Deflate compression for Redirect is aligned.
- Signature requirements are consistent between IdP and SP.
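The time-drift, audience/ACS and Redirect-binding checks above, as an added Python example (not code from this page): it runs the Conditions, Audience and Destination checks with a clock-skew tolerance over a constructed sample response, and shows the raw-DEFLATE encoding the Redirect binding expects. The URLs and the 120-second skew are assumptions; signature verification is deliberately left out and must be done separately.

```python
import base64
import zlib
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not a real capture), reduced to the fields the checklist looks at.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.com/saml/acs">
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def saml_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-05-01T12:00:00Z (no fractional seconds here)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected_audience, expected_acs, now, skew_seconds=120):
    """Return checklist findings (empty list = passed). Signature verification is a separate step."""
    root = ET.fromstring(xml_text)
    findings = []
    dest = root.get("Destination")
    if dest != expected_acs:
        findings.append(f"ACS mismatch: Destination={dest}, expected {expected_acs}")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        return findings + ["no Conditions element"]
    skew = timedelta(seconds=skew_seconds)  # tolerated clock drift between IdP and SP
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < saml_time(nb):
        findings.append(f"time drift: NotBefore={nb} is still in the future")
    if noa and now - skew >= saml_time(noa):
        findings.append(f"time drift: NotOnOrAfter={noa} has already passed")
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"audience mismatch: {audiences}, expected {expected_audience}")
    return findings

def encode_redirect_message(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header/trailer), then base64."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

def decode_redirect_message(encoded):
    """Inverse of the above; wbits=-15 selects raw DEFLATE. Plain zlib.decompress() fails here with a header error."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode()
```

A failing decode in decode_redirect_message is what a "Deflate expansion error" in the logs usually corresponds to when one side sent zlib-wrapped or uncompressed data.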
🧯 HTTP 400 / 500 Errors
Malformed messages, signature issues, or wrong endpoints lead to requests being rejected with 4xx/5xx.
Checks
- Base64 decode/Deflate expansion errors in logs.
- Certificate expiration or mismatch errors.
- Requests sent to unexpected endpoints (typos).