Solved

SAML response missing required custom identifier.

  • 3 February 2024
  • 9 replies
  • 74 views

Badge +1

Hello,

I'm getting this error when trying to set up my ADFS as IDP “SAML response missing required custom identifier.”. I followed the step-by-step instructions from the support website on:

https://help.lucid.co/hc/en-us/articles/360049900431-Integrate-Lucid-SAML-SSO-with-Active-Directory-Federation-Services-ADFS

There seems to be some conflicting information between the instructions and what I receive in the metadata file that I imported into my ADFS. Is the above document up-to-date?

Best answer by Leianne C 9 February 2024, 07:44

Comments

Userlevel 4
Badge +14

Hi @ak-wisam, thank you for posting in the community! 

Some SAML implementations do not use the NameId field to identify a user. If this applies to your configuration, you will need to enter the attribute name of your organization's unique identifier in the ‘ID Attribute name’ field found in the ‘Advanced’ section of your SAML settings page; otherwise leave this field blank. If this is incorrect, users will not be able to log into their accounts. 

Would you mind confirming the above and let me know if you still experience the same issue? Feel free to let me know if you have any questions! 

Badge +1

Hello Leianne C,

Thank you for your help. Unfortunately, this does not resolve my issue; the text you sent me is exactly what's written in the advanced settings tab, which I've already seen.

As mentioned in my previous post, I diligently followed the step-by-step instructions from your website (Integrate Lucid SAML SSO with Active Directory Federation Services (ADFS)), resulting in a configuration that closely resembles what is provided on your support website. Could you kindly verify if these instructions remain current and up-to-date? If not, could you direct me to the correct set of instructions that I should follow?

After attempting the aforementioned steps without success, I proceeded to explore various alternative configurations in an effort to resolve the issue. Upon reviewing your meta-data service provider file, I noticed that you are requesting a specific format for attribute names.

<md:RequestedAttribute Name="User.LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
<md:RequestedAttribute Name="User.FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
<md:RequestedAttribute Name="User.email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />

Consequently, I adjusted the format accordingly, but unfortunately, this did not yield the desired results. Is there a log file available for me to consult, allowing me to pinpoint the exact issue with your service provider? Alternatively, could you provide a clear specification of the attributes and attribute names required for my claim?

Furthermore, on my ADFS the “ID Attribute name” is the standard name, in the format “NameID”.

Badge +1

What I need to know, specifically, is the attribute mapping. What are the "Attribute Names" that you require my IDP to send you in my "SAML:Response"? For example, to access Salesforce I need to send the following attributes to their SAML SP:

Badge +1

Hello Lucid Team,

I wanted to touch base regarding my previous email/post and our discussion from a couple of days ago about integrating Lucidchart Single Sign-On (SSO) with our current ADFS IdP. Could you please update me on any progress made or if this particular scenario is not compatible with your SAML SSO service as a provider?

Thank you for your attention to this matter.

Best Regards

Sys Admin

Userlevel 4
Badge +14

Hi @ak-wisam, thank you for following up, and sorry for the delay as I checked with our internal teams for additional insight!

I can see that you have also submitted a support ticket for this issue and it has been transferred to the correct team. Someone should reach out to you shortly to further assist.

In the meantime to help troubleshoot, could you please also try removing the ‘NameID’ that you’ve added to the ‘ID Attribute Name’ field in advanced - leaving this field blank? 

Regarding the attribute statement we are expecting, I would recommend checking this SAML Overview article for some additional information. 

Hope this helps! Please let me know if you see any changes after trying the above step, or if you have any additional questions. Thank you!

Badge +1

Hello Leianne,

Thank you for your assistance. Unfortunately, I haven't received a response to my second question from the support team. Therefore, I'm turning to community support in hopes of getting a quicker answer.

It appears that removing the "NameID" from the "ID Attribute Name" field in the advanced settings and leaving it blank resolved the issue. Interestingly, this field was pre-populated when I began the SAML configuration. For troubleshooting purposes, I later modified it by capitalizing some of the letters to align with the naming convention used by ADFS. But I'm glad the login and user provisioning are working now 👍🏼

I have a couple more questions: First, on the configuration page, there's a button linked to "Test SAML connection," but it always seems to return an error stating, "Invalid SAML response. Please try again. If the problem persists, contact support." Looking at the debug window from the web browser, I see a response from you (SP, the service provider) stating "<samlp:StatusCode Value='urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy' />." Do you, or someone you know, have any insight into why this error message appears even though it allows me to log in successfully?

Second, is it possible to control user access and assign roles based on the ADFS information provided (such as ROLE or GROUP membership), or do I need to manually update the user's role and group membership in Lucidchart after their initial login?

Lastly, I would like to specifically inquire about attribute mapping. Could you provide me with the names of the "Attributes" that you require or accept from my IDP to be included in my "SAML:Response"?

1- <md:RequestedAttribute Name="NameID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:emailAddress" /> 
2- <md:RequestedAttribute Name="User.FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
3- <md:RequestedAttribute Name="User.LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
4- <md:RequestedAttribute Name="User.email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" /> 

Thanks

-Wisam
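To make the symptom in this thread concrete, here is an added troubleshooting checker (example code written for this page, not Lucid's or ADFS's own logic). It models the behaviour described above as an assumption: with "ID Attribute name" blank the SP identifies the user by the assertion's NameID, and with it set the SP instead looks for a SAML Attribute of that name. The SP metadata and the IdP response below are constructed samples built from the RequestedAttribute names quoted in the earlier post and in this one; the entity ID and user values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed SP metadata fragment using the attribute names quoted in the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="sp.example">
 <md:SPSSODescriptor><md:AttributeConsumingService index="0">
  <md:RequestedAttribute Name="User.LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <md:RequestedAttribute Name="User.FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <md:RequestedAttribute Name="User.email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
 </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed, unsigned, illustrative assertion of the kind an ADFS IdP would issue.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.net</saml:NameID>
 </saml:Subject><saml:AttributeStatement>
  <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.email"><saml:AttributeValue>jdoe@example.net</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def requested_attributes(metadata_xml):
    """Attribute names the SP asks for in its metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Name") for e in root.iterfind(".//md:RequestedAttribute", NS)]

def check_response(metadata_xml, response_xml, id_attribute=None):
    """Return a list of problems; an empty list means the response would be accepted."""
    root = ET.fromstring(response_xml)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    problems = []
    if id_attribute:  # assumption: a configured custom identifier must arrive as an Attribute, not as NameID
        if not attrs.get(id_attribute):
            problems.append(f"SAML response missing required custom identifier '{id_attribute}'")
    elif root.find(".//saml:NameID", NS) is None:
        problems.append("SAML response has no NameID")
    for name in requested_attributes(metadata_xml):
        if not attrs.get(name):
            problems.append(f"missing requested attribute '{name}'")
    return problems

if __name__ == "__main__":
    print(check_response(SP_METADATA, SAML_RESPONSE, id_attribute="NameID"))  # the thread's misconfiguration
    print(check_response(SP_METADATA, SAML_RESPONSE))  # field left blank: accepted
```

Running it with "NameID" typed into the custom identifier field reproduces the thread's error because the IdP sends NameID as a Subject element, not as an Attribute; with the field blank the same response passes.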

Userlevel 4
Badge +14

Thank you for the update, @ak-wisam. I’m glad to hear that removing the "NameID" from the "ID Attribute Name" field in the advanced settings helped resolve the issue! 🙌

Regarding the "Invalid SAML response.” error you received, could you please try this in a private or incognito window and confirm if you are still seeing the same error? Would you mind also confirming if you are using encrypted assertions when trying this?

For the 2nd and 3rd questions, please bear with me as I confirm this with our team. I will share more information on this as soon as I am able to. 

Thanks in advance for your help and patience. Please let me know if you have any additional questions in the meantime! 

Badge +1

Thank you for your feedback, Leianne,

Unfortunately, it seems my initial assessment was too hasty. My initial confirmation yesterday of functionality was based on tests with my own account, which holds a "Team Admin" role. However, as of this morning, none of my team members have been able to log into their accounts using SSO. Interestingly, when trying to log in with a brand new account that wasn't previously registered on LucidChart, the account was successfully created in LucidChart. Despite this, the user received a SAML error message and was not able to complete the login process. For troubleshooting, I elevated the user's role to "Team admin," which then allowed the user to log in successfully. Could you shed some light on why SSO login seems to be limited to admin accounts?

Additionally, we're facing a separate issue with the account of my colleague, who is the "Account Owner." He is also unable to log in via SSO. This problem seems to stem from his registered email address and user ID being initially set up as @xxxxx.com instead of @xxxxx.net, which conflicts with the SSO Name ID attributes being sent as .net. Unfortunately, our attempts to change the email address have been unsuccessful. Despite following various methods and receiving a prompt that the settings have been accepted, the email address remains unchanged. After clicking submit, there is no further action or confirmation, and the email update does not take effect.

Best regards, Wisam 

Userlevel 4
Badge +14

Hi @ak-wisam! It looks like someone from our Implementation team has received your request and should reach out to you shortly to assist with your questions and ADFS configuration. Please refer to that email for further correspondence.

Please don’t hesitate to let us know if there is anything else we can do to assist. Cheers!

Reply