SimpleSAML installation and usage can be tricky, and when set up incorrectly it can cause a number of problems.
Note: This article is for the Drupal 7 module.
The first step in troubleshooting is to turn on debugging. Edit the config.php file and set debug to TRUE then set logging.level to LOG_DEBUG. The logs will be written to /var/log/sites/[site].[env]/logs/[servername]/simplesamlphp-YYYYMMDD.log
The php-errors.log in the normal log location may be helpful too if there is a misconfiguration or typo in any of the config files that is causing a php error.
Often, you can look in the kvstore table to figure out what SimpleSAMLphp has actually done with the request it’s parsed out, and that’s always stored in there. Be sure to check the SAMLSession cookie, because you’ll need it to check in the kvstore table.
SAML can present a number of errors, with different causes and solutions.
This usually means that there is a configuration problem on the SP’s part, but the IdP isn’t providing any more information as part of that request. Ask the IdP for their logs regarding the request so you can start to determine what is misconfigured.
Sometimes, the IdP won’t send back the attributes required to identify the user. This is usually caused by a misconfiguration on the IdP side of things. Typically this will present itself as a 500 error a record in watchdog.
The SAMLSession cookie will be present in an authenticated user’s session, which you can then use to go look up the session information in SimplesSAMLphp’s kvstore table. Once you deserialize it, you can go look to see if the attributes are in there. If not, you’ll need to discuss with the IdP to determine why they aren’t sending them.
This could be the case when there are attributes coming, but they don’t have the FriendlyName parameter. You can determine this in the same way you'd figure out if another parameter was missing (see previous bullet.) To fix this, configure the Simplesamlphp_Auth module’s configuration settings to be the absolute name of the parameter, which is a urn that should never change.
You can see this if you're using IdP initiated SSO, and expecting any page to pick up the SAML login flow. Basically, SimpleSAMLphp_auth uses hook_init to do a lot of set up work (this needs to change), and if Drupal page cache is enabled it won’t work.
When you see an error like this, the configuration is usually in the wrong file, or the config variable is pointing to the wrong file. There is also the possibility that redirect.sign is not set and the IdP is expecting a signed request or it’s sending back a signed request.
If this content did not answer your questions, try searching or contacting our support team for further assistance.
Wed Oct 22 2025 08:59:29 GMT+0000 (Coordinated Universal Time)