--- title: "Troubleshooting SimpleSAML" date: "2022-02-24T18:55:26+00:00" summary: image: type: "article" url: "/acquia-cloud-platform/help/92471-troubleshooting-simplesaml" id: "c6bc23cd-9b7c-4bce-ae04-8b881f399938" --- Issue ----- SimpleSAML installation and usage can be tricky, and when set up incorrectly it can cause a number of problems. Resolution ---------- **_Note: This article is for the Drupal 7 module._** The first step in troubleshooting is to turn on debugging. Edit the `config.php` file and set `debug` to `TRUE` then set `logging.level` to `LOG_DEBUG`. The logs will be written to `/var/log/sites/[site].[env]/logs/[servername]/simplesamlphp-YYYYMMDD.log` The `php-errors.log` in the normal log location may be helpful too if there is a misconfiguration or typo in any of the config files that is causing a php error. Often, you can look in the kvstore table to figure out what SimpleSAMLphp has actually done with the request it’s parsed out, and that’s always stored in there. Be sure to check the SAMLSession cookie, because you’ll need it to check in the kvstore table. ### Working with Error Messages SAML can present a number of errors, with different causes and solutions. * **StatusCode - urn:oasis:names:tc:SAML:2.0:status:Requester** This usually means that there is a configuration problem on the SP’s part, but the IdP isn’t providing any more information as part of that request. Ask the IdP for their logs regarding the request so you can start to determine what is misconfigured. * **Missing Attributes** Sometimes, the IdP won’t send back the attributes required to identify the user. This is usually caused by a misconfiguration on the IdP side of things. Typically this will present itself as a 500 error a record in watchdog. The SAMLSession cookie will be present in an authenticated user’s session, which you can then use to go look up the session information in SimplesSAMLphp’s `kvstore` table. Once you deserialize it, you can go look to see if the attributes are in there. If not, you’ll need to discuss with the IdP to determine why they aren’t sending them. * **Attributes with a missing FriendlyName parameter** This could be the case when there are attributes coming, but they don’t have the `FriendlyName` parameter. You can determine this in the same way you'd figure out if another parameter was missing (see previous bullet.) To fix this, configure the Simplesamlphp\_Auth module’s configuration settings to be the absolute name of the parameter, which is a urn that should never change. * **Page caching breaks custom login flow** You can see this if you're using IdP initiated SSO, and expecting any page to pick up the SAML login flow. Basically, SimpleSAMLphp\_auth uses `hook_init` to do a lot of set up work (this needs to change), and if Drupal page cache is enabled it won’t work. * **The Certificate File could not be loaded** When you see an error like this, the configuration is usually in the wrong file, or the config variable is pointing to the wrong file. There is also the possibility that `redirect.sign` is not set and the IdP is expecting a signed request or it’s sending back a signed request.