Symptoms
A user fails to log in with SAML and the error "Logon using SAML failed. Error: Failed to match AD User. (0X00000006)" is thrown. The log shows:
[E 72/00000006/T0340/P04C8] 26-03-20 11:41:51 - SAML - User:'aaa@xxx.yyy.zzz' - Failed to find AD user for aaa@xxx.yyy.zzz
[E 0E/0000002C/T0340/P04C8] 26-03-20 11:41:51 - SAML: Failed to Identify User from Assertion
[T 00/00000000/T0340/P04C8] 26-03-20 11:41:51 - Error Msg: Logon using SAML failed. Error: Failed to match AD User. (0X00000006)
Cause
An incorrect SAML attribute name is configured in the RAS settings (it does not match the attribute the IdP sends).
Resolution
Check which attributes are actually sent in the IdP response:
- Directly in the browser: https://confluence.atlassian.com/jirakb/how-to-view-saml-responses-in-your-browser-for-troubleshooting-872129244.html
- Or from the L5 controller.log (only for unencrypted assertions): find the record starting with
NEWAUTH_XML_PACKET RECEIVED 5. <?xml version="1.0" encoding="UTF-8"?><RootXML xmlns:dt="urn:schemas-microsoft-com:datatypes"><Prov><Type xml:space="preserve" dt:dt="string">SAML</Type><Method><Name xml:space="preserve" dt:dt="string">SAML</Name><Data><SAMLIdPUser xml:space="preserve" dt:dt="string">
Copy the text inside the SAMLAssertion tag into an online Base64 decoder, decode it and look for the Attribute tags; they look like this:
<Attribute Name="givenname"><AttributeValue>aaa</AttributeValue></Attribute>
<Attribute Name="surname"><AttributeValue>bbb</AttributeValue></Attribute>
<Attribute Name="name"><AttributeValue>aaa@xxx.yyy.zzz</AttributeValue></Attribute>
Identify the correct attribute name (name in this particular case) and set the SAML Attribute name in RAS to match it.
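The decode-and-compare step above, as an added Python example (not Parallels' code): it decodes the Base64 text of the SAMLAssertion tag, lists every Attribute name the IdP sent, and reports whether the name configured in RAS is among them. The assertion is a constructed sample that reuses the attribute names shown in the article; the function names are this example's own.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not a real IdP response); the attribute
# names mirror those shown in the article.
SAMPLE_ASSERTION_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Assertion xmlns="{SAML_NS}" ID="_example" Version="2.0">
  <AttributeStatement>
    <Attribute Name="givenname"><AttributeValue>aaa</AttributeValue></Attribute>
    <Attribute Name="surname"><AttributeValue>bbb</AttributeValue></Attribute>
    <Attribute Name="name"><AttributeValue>aaa@xxx.yyy.zzz</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION_XML.encode()).decode()

def decode_assertion(b64_text: str) -> str:
    """Decode the Base64 text of the SAMLAssertion tag (tolerates line breaks and stripped padding)."""
    cleaned = "".join(b64_text.split())
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("utf-8")

def list_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} for every Attribute element,
    whether it is namespaced (saml2:Attribute) or unqualified as in the article."""
    root = ET.fromstring(assertion_xml.encode("utf-8"))
    attrs = {}
    for elem in root.iter():
        if elem.tag in ("Attribute", f"{{{SAML_NS}}}Attribute"):
            values = [v.text or "" for v in elem if v.tag.endswith("AttributeValue")]
            attrs[elem.get("Name")] = values
    return attrs

def check_ras_attribute(assertion_xml: str, configured_name: str):
    """True plus the values if the name configured in RAS is present in the assertion,
    else False plus the names the IdP actually sent (the candidates to configure)."""
    attrs = list_attributes(assertion_xml)
    if configured_name in attrs:
        return True, attrs[configured_name]
    return False, sorted(attrs)

if __name__ == "__main__":
    xml_text = decode_assertion(SAMPLE_ASSERTION_B64)
    print(check_ras_attribute(xml_text, "emailaddress"))  # wrong name configured in RAS
    print(check_ras_attribute(xml_text, "name"))          # the name the IdP sends
```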