
Portal - SSO Login Failure

This guide covers SSO (Single Sign-On) login failures, which occur when users cannot authenticate through their identity provider (IdP) while attempting to access Privacera Portal. They can be caused by configuration issues, certificate problems, network connectivity issues, or IdP-specific problems.

1. Login Attempt Failed: Your account is currently disabled

Error Message: "Your account is currently disabled" (This error appears on the portal login screen)

Root Cause

The user account exists in Privacera Portal but has been deactivated or suspended by an administrator. This typically happens when:

  • An administrator manually disabled the user account
  • The account was automatically suspended due to security policies
  • The user's access permissions were revoked

Solution

Step 1: Check User Status

  • Access Privacera Portal as an administrator
  • Navigate to Settings → User Management
  • Look for the user account and check its status

Step 2: Reactivate User Account

  • Have an administrator reactivate the user account through Privacera Portal UI
  • Ensure the user has appropriate roles and permissions assigned

2. SAML Assertion Validation Errors - Username Attribute Missing

Error Message: "Either the UserID attribute or its value was not found in the SAML assertion." (This error appears on the portal login screen)

Root Cause

The SAML assertion from IdP doesn't contain the expected username attribute configured in Privacera Portal. This occurs when:

  • IdP is not sending the required username attribute in the SAML response
  • The attribute name in IdP doesn't match the configured attribute name in Privacera

Solution

Step 1: Verify Current SAML Configuration

Bash
# Check current configuration (run on jump server):
cd ~/privacera/privacera-manager

# Option 1: Check primary SAML configuration file
grep -i "SAML_.*_ATTRIBUTE" config/custom-vars/vars.portal.saml.aad.yml

# Option 2: Check alternative SAML configuration file if present
grep -i "SAML_.*_ATTRIBUTE" config/custom-vars/vars.portal.yml

Step 2: Update Configuration to Match IdP

YAML
# Configure these attributes to match your IdP
SAML_USERNAME_ATTRIBUTE: "UserId"      # Must match IdP username attribute
SAML_EMAIL_ATTRIBUTE: "Email"          # Must match IdP email attribute
SAML_FIRSTNAME_ATTRIBUTE: "FirstName"  # Must match IdP first name attribute
SAML_LASTNAME_ATTRIBUTE: "LastName"    # Must match IdP last name attribute

Step 3: Verify IdP Configuration

  • Ensure the IdP sends the correct username attribute in SAML assertion
  • Check that the attribute names match between IdP and Privacera configuration

3. Invalid Assertion: Audience or Assertion Values Not Valid

Error Message: "Invalid Assertion: either audience or assertion values is not valid" (This error appears on the portal login screen)

Root Cause

The SAML assertion audience restriction doesn't match the configured entity ID, or the assertion is expired/invalid. This happens when:

  • The Entity ID in Privacera Portal doesn't match the Service Provider Entity ID in IdP
  • The SAML assertion has expired
  • The audience restriction in the SAML assertion is incorrect

Solution

Step 1: Verify Current Entity ID Configuration

Bash
# Check current configuration (run on jump server):
cd ~/privacera/privacera-manager

# Option 1: Check primary SAML configuration file
grep -i "SAML_ENTITY_ID" config/custom-vars/vars.portal.saml.aad.yml

# Option 2: Check alternative SAML configuration file if present
grep -i "SAML_ENTITY_ID" config/custom-vars/vars.portal.yml

Step 2: Update Entity ID to Match IdP

YAML
# Configure Entity ID to match your IdP
SAML_ENTITY_ID: "privacera_portal"  # Must match IdP SP Entity ID

Step 3: Verify IdP System Settings

  • Check that the Service Provider Entity ID in your login system matches the Privacera Portal Entity ID
  • Verify your IdP system includes the correct audience value in SAML assertion

4. Invalid Signature - SSO Login

Error Message: "Invalid signature in SAML assertion" or "Signature validation failed" (This error appears on the portal login screen)

Root Cause

The SAML assertion signature from IdP cannot be validated. This occurs when:

  • IdP signing certificate has expired or changed
  • Certificate mismatch between IdP and Portal configuration
  • Clock skew between Portal and IdP systems

Solution

Step 1: Check Current Certificate

Bash
# Check current certificate (run on jump server):
cd ~/privacera/privacera-manager
cat config/custom-properties/privacera-portal-aad-saml.xml

Step 2: Update Certificate from IdP (if the certificate doesn't match)

Bash
# Back up the current metadata file, then download the updated metadata/certificate from the IdP
cd ~/privacera/privacera-manager/config/custom-properties/
cp privacera-portal-aad-saml.xml privacera-portal-aad-saml.xml.bak
wget -O idp-metadata.xml <idp_metadata_url>

# Replace the existing metadata file with the downloaded one
mv idp-metadata.xml privacera-portal-aad-saml.xml

Step 3: Additional Checks

  • Verify system time synchronization between Portal and IdP
  • Ensure certificate is in correct format
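The four failure modes in sections 2 to 4 (username attribute missing, audience mismatch, expired assertion, signing certificate mismatch) can all be reproduced offline against a decoded assertion before touching the Portal configuration. The script below is an added example written for this page, not Privacera code: the assertion, the two metadata documents, the config dictionary and the function names (check_assertion, run_demo) are all constructed for illustration, and the three-minute clock-skew tolerance is an assumed value rather than a Portal setting. The element and attribute names follow the SAML 2.0 schema.

```python
"""Offline SAML assertion checks for the failure modes in sections 2-4.
Added example, not Privacera code: assertion, metadata and config are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed Portal settings, using the keys shown in the YAML snippets above.
PORTAL_CONFIG = {
    "SAML_ENTITY_ID": "privacera_portal",
    "SAML_USERNAME_ATTRIBUTE": "UserId",
    "SAML_EMAIL_ATTRIBUTE": "Email",
    "SAML_FIRSTNAME_ATTRIBUTE": "FirstName",
    "SAML_LASTNAME_ATTRIBUTE": "LastName",
}
ATTRIBUTE_KEYS = [k for k in PORTAL_CONFIG if k.endswith("_ATTRIBUTE")]

# Constructed assertion: the IdP sends "userName" (not "UserId") and the audience
# "privacera-portal" (not "privacera_portal"), i.e. the mismatches behind sections 2 and 3.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBAAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>privacera-portal</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="userName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def metadata_with_cert(b64_cert):
    """Constructed IdP metadata in the role of privacera-portal-aad-saml.xml (certificate is a placeholder)."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{b64_cert}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""


STALE_METADATA = metadata_with_cert("MIIBBBBB")    # certificate the IdP no longer signs with
CURRENT_METADATA = metadata_with_cert("MIIBAAAA")  # certificate that matches the assertion


def _utc(stamp):
    """Parse the xsd:dateTime form SAML uses (second precision, 'Z' suffix)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_fingerprint(b64_der):
    """SHA-256 over the DER bytes; whitespace from pretty-printed XML is ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def check_assertion(assertion_xml, config, metadata_xml, now, skew=timedelta(minutes=3)):
    """Return a list of findings (empty list = passes). This compares certificate
    fingerprints only; it does not verify the XML signature or the certificate's expiry."""
    root = ET.fromstring(assertion_xml)
    findings = []

    # Section 2: every configured attribute name must appear in the AttributeStatement.
    sent = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    for key in ATTRIBUTE_KEYS:
        if config[key] not in sent:
            findings.append(f"{key}={config[key]!r} not in assertion; IdP sent {sorted(sent)}")

    # Section 3: SAML_ENTITY_ID must be one of the AudienceRestriction values ...
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS)]
    if config["SAML_ENTITY_ID"] not in audiences:
        findings.append(f"audience {audiences} does not include SAML_ENTITY_ID={config['SAML_ENTITY_ID']!r}")

    # ... and 'now' must fall inside the Conditions window, allowing for clock skew.
    cond = root.find("saml:Conditions", NS)
    if now + skew < _utc(cond.get("NotBefore")):
        findings.append("assertion not yet valid (NotBefore is in the future): check time sync")
    if now - skew >= _utc(cond.get("NotOnOrAfter")):
        findings.append("assertion expired (NotOnOrAfter has passed): check time sync or re-login")

    # Section 4: the presented signing certificate must match the one on file.
    presented = root.find(".//ds:X509Certificate", NS).text
    on_file = ET.fromstring(metadata_xml).find(".//ds:X509Certificate", NS).text
    if cert_fingerprint(presented) != cert_fingerprint(on_file):
        findings.append("signing certificate differs from privacera-portal-aad-saml.xml: refresh IdP metadata")
    return findings


def run_demo():
    """Diagnose the constructed assertion as-is, then again after the fixes the guide prescribes."""
    late = _utc("2024-01-01T12:10:00Z")  # five minutes after NotOnOrAfter
    broken = check_assertion(SAMPLE_ASSERTION, PORTAL_CONFIG, STALE_METADATA, late)
    fixed = dict(PORTAL_CONFIG, SAML_USERNAME_ATTRIBUTE="userName", SAML_ENTITY_ID="privacera-portal")
    healthy = check_assertion(SAMPLE_ASSERTION, fixed, CURRENT_METADATA, _utc("2024-01-01T12:01:00Z"))
    return broken, healthy


if __name__ == "__main__":
    before, after = run_demo()
    print("Findings before fixes:", *before, sep="\n  - ")
    print("Findings after fixes:", after or "none")
```

To use it on a real incident, paste the base64-decoded assertion captured from the browser into SAMPLE_ASSERTION and the contents of privacera-portal-aad-saml.xml into the metadata string; the findings map one-to-one onto the sections above. Certificate expiry is deliberately out of scope here: wrap the base64 value in PEM BEGIN/END CERTIFICATE lines and run `openssl x509 -noout -enddate` to check it.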

Escalation Checklist

If the issue cannot be resolved through the specific troubleshooting guides, escalate it to the appropriate team with the following details:

  • Timestamp of the error: Include the exact time the alert was triggered
  • Grafana dashboard and alert screenshots:
    • Grafana → Dashboards → Portal folder → Portal Dashboard
    • Grafana → Alerting → Alert rules → SSO Login Failure Alert
  • Portal Service Logs: Include any logs from the Portal client-side actions, or test steps that reproduce the issue

    Option 1: Download Log from Diagnostic Portal (Recommended)

    1. Open Diagnostic Portal and go to Dashboard → Services Tab
    2. Type "portal" in the service column input search box
    3. Click on the portal service to open its details page
    4. Find and click on a pod that shows "active" status
    5. Click the "Logs" tab on the pod details page
    6. Click "Download Logs" button to save the logs
    7. If you see multiple portal pods with "active" status, repeat steps 4-6 for each one

    Option 2: Manual Log Collection (If Diagnostic service is not enabled)

    Bash
    # Create log archive
    kubectl exec -it <POD> -n <NAMESPACE> -- bash -c "cd /opt/privacera/portal/logs/ && tar -czf portal-logs.tar.gz *.log"

    # Copy the fixed-name archive
    kubectl cp <POD>:/opt/privacera/portal/logs/portal-logs.tar.gz ./portal-logs.tar.gz -n <NAMESPACE>

    # Extract logs
    tar -xzf portal-logs.tar.gz
    
  • Current portal configuration details: Configuration settings and deployment information

  • Relevant user actions: Actions leading up to the error

For additional assistance, see How to Contact Support for detailed guidance on reaching out to the support team.