Skip to main content

Troubleshooting SAML Authentication Errors

  • Updated

This article explains the causes and solutions for errors that may occur with SAML authentication in MagicPod. For basic SAML authentication setup, please refer to SAML Authentication Settings.

Table of Contents

  1. How to Check SAML Errors
  2. There is no AttributeStatement on the Response
  3. The Message of the Response is not signed and the SP require it
  4. The Assertion of the Response is not signed and the SP require it
  5. XXX is not a valid audience for this Response
  6. Invalid issuer in the Assertion/Response
  7. Recovery When Unable to Log In

1. How to Check SAML Errors

Organization administrators can check SAML authentication errors on the Members page. A warning icon (⚠) is displayed next to members with errors. Hovering over the icon shows the error details and the date/time of occurrence.

2. There is no AttributeStatement on the Response

  • Error message: There is no AttributeStatement on the Response
  • Cause: The SAML response returned by the IdP (Identity Provider) does not contain an AttributeStatement element in the Assertion. MagicPod requires an AttributeStatement.
  • Solution
    1. In your IdP's Attribute Mapping settings, verify that attributes are configured for the MagicPod application.
    2. Confirm that the target user has the required attribute values (such as email address) assigned on the IdP side.
  • IdP-specific signing settings

    • Microsoft Entra ID: In the Attributes & Claims section, click Add new claim to add the following attributes

      Name Namespace Source Source attribute
      email (Blank) Attribute user.mail

    • Okta: Under the Sign On tab, in the Attribute Statements section, add the following attributes

      Name Name format Value
      email Basic user.email
    • OneLogin: In the Parameters tab, set the NameID value field to Email.
      1. Click Add parameter (+ button).
      2. Enter email  in the Field name.
      3. Check Include in SAML assertion.
      4. Click Save.
      5. Click the created email parameter to open the edit screen.
      6. Select Email from the Value dropdown.
      7. Click Save.

3. The Message of the Response is not signed and the SP require it

  • Error message: The Message of the Response is not signed and the SP require it
  • Cause:  The SAML response (Message) returned by the IdP is not signed. MagicPod requires the response to be signed.
  • Solution: In your IdP's SAML application settings, ensure that the option to sign the SAML response is enabled.
  • IdP-specific signing settings
    • Microsoft Entra ID: Under "Certificate signing options", select "Sign SAML response and assertion".
    • Okta: Go to Application settings > SAML Settings > Show Advanced Settings and set the "Response" option to "Signed".
    • OneLogin: Go to Application settings > SSO and set "SAML Signature Element" to "Both".

4. The Assertion of the Response is not signed and the SP require it

  • Error message: The Assertion of the Response is not signed and the SP require it
  • Cause:  The Assertion (authentication information) within the SAML response returned by the IdP is not signed. MagicPod requires the Assertion to be signed.
  • Solution: In your IdP's SAML application settings, ensure that the option to sign the SAML assertion is enabled.
  • IdP-specific signing settings
    • Microsoft Entra ID: Under "Certificate signing options", select "Sign SAML response and assertion".
    • Okta: Go to Application settings > SAML Settings > Show Advanced Settings and set "Assertion Signature" to "Signed".
    • OneLogin: Go to Application settings > SSO and set "SAML Signature Element" to "Both".
  • Note: If both error 3 and error 4 occur, configure your IdP's signing option to sign both the response and the assertion.

5. XXX is not a valid audience for this Response

  • Error message: https://app.magicpod.com/accounts/saml/metadata/ is not a valid audience for this Response
  • Cause: The Audience URI (Entity ID) configured in the IdP does not match MagicPod's Entity ID.

  • Solution: In your IdP settings, verify that the Audience URI (Entity ID) exactly matches the following value:

    Field Value
    Entity ID (Audience URI) https://app.magicpod.com/accounts/saml/metadata/

    Important: Ensure an exact match including the trailing slash (/). Also check that no extra spaces or line breaks are included.

6. Invalid issuer in the Assertion/Response

  • Error message: Invalid issuer in the Assertion/Response
  • Cause: Incorrect IdP Entity ID configuration in MagicPod
  • Solution: Verify that the IdP Entity ID is correctly entered in Entity Id of Identity Provider field on the Organization Settings page.
     

7. Recovery When Unable to Log In

If you are unable to log in via SAML authentication, you can reset your password and log in again using your username and password.

Was this article helpful?
0 out of 0 found this helpful
If the problem persists, please contact us from here.
Contact
Return to top

Related articles