docs - SAML troubleshooting (#19667)

e0af193a · Jeff Bruemmer · GitHub · 8a2d75ba · e0af193a · e0af193a
Unverified Commit e0af193a authored 3 years ago by Jeff Bruemmer Committed by GitHub 3 years ago
--- a/docs/enterprise-guide/saml-auth0.md
+++ b/docs/enterprise-guide/saml-auth0.md
@@ -65,3 +65,7 @@ Next, in the Auth0 Addon: SAML2 Web App popup, click on the **Usage** tab and th
 The "SAML Application Name" value can be left as the default (Metabase).

 Save your settings, then [enable SAML](authenticating-with-saml.md) in Metabase, and you should be good to go!
+
+## Troubleshooting
+
+For common issues, see our [SAML troubleshooting page][../troubleshooting-guide/saml.md).
--- a/docs/troubleshooting-guide/index.md
+++ b/docs/troubleshooting-guide/index.md
@@ -9,41 +9,32 @@ Problems, their causes, how to detect them, and how to fix them.
 ### Installation

 - [Running the Metabase JAR][running].
-
 - [Running Metabase on Docker][docker].
-
 - [Using or migrating from an H2 application database][appdb].

 ### Authentication

- [Setting up LDAP][ldap].
-
+- [LDAP][ldap].
+- [SAML][sam].
 - [People can't log in to Metabase][login].

 ### Permissions

 - [Fixing permissions issues][permissions].
-
 - [Managing data sandboxing][sandbox].

 ### Data Sources

 - [Connecting to data warehouses with Metabase][datawarehouse].
-
 - [I can't see my tables][cant-see-tables].
-
 - [Fixing missing or out-of-sync tables and columns][sync-fingerprint-scan].

 ### Questions and dashboards

 - [Saving questions or dashboards][proxies].
-
 - [My dashboard is slow][slow-dashboard].
-
 - [The dates and times in my questions and charts are wrong][incorrect-times].
-
 - [My dashboard filters don't work][filters].
-
 - [My dashboard's linked filters don't work][linked-filters].

 ### Email and alerts
@@ -107,6 +98,7 @@ Metabase adds new features and squashes bugs with each release. [Upgrading to th
 [running]: ./running.html
 [safari]: https://support.apple.com/guide/safari-developer/develop-menu-dev39df999c1/mac
 [server-logs]: ./server-logs.html
+[saml]: ./saml.md
 [sandbox]: ./sandboxing.html
 [slow-dashboard]: ./my-dashboard-is-slow.html
 [sync-fingerprint-scan]: ./sync-fingerprint-scan.html

--- a/docs/troubleshooting-guide/saml.md
+++ b/docs/troubleshooting-guide/saml.md
+# Troubleshooting SAML authentication setup
+
+{% include plans-blockquote.html feature="SAML authentication" %}
+
+Some common problems when setting up SAML.
+
+## Is the entity or issuer ID correct?
+
+After filling out the authentication form with your identity provider, you're taken back to Metabase but it throws an error. To see the error, go to **Admin settings** > **Troubleshooting** > **Logs**. You'll see an error that says something like **Incorrect response <issuer>**.
+
+**Root cause**: Your entity or issuer ID is incorrect.
+
+**Steps to take**:
+
+1. You should have received an XML file of metadata from your identity provider. Open that metadata file, and look for the correct issuer or entity ID. This ID is a unique identifier for the identity provider. Depending on your provider, this usually looks something like http://www.example.com/141xkex604w0Q5PN724v.
+2. Copy that ID.
+3. Go to **Admin settings** > **Settings** > **Authentication** > **SAML** and enter the issuer or entity ID into the **SAML Identity Provider Issuer** field in Metabase. 
+
+## Is the SAML identity provider certificate value correct?
+
+After filling out the authentication form with your identity provider, you go back to Metabase but it throws an error. Go to **Admin settings** > **Troubleshooting** > **Logs**. You'll see an error that says something like **Invalid assertion error <issuer>**. 
+
+**Root cause**: The certificate value you entered is incorrect.
+
+**Steps to take**:
+
+1. You should have received an XML file from your identity provider. Open that metadata file, and check to make sure the certificate you inputted is correct.
+2. Go to **Admin settings** > **Settings** > **Authentication** > **SAML**. Check that the certificate that you entered into the **SAML Identity Provider Certificate** field matches the certificate in the XML file you got from your identity provider. Depending on your provider, you might need to download this, open it in a text editor, then copy and paste the certificate's contents into the field.
+
+## Searching for private key and found a null
+
+This error will only occur if you're using **Signed SSO requests**. That is, in Metabase, you've filled out the fields in the configuration section in **Admin settings** > **Settings** > **Authentication** > **SAML** > **Signed SSO requests**. Those fields are:
+
+- **SAML Keystore Path**: the absolute path to the Keystore file to use for signing SAML requests.
+- **SAML Keystore Password**: the password for opening the keystore.
+- **SAML Keystore Alias**: the alias for the key that Metabase should use for signing SAML requests.
+
+**Root cause**: The certificate in the keystore file does not have a private key.
+
+**Steps to take**:
+
+1. Add a certificate with a private key to your keystore.