Basic SAML Troubleshooting

When troubleshooting SAML configuration or login issues, be sure to enable DEBUG mode for the SAML module. DEBUG mode allows for additional logging and more detailed error messages to be captured in the zoomdata.log file (located in /opt/zoomdata/logs ) that is useful for troubleshooting purposes. To enable DEBUG mode, enter the following cURL command:

curl -u <admin>:<password> -X "POST" "http://<hostname>:<port>/zoomdata/actuator/loggers/" \
-H "Content-Type: application/json; charset=utf-8" -d $'{ "configuredLevel": "DEBUG" }'

Replace the <admin> and <password> with the credentials for the Zoomdata admin user. Similarly, please make sure that your URL contains the appropriate <hostname> (or IP address) and <port> of your Zoomdata environment. This should be similar to the hostname (or IP address) and port specified in your browser.

Commonly Reported Issues

Issue #1: Warning Message During IDP Redirection


User sees the following warning message during redirection to the IDP (Identity Provider):

HTTP Status 401 - Authentication Failed: Response issue time is either too old or with date in the future

Root Cause:

This error is likely being thrown as a result of mistiming between the Zoomdata server and IDP server.


Check that the NTP service is running on both machines. if not - start it and check that time is the same.

Issue #2: Connection Error


User is encountering an error connecting to SAML And notices the following error message in the Zoomdata log files:

2015-09-28 07:25:39,138 ERROR [o.s.s.s.u.SAMLUtil] Could not find any artifact resolution services in metadata.

2015-09-28 07:25:39,138 DEBUG [o.s.s.s.w.WebSSOProfileImpl] Could not decode artifact response message. Could not find any artifact resolution services in metadata.

Root Cause:

There is a missing artifact resolution service in the metadata, which is required by Zoomdata.


Add the following property string to the file (located in /etc/zoomdata directory):

Please restart Zoomdata after making this change.

Issue #3: Error Validating SAML Message on Zoomdata Home Page


After following the steps to configure SAML in Zoomdata and successfully connecting to the SAML IDP (e.g. ADFS) login page, the user may still encounter a "Error validating SAML message" error message on the Zoomdata home page after logging in via SAML.

When looking in the zoomdata.log/zoomdata-error.log files, the user might see the following error messages:

2015-09-28 13:19:13,336 ERROR [o.o.x.e.Decrypter] Error decrypting the encrypted data element Illegal key size
Caused by: Illegal key size

Root Cause:

Encryption better than AES-128 which is not allowed by the default cryptographic jurisdiction policy files that are shipped with the Java JDK.


To address this issue, download the appropriate JCE extension for unlimited strength encryption for your current Java version and install the unlimited strength policy files with the JDK that is shipped with Zoomdata. In order to install this JCE extension, you need to copy the two .jar files contained in the JCE downloaded archive to the /opt/zoomdata/jre/lib/security directory of your Zoomdata server and replace the existing limited JCE files in this location.

Make a backup of the original JCE files in case you need to restore these files for some reason. Keep in mind that during upgrade or installation, these files will be overwritten.

Afterward, try following the steps to configure SAML in Zoomdata again and this issue should no longer occur.

Issue #4: Error Validating SAML Message (continued)


User continues to encounter the "Error Validating SAML message" error after entering credentials through their ADFS login page. They also see the following error messages in the zoomdata.log file:

2015-09-29 09:05:08,796 INFO [o.s.s.s.l.SAMLDefaultLogger] AuthNResponse;FAILURE; NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration

2015-09-29 09:05:08,796 DEBUG [o.s.s.s.SAMLProcessingFilter] Authentication request failed: Error validating SAML message

Root Cause:

The attribute, specified in the "Username Mapping" of Zoomdata's SAML settings (under Security tab logged in as the Supervisor user), is not being sent by ADFS. In this example, the error message indicates that ADFS is not sending the "NameID" attribute.


Configure ADFS to add this attribute by following the below steps (we will continue to use "NameID" attribute in this example):

  1. Add NameID as a "Claim rule name".

  2. Choose "Active Directory" as the Attribute store.

  3. Choose "SAMAccount-Name" as the LDAP attribute and "Name ID" as "Outgoing claim type".

  4. Finish the wizard and confirm the claim rules window.

  5. Verify in the Zoomdata SAML settings, under Security tab when logged in as Supervisor, that this attribute (in this example, NameID) is specified correctly under the "Username Mapping" parameter.

In ADFS 3.0, you may need to configure this attribute (e.g. "NameID") as a "Pass Through claim"