SAML Diagnostics

SAML logging is included with general CSM logging features and is configured using the Server Manager.

The following sections discuss how to test and troubleshoot SAML.

Troubleshoot SAML

When SAML is enabled and correctly configured, a web page opens as soon as the CSM Desktop Client or CSM Browser Client is opened. The web page indicates that a SAML authentication request has been sent to the identity provider (this might appear only very briefly), and then the identity provider’s login page is displayed.

If the web page does not open or other issues are experienced related to SAML, try the following suggestions.

  1. After SAML settings have been changed, it might take a while before the settings are reloaded into the Application Server. Ensure the latest settings are active by restarting the IIS Web Server and the Cherwell server (through the Cherwell Server Manager application). Also, clear the local browser cache.
  2. Verify that the selected identity provider ID type (email address or Windows login) matches the type of ID that the identity provider is configured to return.
  3. If settings were manually configured in the CSM Administrator for an identity provider (rather than by importing a metadata file), verify that the entity and SSO URLs exactly match what is specified by the identity provider. The URLs for some identity providers are case sensitive.
  4. Verify that the domains in the certificates match the domains of the identity provider and service provider URLs, that the certificates were issued by a recognized Certificate Authority, and that they have not expired.
  5. Recheck the SAML settings in CSM and the identity provider to ensure that they are correct and consistent.
  6. Ensure that the date and time are synchronized on the Cherwell and identity provider servers.

To access CSM clients without SAML authentication, select Cancel in the SAML window that is initially displayed. This skips the SAML authentication step and displays the login window (or whichever login option is configured next).

Test SAML With a Browser

You can run a simple test from a web browser and view the result of a SAML authentication without starting a client application by following the steps below.

To test SAML through a browser:

In the steps below, replace the example host name (saml.cherwell.com) with the actual server URL. Running this test is also an easy way to generate debug logs.

  1. Navigate to https://MyServer/Service/SAML/login.aspx. The browser redirects to the identity provider and prompts a login.
  2. Provide the User credentials.

    After the identity provider response has been processed, a page opens and displays the important information returned to the service provider, such as the result status codes, the user name ID, the session ID, and the authentication and assertion XML body.
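The browser test above shows the fields the service provider extracts from the identity provider's response, and the troubleshooting checklist earlier on this page lists the settings those fields must agree with (exact, case-sensitive entity IDs, the NameID type, and clock synchronization). The following script is an added example, not Cherwell's code, that pulls the same fields out of a SAML 2.0 Response and reports each checklist mismatch as a separate message. The sample response, the entity IDs and the `NAMEID_FORMATS` mapping of the CSM ID-type setting to a NameID format are constructed for the example; the script does not verify the XML signature, which a real service provider must do before trusting any of these values.

```python
"""Diagnose a SAML 2.0 Response against the settings a service provider expects.

Checks correspond to the troubleshooting checklist: status code, exact Issuer
match, Audience match, NameID format vs. the configured ID type, and the
assertion validity window against the local clock (with a skew allowance).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed mapping from the ID type selected in CSM to the NameID format the IdP
# should return; adjust to whatever your identity provider actually emits.
NAMEID_FORMATS = {
    "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "windows": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
}

# Constructed sample response (no signature) for demonstration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://csm.example.test/Service/SAML</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601 with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(response_xml):
    """Extract the fields the browser test page displays from a Response document."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    return {
        "status": status,
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_before": parse_saml_time(cond.get("NotBefore")),
        "not_on_or_after": parse_saml_time(cond.get("NotOnOrAfter")),
        "session_index": authn.get("SessionIndex") if authn is not None else None,
    }


def diagnose(response_xml, idp_entity_id, sp_entity_id, id_type,
             now=None, skew=timedelta(minutes=3)):
    """Return a list of human-readable problems; an empty list means every check passed."""
    s = summarize(response_xml)
    now = now or datetime.now(timezone.utc)
    problems = []
    if s["status"] != STATUS_SUCCESS:
        problems.append(f"identity provider returned status {s['status']}")
    # Exact comparison on purpose: entity IDs and URLs are case sensitive for some IdPs.
    if s["issuer"] != idp_entity_id:
        problems.append(f"issuer {s['issuer']!r} does not exactly match configured entity ID {idp_entity_id!r}")
    if s["audience"] != sp_entity_id:
        problems.append(f"audience {s['audience']!r} does not match service provider entity ID {sp_entity_id!r}")
    if s["name_id_format"] != NAMEID_FORMATS[id_type]:
        problems.append(f"NameID format {s['name_id_format']!r} does not match configured ID type {id_type!r}")
    # Validity window with a skew allowance; a failure here usually means clocks are not synchronized.
    if now + skew < s["not_before"]:
        problems.append("assertion is not yet valid (NotBefore in the future): check clock synchronization")
    if now - skew >= s["not_on_or_after"]:
        problems.append("assertion has expired (NotOnOrAfter passed): check clock synchronization")
    return problems


if __name__ == "__main__":
    for line in diagnose(SAMPLE_RESPONSE, "https://idp.example.test/metadata",
                         "https://csm.example.test/Service/SAML", "email",
                         now=parse_saml_time("2024-05-01T12:01:00Z")) or ["all checks passed"]:
        print(line)
```

To use it against a real response, paste the Response XML shown by the browser test into `diagnose()` together with the entity IDs configured in CSM Administrator; each message maps to one checklist item, so a clock-synchronization message points at step 6 and an issuer mismatch at step 3.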

Bypass SAML for Individual Users

If you also use a login method other than SAML (external, LDAP, Windows, or internal), you can bypass SAML authentication and log in using that method. For example:

  • For the Desktop Client, select Cancel on the SSO dialog after SAML authentication has begun; the next configured login method is then invoked.
  • For CSM Web Applications, use a special URL to bypass SAML authentication and display the standard login dialog, which also includes a link to initiate SAML authentication. Add CherwellLogin to the end of the URL normally used to access the technician or Portal site, such as:

    http://myserver/CherwellPortal/CherwellLogin

    or

    http://myserver/CherwellClient/CherwellLogin

If the CSM Portal site is configured to allow Anonymous access, select Click to Login to start SAML authentication. SAML authentication can also be started immediately by adding SamlLogin to the end of the URL (in the same way as CherwellLogin described above). To go directly to the login page, add CherwellLogin to the URL.

Bypass SAML for All Users

To bypass the initial SAML authentication for all users for either the Browser Client or CSM Portal, use the Command-Line Configure utility to pass the following command to Overwatch:

/updateportalsettings /defaultauthmode=CherwellLogin

This setting bypasses SAML authentication and forces the login dialog to be displayed instead. SAML authentication is available using the link provided on the login dialog.