Troubleshoot single sign-on issues

Having trouble configuring SSO? Follow the instructions below to gather information to help our support and engineering teams troubleshoot your issue.

Select when you are experiencing your issue with SSO:

• SSO configuration is not successful.
• The SP init auth flow doesn't redirect me to my IdP authentication page.
• The authentication flow won't grant me access to Abstract after successfully authenticating with my IdP.
• Other

SSO configuration is not successful

Before you activate activate your SSO configuration, test it using our verification feature.

Test your SSO configuration

To use our verification feature: 

1. Log into the Abstract web app, using your Admin credentials.
2. Select Permissions in the left side pane.
3. Fill out the Metadata URL and Entity ID fields. Make sure: 

• You follow our instructions for Okta, Azure AD, AFDS, and Google SAML.
• The Metadata URL is valid and available from the public internet.
• The Entity ID matches the one located in the XML Metadata.

4. In the Test Configuration section, click Test with my account.

If the configuration was successful, a confirmation screen appears with the message SSO Testing Successful. If the configuration isn't successful, reach out to us. 

The SP init auth flow doesn't redirect me to my IdP authentication page

If the SP init auth flow doesn't correctly redirect you to your IdP authentication page, send us the SAMLRequest to help troubleshoot your issue.

How to capture the SAMLRequest in the SP init auth flow

1. Open Google Chrome. 
2. Right-click the page and select Inspect. 
3. Select the Network tab.
4. Go to https://app.abstract.com/signin.
5. Enter your email address.
6. Click Continue.
7. In Network tab, select the sub-tab Other.
8. Select the request matching your IdP.
9. Under Headers > General > Request URL, copy the SAMLRequest parameter located in the URL.
10. Go to https://www.samltool.com/url.php. 
11. Paste the SAMLRequest parameter in the "URL Decode" field.
12. Click URL Decode Data.
13. Copy the data in the URL Decoded Data field.
14. Go to https://www.samltool.com/decode.php.
15. Paste the data in the Deflated and Encoded XML field. 
16. Click Decode and Inflate XML.
17. Select everything in the XML field. This is the SAMLRequest.
18. Send us an email including this SAMLRequest.

The authentication flow won't grant me access to Abstract after successfully authenticating with my IdP

If the the authentication flow does not grant you access to Abstract after successfully authenticating with your IdP, send us the SAMLResponse to help troubleshoot your issue.

Capture the SAMLResponse in the authentication flow

1. Open Google Chrome.
2. Sign in to your IdP via their website.
3. Right-click the page and select Inspect.
4. Select the Network tab.
5. In Network tab, select the sub-tab Other.
6. Attempt to enable SSO from Abstract by entering your URL and entity-id and clicking “test with my account.”
7. Select the response on the left matching the URL auth.goabstract.com/saml/response.
8. Under Headers > Form Data, copy the SAMLResponse parameter.
9. Go to https://www.samltool.com/decode.php.
10. Paste the SAMLResponse in the Deflated and Encoded XML field. 
11. Click Decode and Inflate XML.
12. Select everything in the Deflated XML field. This is the SAMLResponse.
13. Send us an email including this SAMLResponse.

Error: "Please verify the response includes a valid Assertion element"

If you get this error, you aren't using an account associated with your organizations single sign-on identity provider (SSO IdP), and you aren't on the manual exceptions list. Ask an admin to add you to the SSO IdP. If you cannot be added to the SSO IdP for some reason, ask whether it's appropriate to add you to the list of manual exceptions.

Other

If you’re still having issues with SAML single sign-on, please reach out to us.