Troubleshooting SSO Issues

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

If you encounter an issue while configuring the SSO (SAML) integration, our Support team first needs the following information in order to understand the issue.

  • Screenshots of the SSO configurations
  • SAML request and response
  • A trace log

Once you have gathered this information, please submit a support request to support@invicti.com.

Take Screenshots of the SSO Configurations

Take a screenshot of the Single Sign-On window in Invicti Enterprise (available from the Settings menu), and another screenshot which shows the configuration on the IdP side.

Capture the SAML Request and Response in the Browser

Install one of these addons or extensions, then try logging in to Invicti again with SSO.

Save all the captured requests and responses.

Generate a Trace Log on the Invicti Enterprise WebApp

These are the steps required to generate a trace log.

Configure SAML Trace

Update your application’s web.config file to include a <system.diagnostics> section, as shown in the sample configuration below.

<system.diagnostics>
  <trace autoflush="true">
    <listeners>
      <add name="TextWriter"/>
    </listeners>
  </trace>
  <sources>
    <source name="ComponentSpace.SAML2" switchValue="Verbose">
      <listeners>
        <add name="TextWriter"/>
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="TextWriter"
         type="System.Diagnostics.TextWriterTraceListener"
         initializeData="c:\temp\logs\SAML\idp.log"/>
  </sharedListeners>
</system.diagnostics>

Create a Log Directory

Ensure that the directory (configured with the initializeData parameter above) where the log file will be written exists. In this example, the directory c:\temp\logs\SAML must exist in order for the idp.log file to be created. Any valid directory path may be specified.

Any log file name may be specified. However, conventionally, idp.log is used when the application is acting as an identity provider, whereas sp.log is used when the application is acting as a service provider.

Set File Permissions

The user account running the web application must have Write permission for the log directory. In the screenshot above, the IIS_IUSRS group has been given Write permission for the c:\temp\logs\SAML directory.

Alternatively, in a development environment, you may give the Everyone group Write permission for the directory. This should not be done in a production environment.

Confirm the SAML Trace is Enabled

If the SAML trace is correctly configured, the log file should contain entries similar to the example below. The first entry indicates the version and license type.

ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: ComponentSpace.SAML2, Version=2.5.0.12, Culture=neutral, PublicKeyToken=7c51d97b3a0a8ff9 (retail license).
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: Loading the SAML configuration file C:\Componentspace\Products\SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider\saml.config.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The local identity provider is urn:componentspace:ExampleIdentityProvider.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider urn:componentspace:ExampleServiceProvider has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider urn:componentspace:MvcExampleServiceProvider has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider http://adfs.test/adfs/services/trust has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider urn:federation:MicrosoftOnline has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider google.com has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider https://saml.salesforce.com has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The partner service provider https://sp.testshib.org/shibboleth-sp has been added.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: Loading the X.509 certificate from the file C:\Componentspace\Products\SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider\idp.pfx.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The X.509 certificate CN=www.idp.com has been loaded.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: Loading the X.509 certificate from the file C:\Componentspace\Products\SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider\sp.cer.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The X.509 certificate CN=www.sp.com has been loaded.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: Loading the X.509 certificate from the file C:\Componentspace\Products\SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider\sp.cer.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The X.509 certificate CN=www.sp.com has been loaded.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: SAML configuration changes in the directory C:\Componentspace\Products\SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider are being monitored.
ComponentSpace.SAML2 Verbose: 0 : 5:36:03 PM: The SAML configuration has been successfully loaded.
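
The directory, permission and confirmation steps above can be scripted. The following PowerShell is an added example, not part of the original Invicti or ComponentSpace documentation; it uses the log path from the sample configuration and assumes the web application runs under an identity in the IIS_IUSRS group (change $Identity if your application pool identity differs). Run it from an elevated prompt on the server hosting the web application.

```powershell
# Added example: prepare and verify the SAML trace log location.
$LogFile  = 'c:\temp\logs\SAML\idp.log'   # initializeData value from the sample web.config
$LogDir   = Split-Path -Parent $LogFile
$Identity = 'BUILTIN\IIS_IUSRS'           # assumption: identity that runs the web application

# 1. Create the log directory if it does not exist yet.
if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
}

# 2. Grant Write on the directory (inherited by files created in it)
#    to the application identity only.
$acl  = Get-Acl -LiteralPath $LogDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $LogDir -AclObject $acl

# 3. Report who can access the directory, and flag an Everyone entry,
#    which is acceptable only in a development environment.
$access = (Get-Acl -LiteralPath $LogDir).Access
$access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
$everyone = $access | Where-Object {
    $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow'
}
if ($everyone) {
    Write-Warning "Everyone has access to $LogDir; remove this entry outside development."
}

# 4. After reproducing the SSO login, confirm that the trace is being written.
#    The first ComponentSpace.SAML2 entry carries the version and license type.
if (Test-Path -LiteralPath $LogFile) {
    $first = Select-String -LiteralPath $LogFile -Pattern 'ComponentSpace\.SAML2 Verbose:' |
        Select-Object -First 1
    if ($first) {
        "Trace enabled. First entry: $($first.Line)"
    } else {
        Write-Warning "$LogFile exists but contains no ComponentSpace.SAML2 entries."
    }
} else {
    Write-Warning "$LogFile not found; check web.config and the directory permissions."
}
```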
