Authentication

Authentication

First authentication⁠

Once invited to the account, the federated user will receive an email with a link to authorize by SSO and federation ID.

1. In the email, click Enroll by SSO.
2. Enter the federation ID.
3. Optional: to avoid entering the federation ID each time you log in, check the Save federation checkbox.
4. Click Log in.
5. You will be redirected to the authorization page at the credential provider. After authorization, you will be returned to the control panel login page.
6. Enter full name.
7. Click Log in.

Authentication at each login⁠

1. From Control Panel on the login page, click Log in with SSO.
2. Enter the federation ID or select a saved federation. The federation ID can be seen in the invitation letter or requested from the User Administrator.
3. Optional: to avoid entering a new federation ID each time you log in, check the Save federation checkbox.
4. Click Log in. You will be redirected to the authorization page at the credential provider.
5. Authorize with the credentialing vendor.

Authentication errors⁠

If federation has not been configured correctly, errors may occur when authenticating a federated user. Error Groups:

• SAML001 — SAML099 — federation configuration errors on the Servercore side;
• SAML100 — SAML199 — validation errors on the credential provider side (SAML Response);
• SAML200 — SAML299 — other errors.

SAML request identifier. Possible causes:

• repeated authentication attempt within one request (SAML Response);
• the time allotted for user authentication has expired — after going to the authentication page, it took 10 minutes or more for the user to enter credentials.

is missing from the received SAML Response

SAML Response format. You can verify SAML Response using third-party utilities (e.g., Onelogin)

Error	Cause	Solution
SAML001 — SAML099 — configuration errors on Servercore side
SAML001: saml_idp_is_not_configured	SAML-compliant IdP has not been configured on the Servercore side	Check the federation configuration on the Servercore side
SAML002: saml_idp_certs_not_configured	The federation in Servercore does not have a certificate	Add a certificate issued from a credential provider for the federation
SAML100 — SAML199 — SAML Response validation errors
SAML100: saml_response_invalid_request_id		Invalid	Re-visit the authentication page from the Servercore control panel and authorize
SAML101: saml_response_invalid_destination	The Destination parameter in SAML Response is not set correctly	Set the correct URL for SAML Assertion Consumer Service on the credential provider side: in Keycloak — Valid Redirect URIs parameter, more details in the Configure federation on the Keycloak side instruction; in AD FS — parameter Relying party SAML 2.0 SSO service URL, more details in the instructions Configure Federation on the Active Directory Federation Services side.
SAML102: saml_response_invalid_in_response_to	SAML Response was created for an authentication request with a different identifier	Navigate to the authentication page from the Servercore control panel again and authorize yourself
SAML103: saml_response_invalid_issuer	When creating a fed eration in Servercore, the value of the IdP Issuer field is incorrect.	In the federation settings in Servercore, set the IdP Issuer field to the correct value.
SAML104: saml_response_invalid_signature	The signature of the received SAML Response is set incorrectly. Possible causes: credential provider returned an invalid SAML Response. You can check if the SAML Response is correct using third-party utilities (for example, Onelogin); an incorrect certificate has been added to the federation in Servercore	If SAML Response is incorrect: check the federation configuration on the credential provider side; In case of an incorrect certificate: add a correct certificate
SAML105: saml_response_subject_not_found	Subject section is missing in received SAML Response	Configure federation on the credential provider side so that the Subject section is included in the SAML Response
SAML106: saml_response_name_id_not_found	NameID	Configure federation on the credential provider side so that the NameID parameter is included in the SAML Response: in AD FS — conf igure Claims Mapping; Keycloak — no configuration required. Authenticate again later.
SAML107: saml_response_user_not_found	User does not exist in Servercore	Add federated user
SAML108: saml_response_invalid_assertion_xml		Invalid	Re-authentication; check the federation configuration on the credential provider side
SAML109: saml_response_invalid_assertion	Invalid	SAML Response	Check federation configuration on the credential provider side. You can check SAML Response using third-party utilities (e.g. Onelogin)
SAML200 — SAML299 — other errors
SAML200: saml_internal_error	Needs clarification	Create a supportticket
SAML201: saml_malformed_request	Invalid request parameters from credential provider to Servercore after authentication on the provider side	Check federation settings on the credential provider side