This article covers how to troubleshoot SSO (single sign-on) errors in MURAL. If you need further support, please contact the MURAL support team.
Testing errors
When testing your SSO, you may run into the following issue.
Empty values during SSO testing
Here’s how a successful SSO test result looks. You’ll see a green success message banner and the Email address, First name, and Last name fields will all have values:
Note: The highlighted fields must appear filled-in, not blank, to denote a successful test.
The green success message banner still appears even if the test is unsuccessful, but you can tell that the test was unsuccessful if the highlighted fields are blank:
Issue | How to fix it |
Sometimes during an SSO test, the test result appears with blank Email address, First name, and Last name fields. If these fields are blank, the attributes were likely mapped incorrectly and the SSO claim mapping on MURAL’s end doesn't align with your IdP (identity provider). | Contact the MURAL support team.
If you were already working with customer support on this, reply in the same thread with confirmation of how the attributes were mapped on your IdP side for the Email address, First name, and Last name fields. |
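To confirm what your IdP actually sent before replying to support, you can decode the SAMLResponse value from a SAML trace and list the attributes it carries. The following is an added example, not MURAL's own code; it assumes a base64 SAMLResponse from the HTTP-POST binding, and the attribute names in the sample (email, firstName, lastName) are constructed placeholders, not the names MURAL expects.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def inspect_saml_response(b64_response: str) -> dict:
    """Summarise what the IdP sent: NameID, attributes, blank attributes, encryption."""
    # Intended for traces captured from your own browser; parse untrusted XML
    # with a hardened parser such as defusedxml instead.
    root = ET.fromstring(base64.b64decode(b64_response))
    report = {"encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
              "name_id": None, "attributes": {}, "blank": []}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:          # encrypted or missing: nothing readable to list
        return report
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        report["name_id"] = (name_id.text or "").strip()
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        name = attr.get("Name")
        report["attributes"][name] = values
        if not any(values):        # no values, or only empty ones
            report["blank"].append(name)
    return report

# Constructed sample response (not a real trace); lastName is sent empty.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue/></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_B64))
```

An attribute listed under "blank", or one whose name differs from what was agreed for the mapping, is the detail to include in your reply to the support thread.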
Authentication errors
For most authentication errors, you’ll see the same standard error message of “Something went wrong.” To know which specific authentication error occurred, check the very end of your URL. This shows you which type of authentication error you’re dealing with.
Auth error
Issue | How to fix it |
Error message: “Something went wrong. It could be that the certificate has a bad format.”
Error URL: AUTH_ERROR
You may receive this error if your certificate isn’t formatted correctly or if you’ve encrypted your SAML response. | Check the sign-in certificate URL in the company dashboard to ensure that it is correctly formatted.
If the certificate isn’t formatted correctly: You can either contact the MURAL support team or use the X.509 formatting tool to format your certificate with a header. If you need to update the certificate, remove the existing certificate from your company dashboard and upload the new one.
If your SAML response is encrypted: We advise that you encrypt only the SAML assertion, specifically with RSA SecurID. |
Note: RSA SecurID is a two-factor, public-key encryption authentication technology developed by RSA Data Security. |
Failed to read asymmetric key
Issue | How to fix it |
Error message: “There was an error while trying to authenticate your request.”
Error URL: failed-to-read-asymmetric-key
This error usually occurs if the certificate wasn’t correctly formatted. The certificate was likely uploaded without the header or was formatted with spaces or breaks. | Reformat the certificate correctly and resend the certificate to the tech specialist you’re working with at MURAL.
We recommend the X.509 formatting tool for formatting. |
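The formatting problems named in the Auth error and Failed to read asymmetric key entries (missing header, stray spaces or line breaks) can be checked and repaired locally before you upload or resend a certificate. The following is an added example, not MURAL's tool or code; the function names are hypothetical and the sample data is a constructed DER envelope, not a real certificate.

```python
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def check_der_envelope(der: bytes) -> None:
    """Sanity check only: outer DER SEQUENCE whose length covers the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data is not a DER SEQUENCE, so not an X.509 certificate")
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long form: next (first & 0x7F) bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("truncated or indefinite DER length")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("DER length does not match data (truncated or padded)")

def normalize_certificate(raw: str) -> str:
    """Return `raw` as PEM: header, base64 body in 64-character lines, footer."""
    # Drop any existing BEGIN/END lines, then every space, tab and line break.
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", raw)
    body = re.sub(r"\s+", "", body)
    if not body:
        raise ValueError("no certificate data found")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    check_der_envelope(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"

# Constructed sample: a DER SEQUENCE envelope around filler bytes, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x2C]) + bytes(i % 256 for i in range(300))
_b64 = base64.b64encode(SAMPLE_DER).decode()
# The same data as it is often pasted: no header, broken up by spaces and line breaks.
SAMPLE_PASTED = " \n".join(_b64[i:i + 10] for i in range(0, len(_b64), 10))

if __name__ == "__main__":
    print(normalize_certificate(SAMPLE_PASTED))
```

A ValueError here means the pasted data was cut off or is not a certificate at all, which reformatting cannot fix; export the certificate from your IdP again.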
Invalid signature
Issue | How to fix it |
Error message: “There was an error while trying to authenticate your request.”
Error URL: invalid-signature | If you uploaded the certificate at any point without notifying the MURAL team, you must alert them of this change so they can update it on the MURAL side.
If you didn’t update the certificate, double-check that the sign-on URL information in your certificate matches what’s in your XML file. |
Invalid IdP
Issue | How to fix it |
{"error":"auth_failed" "message":"invalid-idp"}
This error message appears in plain text on the screen when you attempt an IdP-initiated login that hasn’t been set up correctly or is missing the relay state value. | If you’re missing a relay state value: Contact the MURAL support team. Ask support to generate your relay state value and send it back to you so you can add it to your IdP.
If the entity ID in your IdP is incorrect: In some cases, your entity ID may be saved under scim.mural.engineering or test.mural.co. If this is the case, you must update the sign-on URL to app.mural.co. |
Company mismatch
Issue | How to fix it |
Error message: “There was an error while trying to authenticate your request.”
Error URL: sso-company-mismatch
Your SSO source is most likely not the same as your company’s domain. | Contact the MURAL support team to update your SSO source.
In rare cases, this could be a bug and may need to be looked at by MURAL’s Engineering team. Report the issue to the tech specialist you’re working with at MURAL, and they’ll take it from there. |
Login errors
If you run into issues while logging into MURAL with SSO, here's how to fix them.
Missing content
Issue | How to fix it |
You log into MURAL using SSO, but the content isn’t there. You can see the menu and everything on the left, but the area that normally holds your murals and other content is completely blank.
You may not be logging into the correct account or workspace, or you may be using a link that no longer exists. | Make sure that you’re manually following this URL: app.mural.co/
Use app.mural.co/me/profile to show you the profile that you’re currently logged into so you can verify that you’re under the correct profile. |
Landing on “Choose company workspace” page
Issue | How to fix it |
You’re able to log into MURAL, but you’re landing on a “Choose company workspace” page.
This may be caused by incorrect information in your company’s IdP. The information in your MURAL user profile may be incorrect. Sometimes, the issue stems from an incorrect email address. | Check the information being sent by your IdP by checking all fields in the SSO section of your company dashboard and requesting a SAML trace. |
Stuck in a login loop
Issue | How to fix it |
You’re able to log into MURAL, but you’re stuck in a login loop.
This may be caused by incorrect information in your company’s IdP. The information in your MURAL user profile may be incorrect. Sometimes, the issue stems from an incorrect email address. | Check the information being sent by your IdP by checking all fields in the SSO section of your company dashboard and requesting a SAML trace. |
AD FS authentication error: Invalid NameID
Issue | How to fix it |
“The SAML request contained a NameIDPolicy that was not satisfied by the issued token.”
This AD FS (Active Directory Federation Services) authentication error occurs when a user tries to log into the live environment. | Contact the MURAL support team so they can check the transform rule in AD FS directly. The technical specialist handling your query will likely book a live call with you and may also request a SAML trace. |
Error messages found in your IdP
This section is for error messages found in your identity provider.
User isn’t assigned to a role for the application
Issue | How to fix it |
“Sorry, but we’re having trouble signing you in. The signed in user is not assigned to a role for the application.”
This occurs when the member isn’t assigned to the access group within your IdP. | Reach out to the IdP admin of your company. They’ll need to ensure that the member is within the correct access group. |
Reply URL in the request doesn’t match
Issue | How to fix it |
“Sorry, but we’re having trouble signing you in. The reply URL specified in the request does not match the reply URLs configured for the application.”
It’s possible that the URL doesn’t match the environment you’re in. For example, you might be using the ACS (Assertion Consumer Service) URL for test-environment testing rather than the one for production testing. | Check the ACS URL within the IdP configuration to ensure that you have the correct URL for the environment you’re in:
|
Note: The ACS URL is the endpoint to which the IdP redirects with its authentication response.