Troubleshooting SAML Authentications with the RSA Cloud Authentication Service as Identity Provider
Issue
- IDR-based SAML (SSO Portal)
- My Page SAML Application (Cloud-based SSO)
- Relying Party SAML
Tasks
General Troubleshooting Tips
Prior to engaging RSA, you can refer to the following resources for some troubleshooting tips and items to check, depending on the type of problem that is occurring:
- Troubleshooting Cloud Authentication Service User Issues includes tips for SecurID App Installation, Authenticator Registration, Applications, Authentication Methods and General issues.
- Troubleshooting Cloud Authentication Service Identity Source Synchronization
- Monitor Uptime Status for the Cloud Authentication Service
- Test Access to Cloud Authentication Service
- View Identity Router Status in the Cloud Administration Console
- Monitor User Events in the Cloud Administration Console to check for failure reasons in the event messages logged here for user authentications.
- SecurID® Integrations. Search this page for your application's vendor name to see if there is an RSA Ready Integration Guide that explains how to correctly configure SAML for your application.
Resolution
Troubleshooting Data to send to RSA
Always send RSA the Basic Information items listed below. Other items should also be sent if they may be relevant to the problem or if requested by RSA.
The time zone for all dates and times is a critical item, so that RSA can reliably correlate events end-to-end.
Basic Information
Reproduce the issue, or wait until it occurs. Send us the following data about the failed authentication:
1. User ID, date and time (with time zone) of an example of the problem.
2. For the specific authentication failure at step 1, also provide:
   - Screenshot(s) and/or video of the attempt. Make sure error messages and URLs are visible in the capture.
   - User Event Monitor events
   - Name and version of the application
   - Configuration details, e.g. which RSA feature (such as IDR-based SAML) is being used and which integration instructions were followed to configure both RSA and the application. Also provide screenshots of the RSA Cloud Administration Console and application SAML configuration pages.
User Event Monitor Events
From the User Event Monitor, capture screenshot(s) of all events for the user around the date and time of the authentication attempt. Make sure the full text of all relevant events is captured.
If all events do not fit into one screenshot, scroll to the bottom of the User Event Monitor page, set results per page to maximum, and then print the web page to a PDF file. Repeat for any additional pages.
If the relevant events are no longer available in the User Event Monitor, you can instead Download RSA SecurID Access Cloud User Event audit logs using Cloud Administration REST API CLU.
SAML Trace
A SAML trace can be captured using one of the following methods:
- How to capture web sessions using browser Developer Tools for troubleshooting purposes in all RSA products
- How to capture web sessions using Fiddler for troubleshooting purposes
1. Start tracing.
2. Reproduce the issue. Send us user ID, date and time (with time zone) of the attempt.
3. Stop tracing.
4. Save the trace to file and send us the trace file.
5. Send us the User Event Monitor events for the attempt at step 2 above.
6. Send us the time zone set for the machine or device where the SAML trace was captured.
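Before sending a trace, it helps to confirm that it actually contains the SAML messages for the failed attempt and that their timestamps line up with the User Event Monitor events. The following is an added example, not RSA code: it assumes the trace was saved from browser Developer Tools in HAR format with a URL-encoded `postData.text`, and the hosts, IDs, times and the `summarize` helper are constructed for illustration.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "{urn:oasis:names:tc:SAML:2.0:assertion}Issuer"

def decode_saml(value, deflated):
    # HTTP-Redirect binding: base64 + raw DEFLATE; HTTP-POST binding: base64 only.
    raw = base64.b64decode(value)
    return ET.fromstring(zlib.decompress(raw, -15) if deflated else raw)

def to_utc(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

def summarize(har, capture_offset_minutes):
    """One row per SAML message; times in UTC and in the capture machine's zone."""
    local = timezone(timedelta(minutes=capture_offset_minutes))
    rows = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        query = parse_qs(urlsplit(req["url"]).query)
        body = parse_qs(req.get("postData", {}).get("text", ""))
        for params, deflated in ((query, True), (body, False)):
            for value in params.get("SAMLRequest", []) + params.get("SAMLResponse", []):
                root = decode_saml(value, deflated)
                issued = to_utc(root.get("IssueInstant"))
                rows.append({"message": root.tag.split("}")[-1], "id": root.get("ID"),
                             "issuer": root.findtext(ISSUER),
                             "issued_utc": issued.isoformat(),
                             "issued_local": issued.astimezone(local).isoformat(),
                             "captured_utc": to_utc(entry["startedDateTime"]).isoformat()})
    return rows

def constructed_har():
    # Constructed sample: hypothetical hosts, IDs and times, not from a real tenant.
    ns = 'xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"'
    req = f'<p:AuthnRequest {ns} ID="_req1" IssueInstant="2024-03-05T14:02:11Z"><a:Issuer>https://sp.example.test</a:Issuer></p:AuthnRequest>'
    resp = f'<p:Response {ns} ID="_resp1" IssueInstant="2024-03-05T14:02:40Z"><a:Issuer>https://idp.example.test</a:Issuer></p:Response>'
    z = zlib.compressobj(wbits=-15)
    redirect = urlencode({"SAMLRequest": base64.b64encode(z.compress(req.encode()) + z.flush())})
    post = urlencode({"SAMLResponse": base64.b64encode(resp.encode())})
    return {"log": {"entries": [
        {"startedDateTime": "2024-03-05T09:02:12.480-05:00",
         "request": {"url": "https://idp.example.test/sso?" + redirect}},
        {"startedDateTime": "2024-03-05T09:02:41.015-05:00",
         "request": {"url": "https://sp.example.test/acs", "postData": {"text": post}}}]}}

if __name__ == "__main__": print(*summarize(constructed_har(), -300), sep="\n")
```

SAML `IssueInstant` values are in UTC, so the `issued_local` column is the one to compare against times read off screenshots taken on the capturing machine.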
Identity Router Log Bundles
Identity Router (IDR) logs are useful when troubleshooting IDR-based SAML authentications, or functions provided by an IDR, such as Authentication Manager connectivity or identity source lookups. Logs usually have to be gathered from all IDRs in the Cloud tenant, as it is not possible to predict which IDR will be used, or was used, for an authentication.
1. Set the Identity Router Logging Level to Debug on all IDRs.
2. Reproduce the issue. Send us user ID, date and time (with time zone) of the attempt.
3. Set the Identity Router Logging Level to Standard on all IDRs. Do not leave IDRs in debug mode for longer than necessary as it will cause logs to rotate more quickly and data will be lost sooner.
4. Generate and Download the Identity Router Log Bundle from all IDRs. This must be done from each IDR's setup.jsp pages and not from the Cloud Administration Console.
5. Send us User Event Monitor events for the attempt at step 2 above.
Application Logs
Most SAML applications will also produce their own event logs. Send any such logs to RSA as they may contain information that is useful to RSA's troubleshooting. If you cannot send the SAML application's log files themselves, send screenshots or "print to PDF" of relevant events in the logs, around the time of an authentication failure. Be sure to tell us the time zone of the dates and times in the application's logs.
Contact your application's support team if you are unsure where to find the application's logs.