Error 1:

Saml configuration error: saml assertion is not signed. please make the saml assertions are signed in your idp.


Error 2:

Saml configuration error: saml response is not signed. please make the saml response are signed in your idp..



Resolution Path:


The signing options in the Freshworks SAML app configuration should match the signing options selected in the IDP.

  • Log in to the Freshworks Organisation
  • Navigate to the Security page and then go to the configured SAML app
  • Check the signing options in the configured SAML app.




  • Note 1: The default signing option in Google IDP is Signed assertion.

    Hence make sure that the SAML app mentioned above is configured as Only Signed Assertions.
  • To have the response signed, select the checkbox in the SAML app in Google IDP as shown below.


Google Signing options.



Error 3:

Error while authenticating user: the assertion of the response is not encrypted and the sp requires it



Resolution Path:

  1. Log in to the Freshworks Organisation
  2. Navigate to the Security page and then go to the configured SAML app
  3. Disable Encrypted Assertions in the configured SAML app under Advanced Options.




Note: Google IDP doesn't have an encrypted assertions option (ref: https://cloud.google.com/architecture/identity/single-sign-on).


Error 4: app_not_configured_for_user


Resolution Path:


The metadata URL (entity URL) of the SP configured in the IDP is wrong. Make sure the correct value is configured in the SAML app in Google IDP.



Error 5: How can I set up SLO with Google IDP, as with OneLogin?


Resolution Path:

Google doesn't support SLO functionality.


Error 6: 

Saml configuration error: invalid issuer attribute in the saml response. expected issuer value: https://accounts.google.com/o/saml2?idpid=c04ksivtl



Resolution path:


The Issuer URL (Entity ID) configured in Freshworks Security → SAML app does not match the entity ID sent by the IDP in the SAML response.

Hence copy the valid Entity ID of the Freshworks SAML app from Google (as shown below) and paste it into the Issuer URL field of Freshworks Security → SAML app.



Error 7: {{UserEmail}}  cannot be logged in as this user is not part of this organization



Resolution path:

  1. As the error says, this user is not part of the org. Verify whether the user is already present within the same organisation.
  2. If the user is trying to log in via SSO and expects to be created as a requestor in the Freshservice account on first login, follow either of the approaches below.

  • Solution 1: For Just In Time (JIT) user creation, we need to specify the Freshservice account in which the user should be created. To do that, pass the account_id param in either the login call or the authorise call. Initiating login from the Freshservice portal passes the account_id param, and the user is created as a requestor as a JIT user.
  • Solution 2: For JIT user creation in the IDP-initiated flow: in the SAML app's Start URL field in Google IDP, provide the Freshservice domain login URL to perform an IDP-initiated login that creates users in the Freshservice portal. [As we currently do not support IDP-initiated login for JIT user creation, this is a workaround.]


Er:


Google's Freshdesk SAML app supports auto-provisioning


You can authorize, create, modify, or delete a user's identity in Google Workspace. Any changes are also reflected in Freshdesk.


Reference article: https://support.google.com/a/answer/7364833
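
To tell which of Errors 1, 2, 3 or 6 applies, it helps to look at what the IDP actually sent. The following Python script is an added example, not Freshworks or Google code: it takes the base64 SAMLResponse value captured from the browser's POST to the SP and reports whether the response and the assertion carry a signature, whether the assertion is encrypted, and whether the issuer matches. The sample response and the issuer value in it are constructed placeholders, and the function name is hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_saml_response(b64_response, expected_issuer):
    """Report signature presence, encryption and issuer.

    Presence only: this does not validate any signature (the SP does that).
    Assumes the HTTP-POST binding value, already URL-decoded.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None and assertion is not None:
        issuer = assertion.find("saml:Issuer", NS)
    value = issuer.text.strip() if issuer is not None and issuer.text else None
    return {
        # ds:Signature as a direct child of Response: signed response (Error 2)
        "response_signed": root.find("ds:Signature", NS) is not None,
        # ds:Signature as a direct child of Assertion: signed assertion (Error 1)
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        # EncryptedAssertion takes the place of Assertion when encrypted (Error 3)
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        # Must equal the Issuer URL configured in the SAML app (Error 6)
        "issuer": value,
        "issuer_matches": value == expected_issuer,
    }

# Constructed sample: assertion signed, response unsigned, not encrypted.
SAMPLE_ISSUER = "https://idp.example.com/saml2?idpid=PLACEHOLDER"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for key, val in inspect_saml_response(SAMPLE_B64, SAMPLE_ISSUER).items():
        print(f"{key}: {val}")
```

With this sample, an SP set to require a signed response would raise Error 2, while one set to Only Signed Assertions would accept it.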