Possible Errors :

Resolution Path :


Saml configuration error: saml assertion is not signed. please make the saml assertions are signed in your idp. / Saml configuration error: saml response is not signed. please make the saml response are signed in your idp


Solution : 

The signing options in the Freshworks SAML OneLogin (Using SAML) configuration must match the signing options selected in the IDP.

Steps : 

  1. Log in to the Freshworks Organisation.
  2. Navigate to the Security page and then go to the configured SAML app.
  3. Check the signing options in the configured SAML app.

    Note 1: The Freshworks SAML app in the OneLogin IDP supports only "Signed Response" by default. Hence, make sure that only "Signed Response" is selected in the Freshworks SAML app, as mentioned above.

    Note 2: If the Generic SAML app is selected in OneLogin, the signing options must match in both the Freshworks Security → OneLogin (Using SAML) app and the SAML app in OneLogin, as shown below.
    OneLogin signing options:



Error while authenticating user: the assertion of the response is not encrypted and the sp requires it


Solution :

  • If the Freshworks SAML app is selected in the OneLogin IDP, disable encrypted assertions in the Freshworks Security → OneLogin (Using SAML) app.

Steps :

  1. Log in to the Freshworks Organisation.
  2. Navigate to the Security page and then go to the configured SAML app.
  3. Disable Encrypted Assertions in the configured SAML app under Advanced Options.

Solution : 

If the Generic SAML app is selected in the OneLogin IDP, enable Encrypted Assertions in both Freshworks Security → OneLogin (Using SAML) and the SAML app in OneLogin, as shown in the screenshot below.
 



Saml configuration error: invalid audience attribute in the saml response. expected audience: null


Solution :

  • The Metadata URL (Entity ID/URL) of the SP configured in the IDP is wrong. Make sure the correct value is configured in the Freshworks SAML app inside the OneLogin IDP.




  • If the Generic SAML app is used in the OneLogin IDP, the Metadata URL should be updated in the Audience (EntityID) field, as shown below:


Saml configuration error: invalid issuer attribute in the saml response. expected issuer value:


Solution :
The Issuer URL (Entity ID) configured in Freshworks Security → OneLogin (Using SAML) does not match the Entity ID sent by the IDP in the SAML response.


  • Copy the valid Issuer URL (Entity ID) from the Freshworks SAML app in OneLogin (as shown below) and paste it into the Issuer URL field of the Freshworks Security → OneLogin (Using SAML) app.
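The signing, encryption, audience and issuer errors above all come from a mismatch between what the IDP sends and what the SP is configured to expect. The following added example (not Freshworks or OneLogin code) inspects a Base64-encoded SAMLResponse captured from the browser and lists the mismatches; the sample response, the URLs and the `EXPECTED` settings are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_saml_response(b64_response):
    """Report the signing/encryption options a captured SAMLResponse actually uses.
    Presence checks for troubleshooting only; this does NOT validate any signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None and assertion is not None:
        issuer = assertion.find("saml:Issuer", NS)
    signed_assertion = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": signed_assertion,
        # An encrypted assertion hides its own signature and audience from this check.
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "audiences": [a.text.strip() for a in root.iter("{%s}Audience" % NS["saml"]) if a.text],
    }

def compare(found, expected):
    """List every setting where the SP configuration and the response disagree."""
    problems = []
    for key in ("response_signed", "assertion_signed", "assertion_encrypted", "issuer"):
        if key in expected and found[key] != expected[key]:
            problems.append(f"{key}: SP expects {expected[key]!r}, response has {found[key]!r}")
    if "audience" in expected and expected["audience"] not in found["audiences"]:
        problems.append(f"audience: SP expects {expected['audience']!r}, "
                        f"response has {found['audiences']!r}")
    return problems

# Constructed sample (not captured traffic): signed Response, unsigned plain Assertion.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer><ds:Signature/>
 <saml:Assertion><saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.test/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>""")
# Constructed SP-side settings: the SP here also requires a signed assertion.
EXPECTED = {"response_signed": True, "assertion_signed": True, "assertion_encrypted": False,
            "issuer": "https://idp.example.test/metadata",
            "audience": "https://sp.example.test/metadata"}
```

Calling `compare(inspect_saml_response(SAMPLE), EXPECTED)` on the sample reports only the `assertion_signed` mismatch, which corresponds to the "saml assertion is not signed" error.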


We're Sorry, but something went wrong.


Solution :
This error occurs when Encrypted Assertions is enabled on the SP side but the public key details are not provided on the IDP side. Make sure the Public key field is not empty on the IDP side.



Error in Processing SAML Response.


Solution :


Verify whether Encrypted Assertions is enabled for Freshworks SSO OneLogin (using SAML).

  • If the Freshworks SAML app is being used at the OneLogin IDP, disable encrypted assertions in Freshworks SSO OneLogin (using SAML).
  • If the Generic SAML app is configured at the OneLogin IDP, make sure the public key is provided in the SAML app.

Steps :

  1. Download the Metadata from Freshworks SSO OneLogin (using SAML).
  2. tag value is public key.
  3. OneLogin supports a public key with header and footer, so create a new file with the extension .pem or .cer that includes the header and footer. Depending on the IDP, we either need to copy the public key value or upload the created file.

    example:

    -----BEGIN CERTIFICATE-----
    (Base64 public key value copied from the metadata)
    -----END CERTIFICATE-----

  4. Paste the above certificate into the Public key field inside OneLogin.
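The steps above can be scripted. This added example (not Freshworks or OneLogin code) assumes the downloaded file is standard SAML 2.0 metadata, where the certificate sits in a `ds:X509Certificate` element under a `KeyDescriptor`; the sample metadata and its certificate value are constructed placeholders, not a real certificate.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def metadata_cert_to_pem(metadata_xml, use="encryption"):
    """Return the SP certificate from SAML metadata as PEM text with header and footer."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(MD + "KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute applies to signing and encryption.
        if kd.get("use") not in (None, use):
            continue
        cert = kd.find(f".//{DS}X509Certificate")
        if cert is None or not cert.text:
            continue
        b64 = "".join(cert.text.split())            # metadata may wrap or indent the value
        der = base64.b64decode(b64, validate=True)  # reject non-Base64 content early
        body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    raise ValueError(f"no {use} certificate found in metadata")

# Constructed placeholder value; a real metadata file carries the SP's certificate here.
SAMPLE_B64 = base64.b64encode(b"constructed-not-a-real-certificate " * 4).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/metadata">
 <md:SPSSODescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>
   {SAMPLE_B64[:100]}
   {SAMPLE_B64[100:]}
  </ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(metadata_cert_to_pem(SAMPLE_METADATA), end="")
```

Write the returned text to a .pem or .cer file, or paste it into the Public key field, depending on what the IDP accepts.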



Whitelabel Error Page (In /SP IDP initiated Single logout: The Message of the Logout Requst is not signed and the SP requires it).


Steps :

  • If the Freshworks SAML app is being used at the OneLogin IDP, disable the Single Logout option in Freshworks SSO OneLogin (using SAML).
  • If the Generic SAML app is configured at the OneLogin IDP, make sure both Sign SLO Request and Sign SLO Response are enabled in the SAML app at the IDP end.



cannot be logged in as this user is not part of this organization


  1. As the error says, this user is not part of the Organization. Therefore, verify whether this user email is already present within the same organization or not.

  2. If the user is logging in with valid credentials from Azure and facing a login issue, then verify the user's presence in the Organisation within OneLogin (for contact).

  3. For agents, the same user email should be present as an agent inside Freshdesk as well.