Possible errors:




Resolution Path:


1. Error: Saml configuration error: saml assertion is not signed. please make the saml assertions are signed in your idp

2. Error: Saml configuration error: saml response is not signed. please make the saml response are signed in your idp.


Solution:


  • By default, Signed assertions and Signed Response are set in Freshworks → Security → Okta (using SAML). The Freshworks app in Okta is also set to Signed assertions and Signed Response by default. Make sure the SP signing options are set to Signed assertions and Signed Response.
  • If a generic SAML app from the Okta IDP is being used to set up SSO, make sure Signed assertions and Signed Response are selected in the Okta SAML app.

In Okta IDP, Signing options configurations



3. Error while authenticating user: the assertion of the response is not encrypted and the sp requires it



Solution:

  • If the Freshworks SAML app is selected in the Okta IDP, disable encrypted assertions in Freshworks Security → Okta (using SAML).


  • If a generic SAML app is selected in the Okta IDP, enable encrypted assertions both in Freshworks Security → Okta (using SAML) and in the SAML app in Okta, as mentioned in the screenshot below.



4. Saml configuration error: invalid audience attribute in the saml response. expected audience: null



Solution:


  • Using a generic SAML app in Okta with an invalid Entity ID causes this issue. Provide a valid Entity ID (copied from the SP SAML entity ID field) in Okta's SAML app.
  • If Okta (using SAML) is used on the Freshworks Security page, the entity ID will be https://{{orgDomain}}/sp/saml/{customer_Id}/metadata.



5. Saml configuration error: invalid issuer attribute in the saml response. expected issuer value:



Solution:

  • The Issuer URL (Entity ID) configured in Freshworks Security → Okta (using SAML) does not match the entity ID sent by the IDP in the SAML response.
  • Copy the valid Entity ID from Okta's Freshworks SAML app → Sign On → View Setup Instructions → Entity ID provided by the IdP, and paste it into the Entity ID provided by the IdP field in Freshworks Security → Okta (using SAML).



6. We're Sorry,but something went wrong.


This error occurs when encrypted assertions are enabled on the SP side and the public key details are not provided on the IDP side.



Solution: Make sure the public key field is not empty.


7. Error in Processing SAML Response.


Verify whether encrypted assertions are enabled in Freshworks → Security → Okta (using SAML).

  • At the Okta IDP, if the Freshworks SAML app is being used, disable encrypted assertions in Freshworks SSO Okta (using SAML).
  • At the Okta IDP, if a generic SAML app is configured, make sure the public key is uploaded in the SAML app.

Steps:

1. Download metadata from Freshworks SSO Okta (using SAML).

2. tag value is public key.

3. Okta supports a public key with a header and footer, so create a new file with the extension .pem or .cer that includes the header and footer.

Example:


-----BEGIN CERTIFICATE-----

(base64-encoded certificate value copied from the metadata)

-----END CERTIFICATE-----


4. Perform the following actions in the IDP.

  • General Settings → Show Advanced Settings → Enable Single Logout.
  • Assertion Encryption - Encrypted
  • Encryption Certificate - upload the .cer/.pem file
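
Steps 1 to 3 above as an added Python example (not Freshworks or Okta code): it reads the encryption certificate out of SP metadata and returns it with the header and footer, wrapped at 64 characters per line. It assumes the metadata carries the value in the standard SAML `ds:X509Certificate` element; the function name, the sample metadata and its certificate bytes are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def metadata_cert_to_pem(metadata_xml, use="encryption"):
    """Return the certificate for `use` from SP metadata as PEM text."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute serves signing and encryption.
        if kd.get("use") not in (None, use):
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            continue
        b64 = "".join(cert.text.split())      # metadata may wrap or indent the value
        base64.b64decode(b64, validate=True)  # reject anything that is not base64
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                          "-----END CERTIFICATE-----"]) + "\n"
    raise ValueError(f"no {use} certificate in metadata")

# Constructed sample: the certificate bytes are a placeholder, not a real certificate.
PLACEHOLDER_DER = bytes(range(200))
_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor entityID="https://acme.example.test/metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {_B64[:100]}
        {_B64[100:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # Write the file that is then uploaded as the Encryption Certificate.
    with open("sp-encryption.pem", "w") as fh:
        fh.write(metadata_cert_to_pem(SAMPLE_METADATA))
```
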



8. Whitelabel Error Page (In IDP initiated Single logout: The Message of the Logout Requst is not signed and the SP requires it).



Solution:


  • At the Okta IDP, if the Freshworks SAML app is being used, disable the Single Logout option in Freshworks → Security → Okta (using SAML).
  • At the Okta IDP, if a generic SAML app is configured, make sure both Sign SLO Request and Sign SLO Response are enabled in the SAML app at the IDP end.


9. Whitelabel Error Page (In SP initiated Single logout: The Message of the Logout Response is not signed and the SP requires it)



Solution:

  • At Okta IDP, if Freshworks SAML app is being used, then disable Single Logout option in Freshworks SSO Okta (using SAML).
  • At Okta IDP, if Generic SAML app is configured, then make sure both Sign SLO Request and Sign SLO Response are enabled in SAML app at IDP end.


 

10. {{UserEmail}} cannot be logged in as this user is not part of this organisation


Solution:

  • As the error says, this user is not part of the organization. Verify whether this user email is already present within the same organization.
  • If the user is logging in with valid credentials from Azure and facing a login issue, verify that the user is present in the organisation within Okta (for contact).
  • For agents, the same user email should be present as an agent inside Freshdesk as well.


11. Saml configuration error: invalid destination entity in the saml response. expected destination value: null



Solution:

The Freshworks org domain should be configured correctly.


The domain should be in lower case.
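
The signing, encryption, audience, issuer and destination errors above (1 to 5 and 11) can all be checked against a captured SAMLResponse before changing settings. This is an added Python example, not Freshworks or Okta code; the function name, the `expected` keys and all sample URLs are constructed, and it only checks whether signature elements are present, it does not verify them.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def diagnose(b64_response, expected):
    """List mismatches between a SAMLResponse and the SP settings.
    Presence checks only: no signature is verified cryptographically."""
    root = ET.fromstring(base64.b64decode(b64_response))
    found = []
    if root.find("ds:Signature", NS) is None:
        found.append("response not signed")
    dest = root.get("Destination") or ""
    if dest != expected["destination"]:
        case_only = dest.lower() == expected["destination"].lower()
        found.append("destination differs only by letter case" if case_only
                     else "destination mismatch")
    if root.findtext("a:Issuer", "", NS).strip() != expected["issuer"]:
        found.append("issuer mismatch")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion cannot be inspected without the SP private key.
        if root.find("a:EncryptedAssertion", NS) is None:
            found.append("no assertion in response")
        return found
    if expected["encrypted"]:
        found.append("assertion not encrypted")
    if assertion.find("ds:Signature", NS) is None:
        found.append("assertion not signed")
    audiences = [e.text.strip() for e in assertion.iterfind(".//a:Audience", NS) if e.text]
    if expected["audience"] not in audiences:
        found.append("audience mismatch")
    return found

# Constructed sample: signed-looking response, unsigned assertion, wrong audience,
# upper-case host in Destination. All URLs are placeholders.
SAMPLE = base64.b64encode(b"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://ACME.example.test/constructed-acs">
 <a:Issuer>https://idp.example.test/issuer</a:Issuer><ds:Signature/>
 <a:Assertion><a:Conditions><a:AudienceRestriction>
   <a:Audience>https://other.example.test/metadata</a:Audience>
 </a:AudienceRestriction></a:Conditions></a:Assertion>
</p:Response>""").decode()
EXPECTED = {"destination": "https://acme.example.test/constructed-acs",
            "issuer": "https://idp.example.test/issuer",
            "audience": "https://acme.example.test/metadata", "encrypted": False}
```
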