How to troubleshoot SAML Single Sign-On (SSO) using the SAML Trace in Archer
Product Set: Archer
Product/Service Type: Archer (On-Premise) / Archer (SaaS)
Version/Condition: 6.6 and later
Platform: Windows Server 2012 R2 / Windows Server 2016 / Windows Server 2019
Component/s: Troubleshooting SAML SSO
With the SAML 2.0 Single Sign-On (SSO) integration, the Archer platform can generate SAML authentication requests and process SAML assertions natively. If the users exist in your IdP (Identity Provider), SAML user provisioning can create them in Archer automatically. SAML SSO also supports updates to the user profile, group membership, and role assignments.
A customer, whether on-premise or SaaS/Hosted, may open a SAML case that relates to group membership not being applied after SSO login.
To troubleshoot this, capture the SAML messages exchanged by the browser with a SAML trace extension. Several such tools are available, including extensions for Chrome.
You can use the "SAML-tracer" tool for viewing SAML and WS-Federation messages sent through the browser during single sign-on and single logout. You can download SAML-tracer.
Install the "SAML-tracer" extension in Chrome.
Start the "SAML-tracer" tool from the Chrome Extensions menu before the user begins the login, so that the trace window is open and recording.
Then ask the user to log in to Archer; SAML-tracer records the requests and responses while the user loads the Archer pages. The session can be exported as a JSON file, which the customer sends to Archer Support; Support then imports the JSON file into SAML-tracer to review it. Treat the exported file as sensitive: it contains the full assertion and the HTTP headers (including cookies) of the captured session.
The SAML trace below shows a user logging in to the RSA APJ SaaS environment.
Another example shows a user logging in to the RSA SaaS APJ environment. Under the "Summary" tab you see the attribute claims that are passed (First Name, Last Name, Group, User Domain, Email Address). If a specific claim, such as Group, is not passed, show this to the customer so they can correct the attribute mapping in their IdP configuration.
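The check described above (confirm which attribute claims the IdP actually sent and spot a missing one) can also be done outside the browser, which helps when the trace was exported and you only have the raw SAMLResponse value from the Parameters tab. The following is an added example, not Archer or SAML-tracer code: it decodes a SAMLResponse from either the HTTP-POST binding (base64) or the HTTP-Redirect binding (base64 over raw DEFLATE), lists the attributes in the AttributeStatement, and reports which of the expected claims are absent or empty. The claim names in REQUIRED_CLAIMS mirror the ones shown on the Summary tab; the sample assertion, issuer and hostnames are constructed for this example.

```python
"""Decode a captured SAMLResponse and list the attribute claims it carries.

Added example (not Archer or SAML-tracer code). The sample response below is
constructed: it deliberately omits the "Group" claim so the check reports it.
"""
import base64
import zlib
# Trace files come from the customer; for untrusted XML prefer defusedxml.ElementTree.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claims Archer is expected to receive (assumed names, matching the Summary tab).
REQUIRED_CLAIMS = ["First Name", "Last Name", "Group", "User Domain", "Email Address"]


def decode_saml_param(value: str, binding: str = "post") -> str:
    """Turn a raw SAMLRequest/SAMLResponse parameter value into XML text."""
    raw = base64.b64decode(value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib header
    return raw.decode("utf-8")


def parse_saml_response(value: str, binding: str = "post") -> dict:
    """Return status, NameID and a {attribute name: [values]} map from a SAMLResponse."""
    root = ET.fromstring(decode_saml_param(value, binding))
    status_el = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return {
        "status": status_el.get("Value") if status_el is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attributes,
    }


def missing_claims(parsed: dict, required=REQUIRED_CLAIMS) -> list:
    """Claims that are absent, or present only with empty values."""
    attrs = parsed["attributes"]
    return [name for name in required if not any(v.strip() for v in attrs.get(name, []))]


def encode_post_param(xml_text: str) -> str:
    """Encode XML the way the HTTP-POST binding does (used to build the sample)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def encode_redirect_param(xml_text: str) -> str:
    """Encode XML the way the HTTP-Redirect binding does (raw DEFLATE, then base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


# Constructed sample: a successful response whose assertion lacks the "Group" claim.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2021-06-01T10:00:00Z" Destination="https://archer.example.com/">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-06-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="First Name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Last Name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User Domain"><saml:AttributeValue>EXAMPLE</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email Address"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    parsed = parse_saml_response(encode_post_param(SAMPLE_RESPONSE_XML))
    print("Status:", parsed["status"])
    print("NameID:", parsed["name_id"])
    for name, values in parsed["attributes"].items():
        print(f"  {name}: {values}")
    print("Missing claims:", missing_claims(parsed))
```

Paste the SAMLResponse value from the trace into parse_saml_response (use binding="redirect" only for SAMLRequest values carried in the query string; responses to Archer arrive via POST). A claim listed under "Missing claims" is exactly what you show the customer, since it means the IdP never sent it rather than Archer ignoring it. Note that this script only reads the assertion; it does not validate the signature, so it tells you what was sent, not whether Archer accepted it.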