Skip to main content

Please log into UltraDNS for full Help Center and Community access

Troubleshoot UltraDNS SAML Login and Authentication Issues

Updated

This article explains how to troubleshoot UltraDNS SAML login and authentication issues, including login failures, ForgeRock error pages, Missing Attributes errors, and failed SAML user mapping.

Symptoms

  • Unable to log in to UltraDNS using SAML Single Sign-On (SSO).
  • A ForgeRock error page is displayed during or after login.
  • A Missing Attributes error page is displayed.
  • Authentication succeeds at the Identity Provider but fails when redirected to UltraDNS.
  • The SAML user is not created or mapped correctly during login.

Before You Begin

  • Email addresses must be unique across all UltraDNS users associated with the account.
    • Duplicate email addresses can prevent successful SAML user mapping and login.
    • Using the same email address for an API-only user and a SAML user can create authentication conflicts.
  • Review the UltraDNS SAML Quick Start Guide before requesting a troubleshooting call.
  • Check your metadata, certificates, NameID format, attributes, and user mappings.
  • Customers should have an Identity Provider administrator available during troubleshooting and testing.
  • If a troubleshooting call is required, availability will be coordinated through your support case.

Understand Where SAML Authentication Occurs

SAML authentication is performed by your Identity Provider (IdP). 

UltraDNS receives and validates the SAML assertion after authentication is completed.

UltraDNS Support can assist with assertion validation, metadata processing, user mapping, and UltraDNS-side SAML configuration issues.

UltraDNS Support cannot administer or configure your Identity Provider. 

If troubleshooting identifies an issue with IdP configuration, certificates, claims mapping, authentication policies, or user provisioning, contact your IdP administrator or IdP vendor for assistance.

Information Required by UltraDNS Support

If you are experiencing a SAML login failure, provide the following information when opening a support request.

  1. Confirm only one active signing certificate is configured within the Identity Provider for the UltraDNS SAML application.
  2. Provide the username or email address used during the SAML login attempt.
  3. Provide a complete screenshot of the error message, including the browser address bar and URL.
  4. Provide the SAML Response XML.
    • Capture the SAML Response using the SAML-tracer extension for Firefox or the SAML Message Decoder extension for Chrome.
    • If possible, provide only the SAML Response portion instead of the full browser trace.
  5. Provide the current Identity Provider metadata XML file.
  6. Provide the approximate date, time, and time zone of the failed login attempt.

  7. Confirm the configured Assertion Consumer Service (ACS) URL:

    https://amsso.ultradns.com/neusso/Consumer/metaAlias/NSSRealm/nss-sp 

  8. Confirm the configured Service Provider (SP) Entity ID:

    nss-sp-hosted

  9. Confirm the configured NameID Format matches the value selected during UltraDNS SAML setup.
    • A mismatch between the configured NameID format and the UltraDNS SAML configuration can prevent successful authentication.
  10. If the SAML assertion appears empty or unreadable when reviewed in SAML tracing tools, check whether assertion encryption is enabled.
    • UltraDNS does not support encrypted SAML assertions.
    • Disable assertion encryption and test again.
  11. Check that all mandatory UltraDNS SAML attributes are present in the SAML assertion.
    • The required attributes are givenname, sn, and mail.
    • Attribute names are case-sensitive and must be configured exactly as shown.
    • Attributes must be lowercase.
    • Attributes must not contain prefixes.
    • Each attribute must contain a non-empty value.
    • Missing or blank attributes can result in a Missing Attributes error page.

Required SAML Attributes

  • givenname - First name of the authenticated user.
  • sn - Last name or surname of the authenticated user.
  • mail - Email address of the authenticated user.

The attributes should appear in the SAML Response using the exact attribute names shown below:

<saml:Attribute Name="givenname">
<saml:Attribute Name="sn">
<saml:Attribute Name="mail">

Expected Outcome

After the SAML configuration is corrected, users should be able to authenticate through the Identity Provider and access UltraDNS using SAML SSO.

Providing the information above when opening a support request helps UltraDNS Support identify configuration, assertion, metadata, and user mapping issues more quickly.gi

Contact UltraDNS Support

To contact UltraDNS Support, use the Support Portal link located within the UltraDNS portal and submit a support request.

Related to

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles