SAML single sign-on for Gemfury (beta)

Troubleshooting SAML SSO

Common issues and solutions for SAML authentication.

Error Messages

Error                 Cause                            Solution
Unauthorized          Provider not active              Contact support to activate your provider
Login expired         Session timeout or clock drift   Re-initiate SAML login; check server time sync
Invalid credentials   Assertion validation failed      See detailed causes below

Invalid Credentials — Detailed Causes

This error indicates SAML assertion validation failed. Check these items in order:

  1. Unsigned assertion — Assertions must be signed. Verify that assertion signing is enabled in your IdP (see IdP Configuration)
  2. Signature algorithm mismatch — Gemfury supports SHA-256 (rsa-sha256). If your IdP still signs with SHA-1, switch it to SHA-256
  3. Expired assertion — The current time is outside the assertion's NotBefore/NotOnOrAfter window. Check clock synchronization on the IdP
  4. Audience mismatch — The Audience in the assertion (the Entity ID configured in your IdP) doesn't exactly match https://manage.fury.io/auth/saml/PROVIDER_ID
  5. Missing email attribute — The assertion must include an email attribute
  6. Name ID format mismatch — Verify that the Name ID format sent by your IdP matches your Gemfury configuration
  7. Certificate mismatch — The IdP signing certificate was rotated, but the metadata in Gemfury wasn't updated

Configuration Issues

Assertions Not Signed

Gemfury requires signed SAML assertions. Signing only the Response envelope does not satisfy this requirement; the Assertion element itself must carry a signature. In your IdP settings, enable both:

  • Sign SAML Response
  • Sign SAML Assertion

Certificate Mismatch

If your IdP certificate was rotated:

  1. Download new metadata XML from your IdP
  2. Update the metadata in Gemfury SSO settings
  3. Submit for reactivation

Wrong ACS URL or Entity ID

Verify exact match (case-sensitive):

ACS URL:    https://manage.fury.io/auth/saml/PROVIDER_ID/callback
Entity ID:  https://manage.fury.io/auth/saml/PROVIDER_ID

Missing Email Attribute

Ensure your IdP sends the email attribute in the SAML response. Check attribute mapping in your IdP configuration.

Clock Drift

A SAML assertion carries a validity window (NotBefore/NotOnOrAfter), so a skewed clock on either side makes an otherwise valid assertion look expired or not yet valid. If authentication fails intermittently, verify that your IdP server's time is correct (NTP-synchronized) and check for clock skew between the IdP and the rest of your infrastructure.

Debugging Steps

  1. Check IdP logs for the SAML response sent
  2. Verify ACS URL and Entity ID match exactly
  3. Confirm email attribute is included
  4. Ensure assertions are signed
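The following script walks the "Invalid Credentials" checklist and the debugging steps above against a SAML Response captured from your IdP logs, reporting which item fails. It is an added example, not Gemfury's code: it does not verify the XML signature cryptographically (that needs an xmlsec library, and Gemfury does it server-side), and the embedded Response, provider ID `acme`, certificate bytes and timestamps are all constructed placeholders.

```python
"""Offline triage of a SAML Response against the 'Invalid credentials' checklist.

Added example, not Gemfury code. Reports which checklist item fails; it does NOT
verify the XML signature cryptographically (that needs an xmlsec library).
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def parse_time(value):
    """SAML timestamps are UTC ISO-8601, e.g. 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def cert_fingerprint(b64_der):
    """SHA-256 over the DER bytes inside a <ds:X509Certificate> element."""
    return hashlib.sha256(base64.b64decode(re.sub(r"\s+", "", b64_der))).hexdigest()


def check_response(xml_text, provider_id, metadata_fingerprint, nameid_format,
                   now, skew=timedelta(seconds=60)):
    """Return findings in checklist order; an empty list means nothing obvious is wrong."""
    entity_id = f"https://manage.fury.io/auth/saml/{provider_id}"
    findings = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element in the Response"]

    sig = assertion.find("ds:Signature", NS)                      # 1. unsigned assertion
    if sig is None:
        findings.append("assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)  # 2. algorithm
        alg = method.get("Algorithm", "") if method is not None else ""
        if alg != RSA_SHA256:
            findings.append(f"signature algorithm {alg or '(missing)'} is not rsa-sha256")
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)  # 7. cert rotated
        if cert is not None and cert.text and cert_fingerprint(cert.text) != metadata_fingerprint:
            findings.append("signing certificate differs from the metadata uploaded to Gemfury")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("assertion has no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")  # 3. validity window
        if nb and now + skew < parse_time(nb):
            findings.append(f"assertion not yet valid (NotBefore={nb}); check clock drift")
        if na and now - skew >= parse_time(na):
            findings.append(f"assertion expired (NotOnOrAfter={na}); check clock drift")
        audiences = [(a.text or "").strip()                        # 4. audience
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if entity_id not in audiences:
            findings.append(f"audience {audiences} does not match entity ID {entity_id}")

    names = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if "email" not in names:                                       # 5. email attribute
        findings.append(f"no 'email' attribute; attributes present: {sorted(names)}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)      # 6. NameID format
    fmt = name_id.get("Format", "") if name_id is not None else ""
    if fmt != nameid_format:
        findings.append(f"NameID format {fmt or '(missing)'} != configured {nameid_format}")
    return findings


# Constructed sample. The certificate and signature value are placeholders, not real X.509/DSig data.
FAKE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real certificate").decode()
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FIXED_NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)  # fixed "now" so checks are repeatable


def sample_response(sig_alg=RSA_SHA256, cert=FAKE_CERT_B64, email=True,
                    not_after="2024-05-01T12:05:00Z"):
    attr = ('<saml:Attribute Name="email"><saml:AttributeValue>dev@example.com'
            "</saml:AttributeValue></saml:Attribute>") if email else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="https://manage.fury.io/auth/saml/acme/callback">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID Format="{EMAIL_FMT}">dev@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>https://manage.fury.io/auth/saml/acme</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attr}</saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""


def triage(**overrides):
    """Run the checklist on the constructed sample (hypothetical provider ID 'acme')."""
    return check_response(sample_response(**overrides), "acme",
                          cert_fingerprint(FAKE_CERT_B64), EMAIL_FMT, now=FIXED_NOW)


if __name__ == "__main__":
    cases = {"healthy": {}, "sha1": {"sig_alg": "http://www.w3.org/2000/09/xmldsig#rsa-sha1"},
             "no email": {"email": False}, "expired": {"not_after": "2024-05-01T11:59:00Z"}}
    for case, kw in cases.items():
        print(f"{case:9s} {triage(**kw) or 'OK'}")
```

To use it on a real capture, base64-decode the `SAMLResponse` form field from your IdP log or browser trace, pass the XML to `check_response` with your PROVIDER_ID, the SHA-256 fingerprint of the certificate in the metadata you uploaded to Gemfury, and the Name ID format you configured. The 60-second `skew` mirrors the clock-drift tolerance most SPs apply; a finding in the "expired" or "not yet valid" branch with a healthy window is the clock-drift case from the section above. If you feed it XML from a source you do not control, parse with `defusedxml` rather than the standard library.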

Limitations

This system is still under active development. At this time, it’s limited as follows:

  • One SAML provider per organization
  • No Single Logout (SLO) support
  • No SCIM provisioning — deprovisioning is manual
  • Group mapping sets roles at provisioning only — ongoing sync is not supported
  • No SP metadata endpoint — manual IdP configuration required

Getting Help

Contact support via your Dashboard with:

  • Your organization name
  • Identity Provider name
  • IdP configuration screenshots (redact secrets)
  • Error messages