SAML single sign-on for Gemfury βeta

Troubleshooting SAML SSO

Common issues and solutions for SAML authentication.

Error Messages

Error Cause Solution
Unauthorized Provider not active Contact support to activate your provider
Login expired Session timeout or clock drift Re-initiate SAML login; check server time sync
Invalid credentials Assertion validation failed See detailed causes below
Invalid Credentials — Detailed Causes

This error indicates SAML assertion validation failed. Check these items in order:

  1. Unsigned assertion — Assertions must be signed. Verify signing is enabled in your IdP (see IdP Configuration)
  2. Signature algorithm mismatch — Gemfury supports SHA-256. If your IdP uses SHA-1, update to SHA-256
  3. Expired assertion — Assertion timestamp outside validity window. Check clock synchronization
  4. Audience mismatch — Entity ID in IdP doesn’t match https://manage.fury.io/auth/saml/PROVIDER_ID
  5. Missing email attribute — Assertion must include email attribute
  6. Name ID format mismatch — Verify Name ID format matches your Gemfury configuration
  7. Unsupported Name ID format — Only emailAddress, persistent, and unspecified formats are accepted; others (e.g. transient) are rejected
  8. Certificate mismatch — IdP certificate was rotated but metadata wasn’t updated in Gemfury

Configuration Issues

Assertions Not Signed

Gemfury requires signed SAML assertions. In your IdP settings, enable:

  • Sign SAML Response
  • Sign SAML Assertion
Certificate Mismatch

If your IdP certificate was rotated:

  1. Download new metadata XML from your IdP
  2. Update the metadata in Gemfury SSO settings
  3. Submit for reactivation
Wrong ACS URL or Entity ID

Verify exact match (case-sensitive):

ACS URL:    https://manage.fury.io/auth/saml/PROVIDER_ID/callback
Entity ID:  https://manage.fury.io/auth/saml/PROVIDER_ID
Missing Email Attribute

Ensure your IdP sends the email attribute in the SAML response. Check attribute mapping in your IdP configuration.

Members Unexpectedly Downgraded

If members drop to the default role after logging in, check that your IdP still sends the multi-valued groups attribute (named exactly groups) and that the group names match your mapping keys exactly (case-sensitive). A missing or misnamed attribute is ignored and leaves the role unchanged, but a claim whose groups match no mapping key resolves to the default role.

Clock Drift

A SAML assertion has a time validity window. If authentication fails intermittently, verify that your IdP server time is correct (i.e. NTP-synchronized) and check for possible clock skew between IdP and the rest of your infrastructure.

Debugging Steps

  1. Check IdP logs for the SAML response sent
  2. Verify ACS URL and Entity ID match exactly
  3. Confirm email attribute is included
  4. Ensure assertions are signed

Limitations

This system is still under active development. At this time, it’s limited as follows:

  • One SAML provider per organization
  • No Single Logout (SLO) support
  • Group mapping re-syncs roles on every login, but SAML cannot revoke access in real time — use SCIM or remove the membership to fully deprovision
  • IdP metadata must be pasted as XML — metadata-URL import and auto-refresh are not supported

Getting Help

Contact support via your Dashboard with:

  • Your organization name
  • Identity Provider name
  • IdP configuration screenshots (redact secrets)
  • Error messages