Common issues and solutions for SAML authentication.
Error Messages
| Error | Cause | Solution |
|---|---|---|
| Unauthorized | Provider not active | Contact support to activate your provider |
| Login expired | Session timeout or clock drift | Re-initiate SAML login; check server time sync |
| Invalid credentials | Assertion validation failed | See detailed causes below |
Invalid Credentials — Detailed Causes
This error indicates SAML assertion validation failed. Check these items in order:
- Unsigned assertion — Assertions must be signed. Verify signing is enabled in your IdP (see IdP Configuration)
- Signature algorithm mismatch — Gemfury supports SHA-256. If your IdP uses SHA-1, update to SHA-256
- Expired assertion — Assertion timestamp outside validity window. Check clock synchronization
-
Audience mismatch — Entity ID in IdP doesn’t match
https://manage.fury.io/auth/saml/PROVIDER_ID -
Missing email attribute — Assertion must include
emailattribute - Name ID format mismatch — Verify Name ID format matches your Gemfury configuration
-
Unsupported Name ID format — Only
emailAddress,persistent, andunspecifiedformats are accepted; others (e.g.transient) are rejected - Certificate mismatch — IdP certificate was rotated but metadata wasn’t updated in Gemfury
Configuration Issues
Assertions Not Signed
Gemfury requires signed SAML assertions. In your IdP settings, enable:
- Sign SAML Response
- Sign SAML Assertion
Certificate Mismatch
If your IdP certificate was rotated:
- Download new metadata XML from your IdP
- Update the metadata in Gemfury SSO settings
- Submit for reactivation
Wrong ACS URL or Entity ID
Verify exact match (case-sensitive):
ACS URL: https://manage.fury.io/auth/saml/PROVIDER_ID/callback
Entity ID: https://manage.fury.io/auth/saml/PROVIDER_ID
Missing Email Attribute
Ensure your IdP sends the email attribute in the SAML response. Check attribute mapping in your
IdP configuration.
Members Unexpectedly Downgraded
If members drop to the default role after logging in, check that your IdP still
sends the multi-valued groups attribute (named exactly groups) and that the
group names match your mapping keys exactly (case-sensitive). A
missing or misnamed attribute is ignored and leaves the role unchanged, but a
claim whose groups match no mapping key resolves to the default role.
Clock Drift
A SAML assertion has a time validity window. If authentication fails intermittently, verify that your IdP server time is correct (i.e. NTP-synchronized) and check for possible clock skew between IdP and the rest of your infrastructure.
Debugging Steps
- Check IdP logs for the SAML response sent
- Verify ACS URL and Entity ID match exactly
- Confirm email attribute is included
- Ensure assertions are signed
Limitations
This system is still under active development. At this time, it’s limited as follows:
- One SAML provider per organization
- No Single Logout (SLO) support
- Group mapping re-syncs roles on every login, but SAML cannot revoke access in real time — use SCIM or remove the membership to fully deprovision
- IdP metadata must be pasted as XML — metadata-URL import and auto-refresh are not supported
Getting Help
Contact support via your Dashboard with:
- Your organization name
- Identity Provider name
- IdP configuration screenshots (redact secrets)
- Error messages