Overview
This article provides details about how to troubleshoot and resolve Single Sign On (SSO) login errors that lead to the "Login failed due to missing SAML EPPN attribute" error page.
Causes
This issue can happen for several reasons. The most common fall under a couple of different categories.
No SAML EPPN Attribute Detected
We could not detect an eppn attribute in your session. Some common reasons that this might occur are:
- Your organization is not releasing an eppn SAML attribute in outbound assertions.
- Your account does not have a value for the identity system attribute which backs the eppn SAML attribute in outbound assertions.
- Your organization is releasing SAML attributes to our service that are not formatted correctly, or cannot otherwise be parsed, such that they are ignored.
- Your organization is not releasing any SAML attributes to our service in outbound assertions.
Unscoped SAML EPPN Attribute
Your organization is releasing unscoped eppn attribute values, that is, values not fully qualified with a domain. This means that values are coming through as john.doe (incorrect) instead of john.doe@example.com (correct). Our service requires scoped (fully qualified) eppn values.
SAML EPPN Attribute With Rejected Scope
The eppn attribute value for your account has a scope (domain) that has not been allowed by this service. This causes the login to be rejected. For example, your username is being released as john.doe@mail.example.com, but your organization has instructed our service to only allow usernames with @example.com domains.
This can also occur if the scope (domain) of your eppn value is not consistently cased. For instance, an eppn value of john.doe@Example.com would not be matched against an allowed domain of example.com, causing the session to be rejected. It is highly recommended to transform eppn values outbound from your Identity Provider (IdP) to lower case if at all possible. This eliminates inconsistent casing issues with scoped eppn values.
Resolution
A SAML assertion to our service should include an <AttributeStatement> section, with at least the required scoped eppn attribute included, that looks similar to the following. Note that urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is the OID name string that corresponds to eppn. Supported attribute name formats are uri (preferred), basic or unspecified.
<AttributeStatement>
  <Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xsi:type="xs:string">
      john.doe@example.com
    </AttributeValue>
  </Attribute>
  ... More SAML Attributes here as needed ...
</AttributeStatement>
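The following is an added example, not part of this article or of the service's own code: a service-provider-side check that extracts eppn from an AttributeStatement like the one above and classifies it into the failure categories described in the Causes section (missing, unscoped, rejected scope), comparing scopes case-insensitively. The friendly names "eppn" and "eduPersonPrincipalName" accepted alongside the OID, and the allowed-scope list, are assumptions of the example; the statements it parses are constructed inline.

```python
import xml.etree.ElementTree as ET

EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
# Names under which eppn may arrive with the uri, basic or unspecified
# NameFormat; the two friendly names are an assumption of this example.
EPPN_NAMES = {EPPN_OID, "eppn", "eduPersonPrincipalName"}

def _local(tag):
    # Strip any namespace so prefixed and unprefixed SAML elements both match.
    return tag.rsplit("}", 1)[-1]

def extract_eppn(statement_xml):
    """Return the first non-empty eppn AttributeValue, or None if absent."""
    root = ET.fromstring(statement_xml)
    for attr in root.iter():
        if _local(attr.tag) == "Attribute" and attr.get("Name") in EPPN_NAMES:
            for val in attr.iter():
                if _local(val.tag) == "AttributeValue" and (val.text or "").strip():
                    return val.text.strip()
    return None

def check_eppn(statement_xml, allowed_scopes):
    """Classify the statement's eppn: ("ok", scope), ("missing", None),
    ("unscoped", value) or ("rejected_scope", scope)."""
    eppn = extract_eppn(statement_xml)
    if eppn is None:
        return ("missing", None)
    user, _, scope = eppn.rpartition("@")
    if not user or not scope:
        return ("unscoped", eppn)
    # Compare case-insensitively so john.doe@Example.com is not rejected only
    # because of casing; the IdP should still release lower-case values.
    if scope.lower() not in {s.lower() for s in allowed_scopes}:
        return ("rejected_scope", scope)
    return ("ok", scope)

def statement(value, name=EPPN_OID):
    """Constructed AttributeStatement in the shape shown in the article."""
    return (
        '<AttributeStatement>'
        f'<Attribute Name="{name}" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
        '<AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xsi:type="xs:string">'
        f'{value}</AttributeValue></Attribute></AttributeStatement>'
    )

if __name__ == "__main__":
    for v in ["john.doe@example.com", "john.doe", "john.doe@mail.example.com"]:
        print(v, "->", check_eppn(statement(v), ["example.com"]))
```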
Your home organization will need to identify why your account is missing an eppn (eduPersonPrincipalName) SAML attribute value and correct the issue. You can refer to the related Accepted SAML SSO Attributes article for more information about which SAML attributes our service requires, accepts, and the required formatting of these attributes.
Please contact your home organization's helpdesk and request assistance with this issue. Please include the entire contents of this page along with the details of your request.
If the issue is due to a scoped (fully qualified) eppn value being rejected, please use the related Contact Support service to request that the rejected domain be allowed for your organization's SSO metadata as appropriate.