Troubleshooting SAML SSO Authentication
If you receive a SAML credentials error when logging in to InsightVM, such as "The SAML Credentials are invalid.", you can troubleshoot using the following criteria. For additional assistance, contact Rapid7 support.
Email addresses must match
The email address specified for a user in the selected identity provider must match (case-sensitive) the email address specified for the user in the InsightVM Security Console. You can check the user's email address in the InsightVM Security Console by going to Administration > User Management. There are multiple tools you can use to capture a SAML assertion response to verify the email address coming from the identity provider, including utilizing browser HTTP archive (HAR) analyzers or browser extensions.
When analyzing the SAML response, validate the `NameID` and `emailAddress` values, ensuring they match the User Account Email field in the Security Console. Here's an example `NameID` element with an email address in the output:
```text
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">FirstNameLastName@Domain.com</saml2:NameID>
```
ACS and Entity ID must be captured in the SAML response
In the SAML response, you should ensure the InsightVM Security Console Assertion Consumer Service (ACS) URL and Entity ID URL are correctly captured. The ACS URL is carried in the `Destination` attribute of the `saml2p:Response` element, and the Entity ID URL is carried in the `saml2:Audience` element. For example:
- ACS URL:
`<saml2p:Response Destination="https://ConsoleHostname.Domain:3780/saml/SSO">`
- Entity ID URL:
`<saml2:Audience>http://www.rapid7.com/nsc/console/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx</saml2:Audience>`
Base Entity URL must be set up correctly
Verify your InsightVM Security Console Base Entity URL is set up correctly. The base entity URL should be set under the Security Console 2FA & Authentication page if your ACS URL is pointing to the server hostname or fully-qualified domain name (FQDN). You can determine what Base URL the console was initialized with by opening the `nsc.log` file in the InsightVM server's logs directory (`directory\rapid7\nexpose\nsc\logs`) and searching for `Entity Base URL`. The URL should be listed in the following format: `https://<console-hostname>:<console-port>`
Here's an example of an entry from the `nsc.log` file:
```text
2024-09-26T19:10:14 [INFO] [Thread: Security Console] Setting IDP metadata, Entity id: http://rapid7.com/nsc/console/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx, Entity Base URL: https://ServerName.Rapid7.com:3780
```
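The three checks above (case-sensitive email match, ACS URL in `Destination`, Entity ID in `Audience`, and the Entity Base URL recorded in `nsc.log`) can be run together against a captured SAML response. The script below is an added example, not Rapid7 code: it parses a constructed SAML response and a constructed `nsc.log` line (placeholder hostname, entity id and email), derives the expected ACS URL from the Entity Base URL by appending the `/saml/SSO` path shown in the page's example (an assumption), and reports every mismatch, distinguishing a pure case difference in the email from a completely different address.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample SAML response for illustration (not a real capture).
# Hostname, entity id and email address are placeholders.
SAML_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://console.example.com:3780/saml/SSO">
  <saml2:Assertion>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@Example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>http://www.rapid7.com/nsc/console/PLACEHOLDER-ENTITY-ID</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="emailAddress">
        <saml2:AttributeValue>Jane.Doe@Example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed nsc.log line in the format shown on this page (placeholder values).
NSC_LOG_LINE = (
    "2024-09-26T19:10:14 [INFO] [Thread: Security Console] Setting IDP metadata, "
    "Entity id: http://www.rapid7.com/nsc/console/PLACEHOLDER-ENTITY-ID, "
    "Entity Base URL: https://console.example.com:3780"
)

# Assumed ACS path, taken from the page's example ACS URL.
ACS_PATH = "/saml/SSO"


def parse_saml_response(xml_text):
    """Pull the fields the troubleshooting checks care about out of a SAML response."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    audience = root.find(".//saml2:Audience", NS)
    email_attr = root.find(
        ".//saml2:Attribute[@Name='emailAddress']/saml2:AttributeValue", NS)
    return {
        "destination": root.get("Destination"),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": audience.text if audience is not None else None,
        "email_attribute": email_attr.text if email_attr is not None else None,
    }


def parse_nsc_log(log_text):
    """Find the 'Setting IDP metadata' entry and return the entity id and base URL."""
    m = re.search(r"Entity id: ([^,\s]+), Entity Base URL: (\S+)", log_text)
    if m is None:
        return None
    return {"entity_id": m.group(1), "base_url": m.group(2)}


def check_sso(saml, console_email, log_entry):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    # 1. Email must match the console's User Account Email exactly (case-sensitive).
    for label in ("name_id", "email_attribute"):
        value = saml[label]
        if value is None:
            findings.append(f"{label}: missing from the SAML response")
        elif value != console_email:
            if value.lower() == console_email.lower():
                findings.append(f"{label}: case mismatch ({value!r} vs {console_email!r})")
            else:
                findings.append(f"{label}: {value!r} does not match console email {console_email!r}")
    if saml["name_id_format"] and not saml["name_id_format"].endswith(":emailAddress"):
        findings.append(f"name_id_format: unexpected format {saml['name_id_format']!r}")
    # 2. Destination must equal the console's ACS URL, derived here from the base URL.
    expected_acs = log_entry["base_url"].rstrip("/") + ACS_PATH
    if saml["destination"] != expected_acs:
        findings.append(f"destination: {saml['destination']!r} != expected ACS {expected_acs!r}")
    # 3. Audience must equal the console's Entity ID from nsc.log.
    if saml["audience"] != log_entry["entity_id"]:
        findings.append(f"audience: {saml['audience']!r} != entity id {log_entry['entity_id']!r}")
    return findings


if __name__ == "__main__":
    parsed = parse_saml_response(SAML_RESPONSE)
    log = parse_nsc_log(NSC_LOG_LINE)
    for email in ("Jane.Doe@Example.com", "jane.doe@example.com"):
        result = check_sso(parsed, email, log)
        print(f"console email {email!r}:", "OK" if not result else result)
```

Run it against a response exported from a HAR file (decode the base64 `SAMLResponse` form field first) and the console's own `nsc.log`; a "case mismatch" finding is the symptom to look for when the IdP and the Security Console disagree only in letter case.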