Troubleshooting SAML SSO Authentication

If you receive a SAML credentials error when logging in to InsightVM, such as "The SAML Credentials are invalid.", you can troubleshoot using the following criteria. For additional assistance, contact Rapid7 support.

Email addresses must match

The email address specified for a user in the selected identity provider must match (case-sensitively) the email address specified for the user in the InsightVM Security Console. You can check the user's email address in the InsightVM Security Console by going to Administration > User Management. There are multiple tools you can use to capture a SAML assertion response and verify the email address coming from the identity provider, including browser HTTP archive (HAR) analyzers or browser extensions.

When analyzing the SAML response, validate the NameID and emailAddress values, ensuring they match the User Account Email field in the Security Console. Here's an example NameID with email address in the output:

    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">FirstNameLastName@Domain.com</saml2:NameID>

ACS and Entity ID must be captured in the SAML response

In the SAML response, you should ensure the InsightVM Security Console Assertion Consumer Service (ACS) URL and Entity ID URL are correctly captured. The ACS URL appears as the Destination attribute of the saml2p:Response element, and the Entity ID URL appears as the value of the saml2:Audience element. For example:

  • ACS URL - <saml2p:Response Destination="https://ConsoleHostname.Domain:3780/saml/SSO">
  • Entity ID URL - <saml2:Audience>http://www.rapid7.com/nsc/console/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx</saml2:Audience>

Base Entity URL must be set up correctly

Verify your InsightVM Security Console Base Entity URL is set up correctly. The base entity URL should be set under the Security Console 2FA & Authentication page if your ACS URL is pointing to the server hostname or fully-qualified domain name (FQDN). You can determine which Base URL the console was initialized with by opening the nsc.log file in the InsightVM server's logs directory (directory\rapid7\nexpose\nsc\logs) and searching for Entity Base URL. The URL should be listed in the following format: https://<console-hostname>:<console-port>

Here's an example of an entry from the nsc.log file:

    2024-09-26T19:10:14 [INFO] [Thread: Security Console] Setting IDP metadata, Entity id: http://rapid7.com/nsc/console/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx, Entity Base URL: https://ServerName.Rapid7.com:3780
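The three checks above (case-sensitive NameID match, Destination equal to the ACS URL, Audience equal to the Entity ID) can be automated against a captured SAML response and the nsc.log entry. The following script is an added example, not Rapid7's code; the SAML response and log lines are constructed samples, the hostnames and GUID are placeholders, and the assumption that the ACS URL is the Entity Base URL followed by /saml/SSO is taken from the example URLs on this page.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, minimal SAML response (not a real capture); signature elements omitted.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://console.example.com:3780/saml/SSO" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>http://www.rapid7.com/nsc/console/00000000-0000-0000-0000-000000000000</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed nsc.log excerpt in the format shown on this page (placeholder GUID and hostname).
SAMPLE_NSC_LOG = """2024-09-26T19:10:13 [INFO] [Thread: Security Console] Starting SAML configuration
2024-09-26T19:10:14 [INFO] [Thread: Security Console] Setting IDP metadata, Entity id: http://www.rapid7.com/nsc/console/00000000-0000-0000-0000-000000000000, Entity Base URL: https://console.example.com:3780
"""

LOG_RE = re.compile(r"Setting IDP metadata, Entity id: (\S+), Entity Base URL: (\S+)")


def parse_saml_response(xml_text):
    """Pull Destination, NameID (value and Format) and Audience out of a saml2p:Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ValueError("document is not a saml2p:Response")
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    audience = root.find(".//saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)
    return {
        "destination": root.get("Destination"),
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": audience.text.strip() if audience is not None and audience.text else None,
    }


def parse_nsc_log(log_text):
    """Return (entity_id, base_url) from the last 'Setting IDP metadata' line, or None."""
    found = None
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            found = (m.group(1), m.group(2))
    return found


def check_saml_against_console(response, console_user_email, entity_id, base_url):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    # 1. Email must match case-sensitively: a plain == comparison, no lower() on either side.
    if response["name_id"] != console_user_email:
        hint = ""
        if response["name_id"] and response["name_id"].lower() == console_user_email.lower():
            hint = " (differs only in case)"
        findings.append("NameID %r != console email %r%s" % (response["name_id"], console_user_email, hint))
    if response["name_id_format"] != EMAIL_FORMAT:
        findings.append("NameID Format is %r, expected the emailAddress format" % response["name_id_format"])
    # 2. Destination must be the console ACS URL; assumed here to be <Entity Base URL>/saml/SSO.
    expected_acs = base_url.rstrip("/") + "/saml/SSO"
    if response["destination"] != expected_acs:
        findings.append("Destination %r != ACS URL %r" % (response["destination"], expected_acs))
    # 3. Audience must equal the console Entity ID logged in nsc.log.
    if response["audience"] != entity_id:
        findings.append("Audience %r != Entity ID %r" % (response["audience"], entity_id))
    return findings


def run_checks(xml_text=SAMPLE_RESPONSE, log_text=SAMPLE_NSC_LOG, console_user_email="Jane.Doe@example.com"):
    response = parse_saml_response(xml_text)
    entity_id, base_url = parse_nsc_log(log_text)
    return check_saml_against_console(response, console_user_email, entity_id, base_url)


if __name__ == "__main__":
    for line in run_checks() or ["all SAML response checks passed"]:
        print(line)
```

Run it against a decoded SAMLResponse from a HAR capture and the real nsc.log by passing their contents to run_checks; the "differs only in case" hint is there because that is the mismatch a visual comparison most easily misses.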