Fatal Profile Exception Errors

Cause

• NameID field getting passed in assertion is blank

Resolution

• Capture and analyze an assertion.
• Make sure the claimes are set up correctly.
• Partner with IdP Admin to verify NameID field is set up correctly.

Cause

If you get this error after clicking "Your Company Account" and do not  get redirected to the IdP SSO page, it's possible the IdP metadata entered in SAML settings > Edit IdP > IdP Metadata includes an expired validUntil value.

Smartsheet (the service provider) may be unable to communicate with your Identity Provider. This may be a firewall issue or other network issue that prevents Smartsheet from reaching the URL endpoint in "Unable to locate metadata for identity provider (<insert URL here>)."

It's also possible that the URL is incorrect.

Resolution

To identify if there is an invalid validUntil value, work with your IdP admin to review your metadata. 

Use CTRL+F to search for “validUntil”. If there is a validUntil value, and the date for that value is in the past, then you will need to modify your IdP metadata and remove that element. You may be able to go to Smartsheet > SAML settings > Edit IdP > IdP Metadata to remove the element.

To resolve this error, Smartsheet needs to be able to connect with the Identity Provider during the sign-in process, and the endpoint/URL that Smartsheet calls must contain the IdP metadata.

Cause

Your metadata isn't accessible or can't be validated.

• The 509Certificate value in the assertion does not match the 509Certificate value in the IdP metadata saved in Smartsheet 

Resolution

Unfortunately, this error can be caused by many different scenarios. Here are a couple of things to check:

• Capture and analyze an assertion.
• Check certificates and metadata for the org.
• Check metadata for both (Persistent ID/NameID) and (EmailAddress).
• If the 509Certificate value in the assertion does not match what you see saved in the IdP metadata, you will need to get new metadata from their IdP so you can update it in Smartsheet.

Cause

• Stored browser settings could be blocking
• Metadata pipeline could be blocked

Resolution

• Clear cache and cookies or try an in-private or incognito browser session.
• Reach out to Smartsheet Support for further investigation.

Cause

• Stored setting in browser
• Certificate has expired or rolled over to new one
• Certificate is using SHA1

Resolution

• Clear cache and cookies
• Determine if the certificate was replaced recently. If so, update your metadata in Smartsheet.
• Upgrade to use the suggested SHA256 certificate.

Cause

• The user's profile in the IdP profile isn't fully provisioned yet

Resolution

• Clear cache and cookies or try an in-private or incognito browser session.
• Capture and analyze an assertion.
• Work with the IdP administrator to confirm the user is completely set up. Comparing the affected user to a working user can be helpful in understanding this issue. 

Cause

• Stored setting in browser
• Change in certificates in the IdP configuration without an update in Smartsheet
• Required claims are not present in assertion or in an incorrect format

Resolution

• Clear cache and cookies
• Work with your IdP Admin to ensure no changes have occurred. If there have been changes, update your metadata in Smartsheet.
• Capture and analyze an assertion.

Cause

• This is most likely an IdP error. When a SAML message is addressed to a location inconsistent with where the SP believes it's running, this error will be thrown. The SP pulls much of this information from the web environment.

Resolution

• Work with your IdP admin to review your metadata and make sure the ACS URL is correct.
• Compare your customer's metadata to what is in Smartsheet. Re-add the metadata directly from your IdP as needed to make sure you have the most up-to-date version in the app.
• Review the Shibboleth Wiki.