SAML troubleshooting: Capture an assertion
During a SAML sign-in, the browser, the service provider (SP, in this case Smartsheet), and the identity provider (IdP, which might be Okta, Azure, OneLogin, etc.) exchange several requests and responses. One of those requests carries the assertion, in which the IdP tells the SP about the user logging in: the X.509 certificate, the persistent ID (also called the IdP unique identifier), and the email address (the Smartsheet unique identifier).
What is an assertion?
An assertion is information passed from the IdP to Smartsheet or Resource Management. The assertion contains the authentication information Smartsheet needs to verify the right person is logging into the account. When users are having issues logging in or trouble setting up SAML, reviewing assertions can help troubleshoot what's wrong.
In response to the assertion, Smartsheet will respond with, "Yes, your certificate is valid and you have a valid persistent ID and email address, so you may log in." Or it may say, "No, your certificate is invalid (not secure), or you don't have the expected persistent ID or email address. Your login failed." This error might tell you what's broken.
These instructions tell you how to capture the assertion. Follow them carefully, save the file, and analyze the assertion using the guidelines in this article.
To capture an assertion
1. Close all incognito windows, then open a new incognito window in Google Chrome (upper-right Chrome menu > New Incognito Window) to start with a fresh browser.
2. Click the upper-right Chrome menu > More Tools > Developer Tools.
3. Open the Network tab and check the box for Preserve Log.
4. Browse to https://app.smartsheet.com/b/home (or https://rm.smartsheet.com/ if troubleshooting Resource Management).
5. Enter your email address in the box and click Continue.
6. If you're redirected to log in with your company credentials, go to step 7. If not, a grey button labeled Your Company Account should appear at the bottom of the screen. Click the Your Company Account button and log in with your company credentials.
7. Provide your credentials to authenticate to your company's SSO system. This should reproduce the error.
8. Select the Network tab at the top of Developer Tools and type POST in the Filter field (or acs for Resource Management).
9. Select the POST result under Name (or the acs result for Resource Management), then select the Payload tab to the right. Scroll down to the Form Data section and review the SAMLResponse value. This is the encoded assertion.
10. Select all of the SAMLResponse value and copy it in its entirety; it is a long block of text.
11. With the encoded assertion copied, browse to https://idp.ssocircle.com/sso/toolbox/samlDecode.jsp
12. Paste the encoded assertion into the box under SAML Request, select the POST option below it, and click the decode button.
13. Select XML View.
14. Save the file. You can now determine whether there are errors or missing information. See Identify issues in a SAML assertion to learn what to look for.
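The decoding in steps 11 to 14 can also be done locally, which keeps the assertion (it identifies the user and may still be inside its validity window) off a third-party site. The script below is an added example, not Smartsheet's or any IdP's own tooling. It base64-decodes a SAMLResponse copied from the Form Data section (the HTTP-POST binding the article captures, with a fallback for the DEFLATE-compressed HTTP-Redirect form found in a query string), then pulls out the three items the article says Smartsheet checks: the X.509 certificate, the persistent NameID, and the email address. Assumptions not taken from the article: the email is carried in any SAML Attribute whose Name contains "email", and the sample response embedded in the script is constructed, with a placeholder string in place of a real certificate.

```python
"""Decode a captured SAMLResponse locally and list what Smartsheet checks.
Added example, not Smartsheet's or an IdP's code. The email-attribute
naming rule and the sample response are assumptions/constructed data."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml_response(encoded: str) -> str:
    """Turn the SAMLResponse form value into XML text.
    HTTP-POST binding (the Form Data value) is plain base64; the
    HTTP-Redirect binding is raw DEFLATE then base64, so inflate
    when the decoded bytes do not already look like XML."""
    raw = base64.b64decode("".join(encoded.split()))
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_saml_response(xml_text: str, binding: str = "post") -> str:
    """Inverse of decode_saml_response; used only to build sample input."""
    data = xml_text.encode("utf-8")
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def summarize_assertion(xml_text: str) -> dict:
    """Extract status, certificate, persistent ID, email and validity window."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    summary = {
        "status": status.get("Value") if status is not None else None,
        "issuer": root.findtext("saml:Issuer", default=None, namespaces=NS),
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "signed": False, "certificate": None, "name_id": None,
        "name_id_format": None, "email": None,
        "not_before": None, "not_on_or_after": None,
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # encrypted or missing: nothing more to read in clear
        return summary
    summary["signed"] = assertion.find("ds:Signature", NS) is not None
    cert = assertion.find(".//ds:X509Certificate", NS)
    if cert is not None and cert.text:
        summary["certificate"] = "".join(cert.text.split())
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        summary["name_id"] = (name_id.text or "").strip()
        summary["name_id_format"] = name_id.get("Format")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        summary["not_before"] = cond.get("NotBefore")
        summary["not_on_or_after"] = cond.get("NotOnOrAfter")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if "email" in (attr.get("Name") or "").lower():  # assumed naming rule
            summary["email"] = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
            break
    return summary


def find_problems(summary: dict) -> list:
    """Return readable gaps in the fields the article says Smartsheet verifies."""
    problems = []
    if summary["status"] != SUCCESS:
        problems.append(f"IdP status is not Success: {summary['status']}")
    if summary["encrypted"]:
        problems.append("assertion is encrypted; fields cannot be read from the capture")
    if not summary["signed"] or not summary["certificate"]:
        problems.append("assertion is unsigned or carries no X.509 certificate")
    if not summary["name_id"]:
        problems.append("no NameID (persistent ID) in Subject")
    elif "persistent" not in (summary["name_id_format"] or ""):
        problems.append(f"NameID format is not persistent: {summary['name_id_format']}")
    if not summary["email"]:
        problems.append("no email attribute found")
    return problems


# Constructed sample response (not a real capture); the certificate is a placeholder.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2024-01-01T12:00:00Z" Destination="https://app.smartsheet.com/b/acs">'
    "<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>"
    f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
    "<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>"
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>'
    "<ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    "user-persistent-id-123</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>'
    '<saml:AttributeStatement><saml:Attribute Name="Email">'
    "<saml:AttributeValue>jane.doe@example.test</saml:AttributeValue>"
    "</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"
)
SAMPLE_SAMLRESPONSE = encode_saml_response(SAMPLE_XML)  # what the Form Data value looks like

if __name__ == "__main__":
    result = summarize_assertion(decode_saml_response(SAMPLE_SAMLRESPONSE))
    for key, value in result.items():
        print(f"{key}: {value}")
    print("problems:", find_problems(result) or "none")
```

To use it on a real capture, replace SAMPLE_SAMLRESPONSE with the SAMLResponse value copied in step 10; the decoded XML is the same text the online decoder's XML View shows, and find_problems lists which of the certificate, persistent ID, or email is missing before you move on to Identify issues in a SAML assertion.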