New users get error: We could not sign you in. Please contact your Administrator

  • Mark Foster
    # 3 months, 1 week ago

    Hello! I would like help debugging an error: We could not sign you in. Please contact your Administrator. We are trying to setup an intranet site so we have the SSL Login Option “Redirect to IdP if user not logged in”. New users hit our landing page, then the SSO. The SSO then responds with a 200 OK and everything looks OK as far as I can tell from dev tools but when they hit cbitech.wpengine.com again and it responds with a 500 error. Retrying eventually works and the user’s account is created and they are logged in as a subscriber as expected. Any help debugging would be much appreciated! – Mark

    Kalpesh
    Keymaster
    # 3 months, 1 week ago

    Mark, Can you please share error logs from your Apache or PHP for 500 error you are getting so that we can get the exact issue.

    Mark Foster
    # 3 months, 1 week ago

    I dug into this a little more with our IT Ops folks. The problem is that our SSO is denying the request intermittently. The SAML response from our Oracle SSO when the 500 error shows up is “The AuthnRequest could not be validated”.

    After a bit more digging our IT Ops determine the time stamps on the requests are not consistent. Two requests one after another have two totally different time stamps (I.e. two request made seconds apart have time stamps of 2019-02-18T12:56:45Z and 2019-02-18T14:19:28Z). I suspect this may be an issue with our WP host so my question is, where exactly does miniOrange get the time from under the hood? Is it a PHP call to get the system time or something? Thanks!

    Mark Foster
    # 3 months ago

    I checked with my web host, WPEngine, and they assured me their servers are time synced to NTP servers so I don’t understand where the bad IssueInstant date/time stamp is coming from.

    Mark Foster
    # 3 months ago

    Did some more digging and figured out that miniOrange isn’t updating the IssueInstant frequently enough. I will hit over the course of several minutes and the saml request it sends to the idp is the same old time stamp to which the idp response with an error. After about 20 minutes it will update the IssueInstant, the idp will respond without error, and everything works. So now my question is, how do I get miniOrange to update the IssueInstant more frequently so it is not sending the same date/time stamp for IssueInstant in its SAML request to the idp for seems to be 15-20 minutes? Please help. This has been super frustrating and I have spent days on this issue now.

    Mark Foster
    # 3 months ago

    After even more digging I think miniOrange IS updating the IssueInstant timestamp and the problems is WPEngine caching the landing page. If do a force purge of all WPEngine caches when the problem is occurring, I can get an updated JavaScript with a new SAML request and timestamp.

    Now I am trying to figure out if miniOrange is setting content expiration through WP but WPEngine is ignoring it and caching anyway or is miniOrange not communicating that the page should expired quickly or not cached at all.

    Mark Foster
    # 3 months ago

    FYI, for anyone else that runs into this, confirmed this is an issue with WPEngine caching the landing page effectively rendering the SAML request embedded within by miniOrange stale. Using the WPEngine purge all button temporarily fixes problem (for a few minutes) otherwise it will intermittently fail when the cached SAML request is stale, and therefor rejected by the idp, and then suddenly work for a few minutes when you hit it right after the cached content expires and is refreshed. WPEngine will not lower the cache time on any of their shared instance plans because it would affect all their customers on that server (allegedly). This effectively breaks SSO in cases where the identity provider is checking the IssueInstant time stamp (probably most). I would NOT recommend WPEngine’s base plans if you need to do SAML SSO authentication. Any recommendations on good managed WordPress hosts? So frustrating.

    Kalpesh
    Keymaster
    # 3 months ago

    Hi Mark,

    Can you check with WPEngine if they allow to SKIP caching for specific URL.

    So that we can disable caching for the SSO endpoint which is generating IssueInstant.

    Kevin boger
    # 2 months, 2 weeks ago

    Our users get this error message every couple of months or so. Sometimes it says the SSL certificates don’t match with Azure SSO. But when I update the federation url, it imports the cert data and starts working again.

    Has there been a resolution for this?

    Kalpesh
    Keymaster
    # 2 months, 2 weeks ago

    Hi Kevin,

    Yes, IDPs like Azure AD change their certificates over a certain period of time for security reasons, so the plugin needs to be updated again. You can fix this by configuring the refresh metadata in the plugin

    In the Upload IDP metadata section of the plugin, there is a feature using which you can sync the plugin configuration with the IDP metadata after every specific time interval.

    Please follow the steps below to refresh the IDP metadata periodically.
    1. Go to Service Provider tab of the plugin and click on the Upload IDP Metadata button.
    2. Provide your IDP metadata URL in the provided textbox for URL.
    3. Enable the Update IdP settings by pinging metadata URL checkbox.
    4. From the given dropdown menu, select how often you want to sync the plugin configuration with the IDP metadata.
    5. Finally, click on the Fetch Metadata button.

    Let me know if that works.

Viewing 10 posts - 1 through 10 (of 10 total)

Reply