This page provides troubleshooting instructions for common errors during Security Assertion Markup Language (SAML) authentication.
If you come across one of the following error messages, there may be an issue with your mappings configuration in Datadog or in your identity provider (IdP) configuration:
- Arf. Unknown User
- There are No Authn Mappings for this User
- Assertion could not be validated
- SAML NO HANDLE ERROR
- No active account for a user
See the matching error below to resolve it.
There are no authn mappings for this user
There is a mismatch between your mappings configuration in Datadog and your configuration in your IdP. See Roles errors.
Assertion could not be validated
After enabling IdP initiated login in Datadog, the Assertion Consumer Service (ACS) URLs in your IdP configuration may be incorrect. Alternatively, your assertions may be unsigned. For more information, see Assertions and attributes.
SAML no handle error
Your assertion may be missing the required eduPersonPrincipalName attribute. Confirm that this attribute is set in your configuration. For more information, see Assertions and attributes.
No active account for a user
This error can occur as a result of the following scenarios:
- If you’ve enabled Just-In-Time (JIT) provisioning, and a user still sees this error when trying to log in, check to see if you have already sent an email invitation to this user prior to enabling JIT. JIT does not apply to users who have already been invited. To resolve this, have the user accept the email invitation. Or, if the invitation has expired, have the admin send a new invitation.
- If a user is no longer enabled in a Datadog organization that has JIT provisioning enabled, and they try to log in again through SAML and the "There is no active account for" error occurs, re-enable the user in User settings.
If you are having trouble updating your IdP metadata file, verify that the metadata file you are trying to upload is valid.
To validate your metadata file:
- Choose a SAML validation tool, such as the SAML developer tool by OneLogin.
- Paste your metadata into the XML field and select Metadata in the XSD (schema file) field.
- Click Validate XML With the XSD Schema.
When mappings are enabled, users logging in with SAML to a Datadog account are stripped of their current roles and reassigned to new roles based on the details in their SAML assertion passed on from your IdP.
Users who log in with SAML and do not have the values that map to a Datadog role are stripped of all roles and are not allowed to log in.
If you have group mappings set and are not able to see your roles, your group mappings in the Datadog application may appear differently in your IdP. To verify:
- Retrieve your IdP’s SAML assertion for your account. Use browser tooling, such as extensions, to retrieve your SAML assertion. For example:
- Navigate to your profile and select Organization Settings in the bottom left corner of Datadog.
- Select SAML Group Mappings.
- Compare the attributes provided by your IdP in your SAML assertion to the attributes set in the SAML Group Mappings tab.
- Resolve any discrepancies in either the Datadog SAML Group Mappings settings or within your IdP settings. For example, if memberof is the attribute set in Datadog, and it is member_Of in your SAML assertion, resolve accordingly.
Discrepancies may occur when there is no match or a mismatch between the attribute key and value. For example, if you see a key-value pair of name_of_your_group_goes_here in SAML Group Mappings, you run into an issue because this pair is not included in the assertion sent over from your IdP.
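The comparison described above (assertion attributes versus the configured SAML Group Mappings, plus the eduPersonPrincipalName check from the SAML no handle error section) as an added example that is not part of the Datadog documentation or product. The assertion fragment, the mapping table and the role names are constructed for illustration; the script uses only the Python standard library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP). Its group attribute
# is named "member_Of", while the mapping below expects "memberof".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonPrincipalName">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="member_Of">
      <saml:AttributeValue>datadog-admins</saml:AttributeValue>
      <saml:AttributeValue>datadog-readonly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical SAML Group Mappings as configured in Datadog: (key, value) -> role.
GROUP_MAPPINGS = {
    ("memberof", "datadog-admins"): "Datadog Admin Role",
    ("memberof", "datadog-readonly"): "Datadog Read Only Role",
}

def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {
        attr.get("Name"): [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    }

def _norm(key):
    # Ignore case and separators so "member_Of" and "memberof" compare equal.
    return key.lower().replace("_", "").replace("-", "")

def diagnose(assertion_xml, mappings):
    """Report the roles the mappings would grant and flag key/value mismatches."""
    attrs = extract_attributes(assertion_xml)
    granted, missing, near_misses = [], [], {}
    for (key, value), role in mappings.items():
        if value in attrs.get(key, []):
            granted.append(role)       # exact key and value match: role is assigned
            continue
        missing.append((key, value))   # no match: this pair grants nothing
        for seen in attrs:             # same key modulo case/separators: likely a typo
            if seen != key and _norm(seen) == _norm(key):
                near_misses[key] = seen
    return {"eppn_present": "eduPersonPrincipalName" in attrs,
            "granted": granted, "missing": missing, "near_misses": near_misses}
```

With the sample as written, no role is granted and near_misses points at member_Of as the likely culprit; renaming that attribute to memberof in the IdP (or the key in Datadog) makes both mappings match.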
If you are having trouble logging in because of a role-based error, contact your Administrator to complete the troubleshooting steps above.
Each IdP provides different types of attributes, and different ways to set attributes. For example, Azure uses object IDs for their attribute, or if you’re using Okta, you must set attributes in Okta settings. Reference your IdP’s attribute documentation for information.
When you disable SAML Group Mappings, users are allowed to log in with SAML and have the same roles they are assigned to—even if the group membership changed in your IdP.
Identity provider (IdP) errors
If you encounter an error coming from your IdP such as Google, Active Directory, Azure, LastPass, Okta, and more:
Identity provider certificates
If you are unable to log in to your account, an IdP certificate may have expired and rotated, prompting a general SAML error.
Some questions to ask yourself that can help narrow down whether you have a certificate issue:
- Are you the only account that is unable to log in? If the issue involves multiple accounts, it could be that an IdP-based certificate has expired or rotated.
- Did anything recently change in your SAML configuration?
- If your users are using multiple IdPs, are the issues persisting across multiple IdPs, or only one?
- Did you recently enable SAML Group Mappings?
To resolve, ensure IdP certificates are up-to-date within your IdP’s settings and that you have uploaded the most recent metadata file from your IdP in Datadog.
If you are still having trouble logging into Datadog, contact Datadog support.
In your message, provide a screen recording of your login process and include responses to the following questions:
- Are you the only account that is unable to log in or are all users unable to log in?
- Which organization are you trying to log in to and how are you trying to log in?
Before reaching out to Datadog support, contact your Administrator. You may also need to reach out to your identity provider to resolve login issues.