Troubleshooting

SAML Certificate Mismatch

Symptom

SAML authentication fails with a certificate validation error after configuring PingFederate. The MCM server rejects the incoming SAML assertion even though the configuration appears correct.

Cause

The IDP_CERT.cert uploaded to MCM does not match the signing certificate that PingFederate is using to sign SAML assertions. This can occur when:

  1. The PingFederate signing certificate was rotated after the initial setup.
  2. The wrong certificate was downloaded or uploaded during configuration.
  3. Multiple signing certificates exist in PingFederate and the incorrect one was exported.

Resolution
Step 1: Use the following steps to compare the certificate embedded in a live SAML assertion against the certificate stored on the MCM server.
  1. Capture the SAML response from the browser:
    1. Open the browser's developer tools (F12) and navigate to the Network tab.
    2. Attempt a SAML login to trigger an authentication flow.
    3. In the Network tab, locate the POST request to: https://<MCM_SERVER_FQDN>/enrollment/saml/callback
    4. In the request Form Data or Payload, copy the value of the SAMLResponse parameter. This is the Base64-encoded SAML assertion.
  2. Extract and inspect the certificate from the SAML response: Run the following command on any Linux shell, replacing <base64-saml-response> with the copied value. If the value copied from the browser is still URL-encoded (it contains %2B or %3D), URL-decode it first; otherwise base64 -d rejects it as invalid input.
    
    echo "<base64-saml-response>" | base64 -d | tr -d '\r\n' \
      | grep -o '<ds:X509Certificate>[^<]*' | head -1 \
      | sed 's/<ds:X509Certificate>//' | base64 -d \
      | openssl x509 -inform der -noout -serial -dates -subject
    
    This outputs the serial number, validity dates, and subject of the certificate that PingFederate used to sign the assertion. The tr step joins the Base64 of the certificate, which the IdP usually line-wraps, onto one line so that grep captures the whole value rather than only its first line.
  3. Inspect the certificate stored on the MCM server: Run the following command on the MCM server:
    openssl x509 -in /var/opt/BESUEM/certs/IDP_CERT.cert -noout -serial -dates -subject
    
  4. Compare the output: The serial value from both commands must match. Example of a matching output:
    serial=1A2B3C4D5E6F...
    notBefore=Jan  1 00:00:00 2024 GMT
    notAfter=Jan  1 00:00:00 2026 GMT
    subject=CN=PingFederate, O=Example Corp
    
    Field      Expected
    serial     Must be identical in both outputs
    subject    Should match
    notAfter   Must not be expired
  5. Resolve mismatch: If the serial numbers differ:
    1. Download the current signing certificate from PingFederate (see Step 5: Download IDP_CERT.cert from PingFederate Server).
    2. Navigate to MCM WebUI > Admin > MDM Servers > Manage Capability > Identity Service Configuration.
    3. Re-upload the correct IDP_CERT.cert under SAML Identity Provider Certificate.
    4. Save the configuration and retry the login.

    Note: If "notAfter" in the MCM-stored certificate has passed but the SAML response certificate is still valid, the certificate on the MCM server is stale. Re-upload the current certificate from PingFederate to resolve the issue.
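The comparison in steps 2 to 4 can be scripted. The following is an added example, not code from the MCM or PingFederate documentation: it decodes the SAMLResponse, pulls every ds:X509Certificate out of it (a response can carry a Response-level and an Assertion-level signature), and compares each against the stored file by SHA-256 fingerprint of the DER bytes, which is stricter than comparing serial numbers. It assumes the stored certificate path from this page, the argument order shown in the docstring, and uses constructed placeholder bytes in place of a real certificate for its built-in sample; run the openssl command above if you also want the validity dates.

```python
"""Compare the signing certificate carried in a SAMLResponse with the
IDP_CERT.cert stored on the MCM server, by SHA-256 fingerprint of the DER bytes.

Added example, not part of the MCM or PingFederate documentation. Assumed:
the SAMLResponse value copied from the browser (argument 1) and the stored
certificate path (argument 2, default taken from the page).
Usage: python check_idp_cert.py "<base64-saml-response>" [/var/opt/BESUEM/certs/IDP_CERT.cert]
"""
import base64
import hashlib
import re
import sys
import textwrap
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import quote, unquote

X509_CERT_TAG = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"
DEFAULT_CERT_PATH = "/var/opt/BESUEM/certs/IDP_CERT.cert"  # path from the page


def decode_saml_response(value: str) -> bytes:
    """XML bytes of a SAMLResponse form value. Browsers often show the value
    still URL-encoded (%2B, %2F, %3D); unquote is a no-op on plain Base64."""
    value = re.sub(r"\s+", "", unquote(value))
    return base64.b64decode(value + "=" * (-len(value) % 4))


def embedded_certificates(xml_bytes: bytes) -> List[bytes]:
    """DER bytes of every ds:X509Certificate in the response. The Base64 inside
    the element is usually line-wrapped, so whitespace is stripped first."""
    root = ET.fromstring(xml_bytes)
    return [base64.b64decode(re.sub(r"\s+", "", node.text or ""))
            for node in root.iter(X509_CERT_TAG)]


def pem_to_der(data: bytes) -> bytes:
    """Accept the stored certificate as PEM or raw DER and return DER."""
    match = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if match:
        return base64.b64decode(re.sub(rb"\s+", b"", match.group(1)))
    if b"-----BEGIN" in data:
        raise ValueError("PEM file contains no CERTIFICATE block")
    return data


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def certificates_match(saml_response_b64: str, stored_der: bytes) -> Dict[str, object]:
    """Fingerprint the stored certificate and every embedded one; 'match' is
    True when the stored certificate is among those in the response."""
    embedded = [fingerprint(c) for c in embedded_certificates(decode_saml_response(saml_response_b64))]
    stored = fingerprint(stored_der)
    return {"stored": stored, "embedded": embedded, "match": bool(embedded) and stored in embedded}


# Constructed placeholder: not a real certificate, only exercises the comparison.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate; they only exercise the fingerprint comparison"


def build_sample_response(cert_der: bytes) -> str:
    """Constructed SAMLResponse form value: URL-encoded Base64 of a minimal
    response whose ds:X509Certificate is line-wrapped at 64 columns."""
    wrapped = "\n".join(textwrap.wrap(base64.b64encode(cert_der).decode(), 64))
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">'
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed">'
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>\n" + wrapped + "\n</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>"
    )
    return quote(base64.b64encode(xml.encode()).decode(), safe="")


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        print(__doc__)
        return 2
    with open(argv[2] if len(argv) > 2 else DEFAULT_CERT_PATH, "rb") as fh:
        stored = pem_to_der(fh.read())
    result = certificates_match(argv[1], stored)
    print("stored   sha256:", result["stored"])
    for fp in result["embedded"]:
        print("embedded sha256:", fp)
    print("MATCH" if result["match"] else "MISMATCH: re-upload IDP_CERT.cert from PingFederate")
    return 0 if result["match"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit with MISMATCH means the file on the MCM server is not the certificate PingFederate signed with, which is exactly the condition step 5 resolves; a stale file after a rotation shows up as a different stored fingerprint.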
Step 2: Verify the SAML Response Structure
When SAML authentication fails, inspecting the raw SAML response XML helps verify that PingFederate is generating an assertion that conforms to what MCM expects. The following procedure shows how to decode and examine the SAML response directly from the browser.
  1. Capture the raw SAMLResponse:
    1. Open the browser's developer tools (F12) and go to the Network tab.
    2. Attempt a SAML login.
    3. Locate the POST request to: https://<MCM_SERVER_FQDN>/enrollment/saml/callback
    4. In the Form Data / Payload section, copy the SAMLResponse value.
  2. Decode and inspect the XML: Run the following command to decode the Base64-encoded response into readable XML. An online decoder can be used instead, but keep in mind that the response carries the user's identity attributes and a signed assertion.
    echo "<base64-saml-response>" | base64 -d
  3. Verify the key fields in the XML: The decoded XML should follow this structure. Use it as a reference to verify each field:
    <samlp:Response Version="2.0" ID="rTZShkWEVHqDzosU4OfWhJhNMl_" IssueInstant="2025-11-20T08:56:02.743Z"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">INSERT YOUR ISSUER DETAILS HERE</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion ID="nZmCvwrfc8R-2.2vtz58xBU2wYP" IssueInstant="2025-11-20T08:56:02.748Z" Version="2.0"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Issuer>INSERT YOUR ISSUER DETAILS HERE</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#nZmCvwrfc8R-2.2vtz58xBU2wYP">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
              <ds:DigestValue>INSERT YOUR DETAILS HERE</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>INSERT YOUR DETAILS HERE</ds:SignatureValue>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>INSERT YOUR DETAILS HERE</ds:X509Certificate>
            </ds:X509Data>
            <ds:KeyValue>
              <ds:RSAKeyValue>
                <ds:Modulus>INSERT YOUR DETAILS HERE</ds:Modulus>
                <ds:Exponent>AQAB</ds:Exponent>
              </ds:RSAKeyValue>
            </ds:KeyValue>
          </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">INSERT YOUR DETAILS HERE</saml:NameID>
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData Recipient="https://MCM_SERVER_FQDN/enrollment/saml/callback" NotOnOrAfter="2025-11-20T09:01:02.748Z"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2025-11-20T08:51:02.748Z" NotOnOrAfter="2025-11-20T09:01:02.748Z">
          <saml:AudienceRestriction>
            <saml:Audience>INSERT YOUR DETAILS HERE</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement SessionIndex="nZmCvwrfc8R-2.2vtz58xBU2wYP" AuthnInstant="2025-11-20T08:56:02.747Z">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </samlp:Response>
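Checking the reference fields by eye is error-prone, so the following added example (not MCM's own validation logic) runs the checks a reviewer would make against the structure above: StatusCode, both Issuer elements, Recipient, Audience, the bearer confirmation method, the NotBefore/NotOnOrAfter window with an allowance for clock skew, and whether the enveloped signature's Reference URI points at the Assertion ID with rsa-sha256. It does not verify the XML signature itself; MCM does that with IDP_CERT.cert. The expected issuer, recipient and audience are hypothetical values the operator supplies, and the embedded sample response is constructed from the page's template.

```python
"""Check the fields of a decoded SAML response against the reference structure.

Added example, not MCM's own validation logic: it checks structural fields only
and does not verify the XML signature. Expected issuer, recipient and audience
are operator-supplied; the sample below is constructed with hypothetical values.
Usage: python check_saml_fields.py "<base64-saml-response>" <issuer> <recipient> <audience>
"""
import base64
import re
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import unquote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def decode_saml_response(value: str) -> bytes:
    """Undo any URL-encoding the browser left in the form value, then Base64-decode."""
    value = re.sub(r"\s+", "", unquote(value))
    return base64.b64decode(value + "=" * (-len(value) % 4))


def instant(text: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def check_response(xml_bytes: bytes, issuer: str, recipient: str, audience: str,
                   now: Optional[datetime] = None,
                   skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Return a list of findings; an empty list means every checked field agrees."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    findings = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no saml:Assertion element"]
    # Issuer appears twice (Response and Assertion); both must name the IdP.
    for label, path, node, expected in (
        ("Response Issuer", "saml:Issuer", root, issuer),
        ("Assertion Issuer", "saml:Issuer", assertion, issuer),
        ("Audience", "saml:Conditions/saml:AudienceRestriction/saml:Audience", assertion, audience),
    ):
        seen = node.findtext(path, default="", namespaces=NS).strip()
        if seen != expected:
            findings.append("%s is %r, expected %r" % (label, seen, expected))
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        findings.append("SubjectConfirmation Method is not bearer")
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    seen = data.get("Recipient") if data is not None else None
    if seen != recipient:
        findings.append("Recipient is %r, expected %r" % (seen, recipient))
    # Validity window, with a small allowance for clock skew between IdP and MCM.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no saml:Conditions element")
    else:
        if cond.get("NotBefore") and instant(cond.get("NotBefore")) > now + skew:
            findings.append("Conditions NotBefore is in the future (clock skew?)")
        if cond.get("NotOnOrAfter") and instant(cond.get("NotOnOrAfter")) <= now - skew:
            findings.append("Conditions NotOnOrAfter has passed: assertion expired")
    # The enveloped signature must reference the Assertion it sits in.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        findings.append("Signature Reference URI does not point at the Assertion ID")
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") != RSA_SHA256:
        findings.append("SignatureMethod is not rsa-sha256")
    return findings


# Constructed sample filled in from the page's template with hypothetical values.
SAMPLE_ISSUER = "https://idp.example.test"
SAMPLE_RECIPIENT = "https://mcm.example.test/enrollment/saml/callback"
SAMPLE_AUDIENCE = "mcm-enrollment"
SAMPLE_NOW = datetime(2025, 11, 20, 8, 56, 30, tzinfo=timezone.utc)
SAMPLE_XML = b"""<samlp:Response Version="2.0" ID="_r1" IssueInstant="2025-11-20T08:56:02.743Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2025-11-20T08:56:02.748Z" Version="2.0"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1"><ds:DigestValue>constructed</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://mcm.example.test/enrollment/saml/callback" NotOnOrAfter="2025-11-20T09:01:02.748Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2025-11-20T08:51:02.748Z" NotOnOrAfter="2025-11-20T09:01:02.748Z">
      <saml:AudienceRestriction><saml:Audience>mcm-enrollment</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_sample(minutes_later: int = 0, recipient: str = SAMPLE_RECIPIENT) -> List[str]:
    """Run the checks on the constructed sample at SAMPLE_NOW plus an offset."""
    return check_response(SAMPLE_XML, SAMPLE_ISSUER, recipient, SAMPLE_AUDIENCE,
                          now=SAMPLE_NOW + timedelta(minutes=minutes_later))


if __name__ == "__main__":
    if len(sys.argv) == 5:
        found = check_response(decode_saml_response(sys.argv[1]), *sys.argv[2:5])
    else:
        found = check_sample()
    print("\n".join(found) if found else "all checked fields agree")
    sys.exit(1 if found else 0)
```

Run without arguments it checks the constructed sample and reports nothing; with a captured SAMLResponse and the three expected values it prints one line per disagreement. A Recipient or Audience finding points at the PingFederate SP connection settings, while a NotBefore or NotOnOrAfter finding with a fresh capture usually means clock drift between the IdP and the MCM server rather than a certificate problem.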