Okta Classic Engine | Okta Integration Network | Answered | 2024-04-30T09:18:25.000Z | 2016-07-29T17:24:18.000Z | 2018-08-12T04:14:32.000Z
Debug Okta 400 Bad Request GENERAL_NONSUCCESS
I wanted to check if there are additional ways on the Okta admin dashboard or via Okta customer support to find out what exactly caused a 400 error. In our case, exactly one user is failing SSO, resulting in a 400 Bad Request, which points to bad data from our partner.
  • Does Okta log the posted SAML request in case of 400 errors?
  • If yes, how can we see it in the Okta admin dashboard, or can we request it offline?

  • Hi Sunil,

    You can view the SAML assertion being sent when the user clicks a chiclet by using the SAML tracer tool in Firefox. Chrome too has a SAML tracer web extension; you can find it in the Chrome Store by searching "SAML Message Decoder." Below are instructions on how to use the Firefox version:
    1. A SAML trace can be performed in Mozilla Firefox using the SAML tracer browser extension https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
    2. Install the browser extension, open it, and then click the chiclet of the app in question from the Okta dashboard (in Firefox)
    3. After clicking the chiclet, the SAML tracer will fill with data
    4. In the SAML tracer, click the entry highlighted with the word "SAML" on the right
    5. In the bottom portion of the SAML tracer you will see 3 sections (tabs): http, Parameters, and SAML
    This will help you see what data is being sent to the SP. If this does not help, submit a support ticket with the SAML trace and we can take a look on the back end and see what else could be causing the 400 error. In this case too, since the SP is returning the 400 error, their logs should reflect the attempted request that resulted in a 400 error and hopefully shed some light as to why the 400 was generated.
    Selected as Best
  • j5v7c (j5v7c)

    Since our partner user was facing the issue, we could not have tried SAML tracer. The typical flow is partner -> partner's 3rd party SSO system -> Okta hub.

    What helped us was the system logs on the admin dashboard. We saw "user creation failure" errors and were able to pinpoint that it was the partner's 3rd party SSO system which was not sending us mandatory attributes like firstName, lastName for that user, whereas it was sending accurate data for everyone else.

    The error was something like this:

    firstName field failed validation with value 'null': The field cannot be left blank.
    lastName field failed validation with value 'null': The field cannot be left blank
  • j5v7c (j5v7c)

    Hi James,

    However, it isn't possible to decrypt EncryptedAssertion with browser addons. Got anything to deal with this in Okta?
This question is closed.
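
One way to apply the findings from this thread to a captured SAMLResponse form value (the base64 parameter a SAML trace records), as an added example that is not from the original posts or from Okta: it reports required attributes that are missing or empty, and says when the assertion is encrypted and therefore unreadable. The required attribute names are taken from the error text above; the function names and the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstName", "lastName")  # assumption: names taken from the error text


def check_saml_response(b64_response, required=REQUIRED):
    """List problems in a base64 SAMLResponse value (HTTP-POST binding)."""
    # Diagnostic only: the signature is not verified, so never use this
    # to decide whether a login should be trusted.
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes:  # SAML messages carry no DTD
        return ["response contains a DOCTYPE: refusing to parse"]
    root = ET.fromstring(xml_bytes)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted: attributes unreadable without the recipient's private key"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]
    values = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        texts = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values[attr.get("Name")] = [t for t in texts if t]
    problems = []
    for name in required:
        if name not in values:
            problems.append(f"{name}: attribute missing")
        elif not values[name]:
            problems.append(f"{name}: attribute present but empty")
    return problems


def build_sample(attrs=None):
    """Constructed sample: minimal unsigned Response; attrs=None yields an encrypted one."""
    if attrs is None:
        inner = "<saml:EncryptedAssertion/>"
    else:
        inner = "<saml:Assertion><saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>" % "".join(
            '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>' % kv
            for kv in attrs.items())
    xml = '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">%s</samlp:Response>' % (
        NS["samlp"], NS["saml"], inner)
    return base64.b64encode(xml.encode()).decode()


GOOD = build_sample({"firstName": "Ada", "lastName": "Lovelace"})
BAD = build_sample({"firstName": ""})  # constructed: like the one failing partner user
ENCRYPTED = build_sample(None)
```

For an encrypted assertion the check can only report that fact, so the receiving side's own logs remain the place to see which attribute failed validation.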