This could indicate there is a mismatch between the Recipient and Destination URLs. Check in the SAML response XML if Recipient and Destination URL's match. When it does not match it should be configured in your SAML provider.

The URL in the configuration file is probaby incorrect. Check your wbe.config.yml file and look at the app.url variable. That should match the domain that is used to access WriteBackExtreme

The return url that ends with auth/saml/login-return is probably not added to the Assertion Consumer Service URLs in your SSO provider

• Check if the user that is trying to login has permissions to view the management console. He should be either admin or have at least one role attached. And he should not be blocked

• Check the logs in the management console. (Info & License->System Logs, click the log of that specific day) Maybe there is a clue stored in there.

• Check the attributes in your IDP provider. The username should match the username that you have in the management console.

This problem occures/happends, because of the way how the session authentication method (SAML AuthnRequest) is configured on the other SSO app. WritebackExtreme by defaults use “Password, ProtectedTransport” as request authentication method.

Solution

We have added a configuration variable to allow all options, but allow any cross request authentication method. Within the wbe.config.yaml file set the following variable to not strictly check on the cross request authentication method:

  env:
    portal:
      saml:
        requested_auth: false