If a user is complaining that they are no longer able to access Kahuna through SSO, there are steps that can be taken to ensure that the data within Kahuna matches the SSO authentication. (Note Ensure the user has access to Chrome browser, in order to get access to the SAML Response code, for translation)
- Screen Sharing with affected User
- Request Keyboard/Mouse Access of User
- Within the web browser, access the developer tools:
- For Chrome , pressing F12 on the keyboard will open the tools
- Alternatively, select the 3 vertical dots in the upper right hand corner > 'More Tools' > 'Developer Tools'
- Within the developer tools, there are a list of 'tabs', you want to ensure you select the 'Network' tab
- In Chrome select the check box that states 'Preserve Log'
- The purpose of this selection is to ensure that the network log remains, even after navigating to different pages
- Navigate to Kahuna login through SSO, whether typing the URL or through a Portal link.
- Allow the process to complete, once it does, within the Network tab, look for a line item that says 'Post'
- Click the 'Post' line item
- To the right of the Post line, there will be a view of extra data, ensure that the 'Headers' tab is selected
- Navigate down until you see a section that says 'Form Data'
- Copy everything in that section under 'SAMLResponse:' (Note, it will be a large block of ineligible text)
- The SAML Response is a base 64 coded block of text; to view the content, it needs to be decoded.
- There are several online sites that will perform that action, the one I use is https://www.samltool.com/decode.php, another that functions the same is http://base64decode.net/
- Once you have the saml responses copied, save it into a document.
- You might have to email it to yourself, since it is larger than most screen sharing programs allow to post into a chat
- Navigate to one of the decoding sites mentioned above, and paste the block of text into the provided spaces, and then press the Decode button
- This will display the information being sent through SSO.
- We are looking for a set of tags starting with <ds:KeyInfo> and specifically: <saml2:NameID
- This will give you the email that is being sent through SSO
- This email should be compared to the email that is stored on the user within Kahuna
- If the emails do not match, then the nightly User import needs to be modified, in order for the user to be able to access the system.
Here is link to an article that discusses how to perform the same actions through different browsers: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml_view-saml-response.html
If there are any questions, or you would like me to run through this process with you a few times, until you are comfortable, please let me know.