SAML SSO Troubleshooting

Common Issues

Certificate Mismatch

Symptom: SAML signature validation failed

Cause: ISE doesn’t trust Keycloak’s signing certificate

Resolution:

  1. Export the Keycloak signing certificate

  2. Import it into ISE as a trusted certificate

  3. Enable "Trust for SAML signing"

Redirect Loop

Symptom: Browser loops between ISE and Keycloak

Cause: Session not established

Resolution:

  1. Check time synchronization

  2. Verify that the ACS URL matches on both ISE and Keycloak

  3. Check that browser cookies are enabled

Attribute Not Mapped

Symptom: User authenticated but missing roles

Cause: Attribute mapping incorrect

Resolution:

  1. Verify that Keycloak sends the expected attributes

  2. Check ISE attribute mapping configuration

  3. Enable SAML debug logging

Debug Logging

Enable SAML debug in ISE:

  1. Administration > System > Logging > Debug Log Configuration

  2. Set SAML components to DEBUG

  3. Reproduce the issue

  4. Check the logs
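
The checks behind the three issues above, applied to one decoded SAML response captured from the browser or the debug logs. This is an added example, not part of the original page or of ISE or Keycloak tooling; the sample response, ACS URL, attribute names and certificate bytes are constructed placeholders. It compares certificate bytes only and does not verify the signature.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample values (placeholders, not taken from a real deployment).
FAKE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example.test/acs">
 <saml:Assertion>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
  <saml:AttributeStatement><saml:Attribute Name="email"/></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # SAML instants are UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(xml_text, acs_url, trusted_sha256, required_attrs, now, skew=timedelta(minutes=1)):
    """Return findings for one decoded SAML response. Does NOT verify the signature."""
    root, findings = ET.fromstring(xml_text), []
    # Certificate Mismatch: compare the embedded signing cert with the one the SP trusts.
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or not cert.text:
        findings.append("no embedded signing certificate to compare")
    elif hashlib.sha256(base64.b64decode(cert.text)).hexdigest() != trusted_sha256.lower():
        findings.append("embedded signing certificate is not the trusted one")
    # Redirect Loop: the ACS URL must match exactly (scheme, host, port, path).
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    # Redirect Loop: validity window against the SP clock (time synchronization).
    cond = root.find(".//a:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid: SP clock behind the IdP")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired: SP clock ahead of the IdP or stale response")
    # Attribute Not Mapped: which expected attributes did the IdP actually send?
    sent = {a.get("Name") for a in root.iterfind(".//a:Attribute", NS)}
    findings += [f"attribute {n!r} not sent by the IdP" for n in required_attrs if n not in sent]
    return findings

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 20, tzinfo=timezone.utc)  # constructed, drifted SP clock
    print(triage(SAMPLE, "https://sp.example.test/acs",
                 hashlib.sha256(FAKE_DER).hexdigest(), ["email", "roles"], now))
```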
