Understanding the SAMLWrapper Error Log

The Error

A user tries to log in via SAML SSO and fails. The log shows this:

Attribute samlNameID is not present in session

Followed by:

Cannot proceed, please check the authentication tracker mentioned above

Basically, the system looks for the user identity (samlNameID) in the session, doesn't find it, and aborts the login.

What samlNameID Is

samlNameID is the unique identifier that the IdP (Identity Provider) sends back after the user authenticates. It is usually an email address or username. If this attribute is missing from the SAML response, the app has no way to know who logged in.

Common Causes

  • IdP does not send a NameID: the SAML assertion is missing the NameID element. Check the IdP config and make sure the NameID format is configured correctly
  • Wrong attribute mapping: the IdP sends the identity, but under a different name. The app expects "samlNameID" while the IdP sends it as a different attribute name
  • Session expired mid-flow: the user took a long time on the IdP login page, and the session on the SP side had already expired by the time the response came back
  • Clock skew: server time between the IdP and the SP is out of sync, so the SAML assertion is treated as expired

How To Debug

  1. Check the SAML response: use a browser extension (SAML Tracer) to capture the actual SAML response. Look for whether the NameID element is there
  2. Check the IdP logs: confirm the authentication succeeded on the IdP side
  3. Check the attribute mapping: in the SP config, verify the attribute name matches exactly
  4. Check the timestamps: compare NotBefore/NotOnOrAfter in the assertion against the server time
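Steps 1, 3 and 4 above (and the first, second and fourth causes in the list before them) can be checked offline against a captured response once you have it from SAML Tracer. The script below is an added example for this post, not code from SAMLWrapper or any IdP; it parses a constructed sample response, reports whether a NameID is present, lists the attribute names the IdP actually sent so they can be compared with the SP mapping, and evaluates the Conditions window against a given server time with a configurable clock-skew allowance. The sample XML, the issuer URL and the five-minute skew are all assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real capture): NameID is absent, the IdP only sent the
# identity as an Attribute called "email", and the validity window is 12:00-12:10 UTC.
SAMPLE_NO_NAMEID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-06-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-06-01T12:00:00Z" NotOnOrAfter="2024-06-01T12:10:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The same assertion with a proper NameID in the Subject, for the healthy case.
SAMPLE_OK = SAMPLE_NO_NAMEID.replace(
    "<saml:Subject>",
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "alice@example.test</saml:NameID>",
)


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def diagnose(xml_text, now, max_skew=timedelta(minutes=5)):
    """Run the NameID, attribute-name and Conditions checks on one SAML Response.

    Returns a dict with the NameID value (or None), its Format, the attributes the
    IdP sent, and a list of human-readable problems (empty when nothing tripped).
    """
    result = {"name_id": None, "name_id_format": None, "attributes": {}, "problems": []}
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        result["problems"].append("no Assertion element (encrypted assertion or wrong document?)")
        return result

    # Step 1: is the NameID element present and non-empty in the Subject?
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        result["problems"].append("NameID missing from Subject")
    else:
        result["name_id"] = name_id.text.strip()
        result["name_id_format"] = name_id.get("Format", "(unspecified)")

    # Step 3: collect the attribute names actually sent, to compare with the SP mapping.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        result["attributes"][attr.get("Name")] = values

    # Step 4: evaluate NotBefore / NotOnOrAfter against server time, allowing skew.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + max_skew < parse_saml_time(not_before):
            result["problems"].append(
                f"assertion not yet valid: NotBefore={not_before}, now={now.isoformat()}"
            )
        if not_on_or_after and now - max_skew >= parse_saml_time(not_on_or_after):
            result["problems"].append(
                f"assertion expired: NotOnOrAfter={not_on_or_after}, now={now.isoformat()}"
            )
    return result


if __name__ == "__main__":
    server_time = datetime(2024, 6, 1, 12, 5, tzinfo=timezone.utc)
    for label, doc in (("missing NameID", SAMPLE_NO_NAMEID), ("healthy", SAMPLE_OK)):
        report = diagnose(doc, server_time)
        print(label, "->", report["name_id"], report["attributes"], report["problems"])
```

Run it as a script to see both samples diagnosed; for real captured responses, pass the server time you read from the SP host rather than the machine running the script, since the clock skew you are hunting is between the IdP and the SP. The stdlib parser is fine for a file you captured yourself; a tool that parses responses arriving from the network should use a hardened XML parser such as defusedxml instead.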

The Stack Trace

The log will show the full call chain through the filters:

SAMLWrapperImpl → AuthenticationFilter → SecurityFilter → ...

This is normal; it just shows the request path through the filter chain before it hit the error. The part that matters is the error message above it.

Fix

It depends on the root cause:

  • IdP config issue → fix the NameID mapping on the IdP
  • Session timeout → increase the session timeout or reduce the time spent on the IdP login
  • Clock skew → sync NTP on both servers

Most common fix: check the IdP attribute mapping. 90% of the time, the NameID is either not sent or sent under the wrong attribute name.
