Form authentication issues
If you enabled DigiD, eHerkenning or eIDAS for your form and it doesn't work, the sections below list some common problems and how to resolve them.
The login screen is not shown at all
After clicking on the form authentication login button, the login process does not start. This can be caused for a number of reasons. Please check the logs for a more detailed error message and see below.
Error
ImproperlyConfigured: The file: XXX could not be found. Please specify an existing metadata in the conf['metadata_file'] setting.
Solution
The metadata file was not correctly deployed when installing Open Forms. Please configure and deploy Open Forms properly.
Error
OneLogin_Saml2_Error: Invalid dict settings: idp_sso_not_found
Solution
Make sure the metadata IDPSSODescriptor element contains at least the following child elements. The exact Location URLs can differ:
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="[...]/saml/idp/resolve_artifact" index="0"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="[...]/saml/idp/request_logout"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="[...]/idp/request_authentication"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="[...]/saml/idp/request_authentication"/>
Error
OneLogin_Saml2_Error: Invalid dict settings: idp_not_found
Solution
Make sure the Identity provider service entity ID is correctly configured. It needs to match the URL found in the entityID attribute of the <EntityDescriptor ... entityID="<URL>"> element in the XML file uploaded under Metadata identity provider.
For Logius, this is typically set to https://was.digid.nl/saml/idp/metadata in production and to https://was-preprod1.digid.nl/saml/idp/metadata in pre-production. But be aware that these values might change over time.
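The two errors above (idp_sso_not_found and idp_not_found) can both be caught before a deployment by inspecting the uploaded IdP metadata. The script below is an added example, not code from Open Forms: it reads the entityID from the EntityDescriptor, checks that the IDPSSODescriptor contains the four service elements with the bindings listed above, and compares the entityID with the value you configured. The sample metadata, the https://idp.example.test URLs and the missing HTTP-POST service are constructed for the example.

```python
"""Added check for IdP metadata: is the IDPSSODescriptor complete and does the
entityID match what is configured? (Example code, not part of Open Forms.)"""
import xml.etree.ElementTree as ET  # use defusedxml for metadata you do not trust

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# (element name, Binding) pairs the IDPSSODescriptor must contain; these are
# the four child elements listed in the docs above.
REQUIRED_SERVICES = [
    ("ArtifactResolutionService", SOAP),
    ("SingleLogoutService", REDIRECT),
    ("SingleSignOnService", POST),
    ("SingleSignOnService", REDIRECT),
]

# Constructed sample metadata (hypothetical IdP); the HTTP-POST
# SingleSignOnService is deliberately left out so the check has something to report.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml/idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test/saml/idp/resolve_artifact" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/idp/request_logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/idp/request_authentication"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Return the entityID and the (element, Binding) pairs that are missing."""
    root = ET.fromstring(xml_text)
    # The EntityDescriptor is either the root or wrapped in an EntitiesDescriptor.
    entity = root if root.tag == f"{{{MD}}}EntityDescriptor" else root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata (compare: idp_not_found)")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata (compare: idp_sso_not_found)")
    # Strip the namespace from each child tag and pair it with its Binding.
    present = {(child.tag.rsplit("}", 1)[-1], child.get("Binding")) for child in idp}
    missing = [service for service in REQUIRED_SERVICES if service not in present]
    return {"entity_id": entity.get("entityID"), "missing": missing}


def entity_id_matches(xml_text, configured_entity_id):
    """True only on an exact match; a trailing slash or http/https difference fails."""
    return inspect_idp_metadata(xml_text)["entity_id"] == configured_entity_id


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_METADATA)
    print("entityID:", report["entity_id"])
    for name, binding in report["missing"]:
        print(f'missing <md:{name} Binding="{binding}">')
```

Run it against the metadata file you actually uploaded and the entity ID from the Open Forms admin; an exact string comparison is deliberate, because the SAML library compares the values literally as well.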
The DigiD login succeeds but Open Forms shows that login failed
After clicking the form authentication login button, the login process starts but after completing it, Open Forms shows an error message. Please check the logs for a more detailed error message and see below.
Error
The ArtifactResponse could not be validated due to the following error:
The status code of the ArtifactResponse was not Success, was RequestDenied
Solution
The DigiD broker probably returns an invalid response. This can be caused by many things and should be debugged together with the DigiD broker and the Open Forms supplier.
Error
The sha1 hash of the entityId returned in the SAML Artifact (...) does not
match the sha1 hash of the configured entityId
(https://example.com/saml/metadata)
Solution
The configured metadata does not match the entityID configured. The Open Forms provider should configure the proper metadata file or the DigiD broker should provide the proper metadata.
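To see why this error mentions a sha1 hash: in the SAML 2.0 HTTP-Artifact binding, a type 0x0004 artifact is the base64 encoding of a 2-byte type code, a 2-byte endpoint index, a 20-byte SourceID (the SHA-1 of the artifact issuer's entityID) and a 20-byte message handle. The decoder below is an added example, not Open Forms code: it unpacks an artifact and compares its SourceID with the SHA-1 of the entityID you configured, which is exactly the comparison the error message reports as failing. The build_artifact helper only exists to produce test input; real artifacts come from the broker.

```python
"""Added example: decode a SAML 2.0 type-0x0004 artifact and check its SourceID
against a configured entityID. Not part of Open Forms."""
import base64
import hashlib
import os

# Layout per the SAML 2.0 Bindings spec:
# TypeCode (2) | EndpointIndex (2) | SourceID (20, SHA-1 of entityID) | MessageHandle (20)
ARTIFACT_TYPE = b"\x00\x04"
ARTIFACT_LEN = 44


def source_id_for(entity_id):
    """SourceID = SHA-1 digest of the issuer's entityID (UTF-8)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id, endpoint_index=0, handle=None):
    """Construct a test artifact; the handle is random unless one is supplied."""
    handle = handle if handle is not None else os.urandom(20)
    raw = ARTIFACT_TYPE + endpoint_index.to_bytes(2, "big") + source_id_for(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def decode_artifact(artifact):
    """Split an artifact into its fields; reject anything that is not type 0x0004."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN or raw[:2] != ARTIFACT_TYPE:
        raise ValueError("not a 44-byte type-0x0004 SAML 2.0 artifact")
    return {
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24],
        "message_handle": raw[24:44],
    }


def artifact_issued_by(artifact, configured_entity_id):
    """True when the artifact's SourceID equals the SHA-1 of the configured entityID."""
    return decode_artifact(artifact)["source_id"] == source_id_for(configured_entity_id)


if __name__ == "__main__":
    # Constructed input: a hypothetical broker entityID and a fixed handle.
    issuer = "https://idp.example.test/saml/idp/metadata"
    art = build_artifact(issuer, handle=b"\x01" * 20)
    fields = decode_artifact(art)
    print("endpoint index:", fields["endpoint_index"])
    print("source id     :", fields["source_id"].hex())
    print("expected      :", source_id_for(issuer).hex())
    print("match         :", artifact_issued_by(art, issuer))
```

When the check fails, the two hex digests tell you which side is off: compute source_id_for for both the entityID in the configured metadata and the one the broker says it uses, and whichever equals the artifact's SourceID is the value the broker is actually sending.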
Error
The Response could not be validated due to the following error:
https://example.com is not a valid audience for this Response
Solution
The DigiD broker should make sure the configured audience matches the exact URL as shown in the error. Make sure there is no trailing slash (/) and no http instead of https.
Error
The Response could not be validated due to the following error:
The Assertion of the Response is not signed and the SP require it
The Response could not be validated due to the following error:
No Signature found. SAML Response rejected
Solution
The DigiD broker should either sign the assertion in the XML or the entire response. The Open Forms supplier should set DIGID_WANT_ASSERTIONS_SIGNED to either True if the assertion is signed or to False if the response is signed.
Error
The Response could not be validated due to the following error:
The status code of the Response was not Success, was Responder ->
urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext
Solution
You most likely tried to log in with the option to test a level of assurance that is too low for the form. Remember that if you didn't set a LoA in the form, the default is "middle". Select the proper level in the DigiD login screen (only available with DigiD pre-production) or change the level in the form.
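The last three errors (audience, signature placement and status code) can all be read off the SAML Response that the broker returned, which is usually visible in the logs. The inspector below is an added example and not part of Open Forms: it walks the nested StatusCode chain (so a Responder -> NoAuthnContext result comes out as a list), checks the Audience against your SP entity ID and names the likely cause of a mismatch (trailing slash, http vs https), and reports whether ds:Signature sits on the Response, on the Assertion, or on neither. Both sample responses, the https://forms.example.test URL and the empty placeholder Signature element are constructed for the example; nothing here verifies a signature, it only locates one.

```python
"""Added example: inspect a SAML 2.0 Response for status, audience and
signature placement. Diagnostic only; not Open Forms code."""
import xml.etree.ElementTree as ET  # use defusedxml for responses you do not trust

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed: a Success response whose Assertion carries a placeholder
# (empty) Signature and whose Audience has a trailing slash.
SAMPLE_SUCCESS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature/>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://forms.example.test/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed: the Responder -> NoAuthnContext status from the error above.
SAMPLE_NO_AUTHN_CONTEXT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r2" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>
"""


def status_chain(root):
    """Status code short names, outermost first, e.g. ['Responder', 'NoAuthnContext']."""
    chain = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    while code is not None:
        chain.append(code.get("Value", "").rsplit(":", 1)[-1])
        code = code.find("samlp:StatusCode", NS)
    return chain


def audience_problem(root, sp_entity_id):
    """None when sp_entity_id is listed as an Audience, else the likely cause."""
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if sp_entity_id in audiences:
        return None
    for aud in audiences:
        if aud.rstrip("/") == sp_entity_id.rstrip("/"):
            return f"trailing slash differs: got {aud!r}, expected {sp_entity_id!r}"
        if aud.replace("http://", "https://", 1) == sp_entity_id.replace("http://", "https://", 1):
            return f"scheme differs: got {aud!r}, expected {sp_entity_id!r}"
    return f"no matching audience in {audiences!r}"


def signature_location(root):
    """'response', 'assertion', 'both' or None, depending on where ds:Signature appears."""
    on_response = root.find("ds:Signature", NS) is not None
    on_assertion = root.find("saml:Assertion/ds:Signature", NS) is not None
    if on_response and on_assertion:
        return "both"
    return "assertion" if on_assertion else ("response" if on_response else None)


def inspect_response(xml_text, sp_entity_id):
    root = ET.fromstring(xml_text)
    return {
        "status": status_chain(root),
        "audience_problem": audience_problem(root, sp_entity_id),
        "signature": signature_location(root),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_NO_AUTHN_CONTEXT):
        print(inspect_response(sample, "https://forms.example.test"))
```

Read the "signature" value against the setting described above: "assertion" corresponds to DIGID_WANT_ASSERTIONS_SIGNED = True and "response" to False, while None means the broker signed nothing and the "No Signature found" rejection is expected. A status list that ends in NoAuthnContext points at the level of assurance mismatch rather than at configuration.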