Form authentication issues

If you enabled DigiD, eHerkenning or eIDAS for your form and it doesn’t work, we show some common problems and how to resolve them.

The login screen is not shown at all

After clicking on the form authentication login button, the login process does not start. This can have a number of causes. Check the logs for a more detailed error message and see below.

Error

ImproperlyConfigured: The file: XXX could not be found. Please specify an existing metadata in the conf['metadata_file'] setting.

Solution

The metadata file was not correctly deployed when installing Open Forms. Please configure and deploy Open Forms properly.

Error

OneLogin_Saml2_Error: Invalid dict settings: idp_sso_not_found

Solution

Make sure the metadata IDPSSODescriptor element contains at least the following child elements. The exact Location URLs can differ:

<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="[...]/saml/idp/resolve_artifact" index="0"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="[...]/saml/idp/request_logout"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="[...]/idp/request_authentication"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="[...]/saml/idp/request_authentication"/>

Error

OneLogin_Saml2_Error: Invalid dict settings: idp_not_found

Solution

Make sure the Identity provider service entity ID is correctly configured. It needs to match the entityID attribute of the EntityDescriptor element (<EntityDescriptor ... entityID="<URL>">) in the XML file uploaded under Metadata identity provider.

For Logius, this is typically https://was.digid.nl/saml/idp/metadata in production and https://was-preprod1.digid.nl/saml/idp/metadata in pre-production. Be aware that these values might change over time.
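The two settings errors above (idp_sso_not_found and idp_not_found) can be caught before deployment by inspecting the metadata file. The check below is an added example, not part of Open Forms or of the OneLogin library; it parses the uploaded IdP metadata, verifies that the configured entity ID occurs as an entityID attribute, and verifies that the matching IDPSSODescriptor carries the four child elements listed above. The metadata strings and the https://idp.example.test URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Minimum child elements of IDPSSODescriptor, as (element name, Binding) pairs.
REQUIRED_SERVICES = [
    ("ArtifactResolutionService", BINDING + "SOAP"),
    ("SingleLogoutService", BINDING + "HTTP-Redirect"),
    ("SingleSignOnService", BINDING + "HTTP-POST"),
    ("SingleSignOnService", BINDING + "HTTP-Redirect"),
]


def check_idp_metadata(metadata_xml: str, configured_entity_id: str) -> list[str]:
    """Return a list of problems found in the IdP metadata; an empty list means it looks usable."""
    problems = []
    root = ET.fromstring(metadata_xml)
    # The root is either a single EntityDescriptor or an EntitiesDescriptor wrapping several.
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        descriptors = [root]
    else:
        descriptors = root.findall(f"{{{MD_NS}}}EntityDescriptor")
    entity_ids = [d.get("entityID") for d in descriptors]
    if configured_entity_id not in entity_ids:
        # This mismatch is what the idp_not_found error reports.
        problems.append(
            f"configured entity ID {configured_entity_id!r} not found in metadata "
            f"(metadata contains {entity_ids})"
        )
        return problems
    descriptor = descriptors[entity_ids.index(configured_entity_id)]
    idp = descriptor.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor element in the matching EntityDescriptor")
        return problems
    # Each required service must be present with the expected Binding and a Location.
    for name, binding in REQUIRED_SERVICES:
        found = [el for el in idp.findall(f"{{{MD_NS}}}{name}") if el.get("Binding") == binding]
        if not found:
            problems.append(f"missing {name} with Binding {binding}")
        elif not found[0].get("Location"):
            problems.append(f"{name} ({binding}) has no Location attribute")
    return problems


# Constructed sample metadata (not real DigiD metadata); one element per line so the
# broken variant can be derived by dropping a line.
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/saml/idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.test/saml/idp/resolve_artifact" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/idp/request_logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/saml/idp/request_authentication"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/idp/request_authentication"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same metadata without the HTTP-POST SingleSignOnService.
MISSING_SSO_METADATA = "\n".join(
    line for line in GOOD_METADATA.splitlines() if "HTTP-POST" not in line
)

CONFIGURED_ENTITY_ID = "https://idp.example.test/saml/idp/metadata"

if __name__ == "__main__":
    for label, metadata in [("good", GOOD_METADATA), ("missing SSO", MISSING_SSO_METADATA)]:
        print(label, check_idp_metadata(metadata, CONFIGURED_ENTITY_ID) or "OK")
    print("wrong entity ID", check_idp_metadata(GOOD_METADATA, "https://other.example.test/metadata"))
```

Run it against the metadata file you are about to upload, with the entity ID exactly as entered in the Open Forms configuration; any problem it reports corresponds to one of the two errors above and can be fixed before the first login attempt.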

The DigiD login succeeds but Open Forms shows that login failed

After clicking the form authentication login button, the login process starts but after completing it, Open Forms shows an error message. Please check the logs for a more detailed error message and see below.

Error

The ArtifactResponse could not be validated due to the following error:
The status code of the ArtifactResponse was not Success, was RequestDenied

Solution

The DigiD broker probably returns an invalid response. This can have many causes and should be debugged together with the DigiD broker and the Open Forms supplier.

Error

The sha1 hash of the entityId returned in the SAML Artifact (...) does not
match the sha1 hash of the configured entityId
(https://example.com/saml/metadata)

Solution

The configured metadata does not match the configured entityID. The Open Forms provider should configure the proper metadata file, or the DigiD broker should provide the proper metadata.

Error

The Response could not be validated due to the following error:
https://example.com is not a valid audience for this Response

Solution

The DigiD broker should make sure the configured audience matches the exact URL shown in the error. Check that there is no trailing slash (/) and that the scheme is https rather than http.

Error

The Response could not be validated due to the following error:
The Assertion of the Response is not signed and the SP require it

The Response could not be validated due to the following error:
No Signature found. SAML Response rejected

Solution

The DigiD broker should sign either the assertion in the XML or the entire response. The Open Forms supplier should set DIGID_WANT_ASSERTIONS_SIGNED to True if the assertion is signed, or to False if the response is signed.
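To decide which value of DIGID_WANT_ASSERTIONS_SIGNED matches what the broker actually sends, inspect where the ds:Signature element sits in a captured SAML Response. The function below is an added example, not Open Forms code: it reports whether the Response element itself, the Assertion, or neither carries a direct Signature child and maps that to the setting as described above. It only checks placement; signature validity is left to the SAML library. The three response documents are constructed samples with placeholder signature values, not captured DigiD traffic.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_placement(response_xml: str) -> dict:
    """Report which element of a SAML Response carries a ds:Signature child.

    Only placement is inspected. An EncryptedAssertion is not looked into, so
    an assertion signed inside an encrypted envelope is reported as unsigned.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response root: {root.tag}")
    # A direct Signature child of the Response signs the entire response.
    response_signed = root.find("ds:Signature", NS) is not None
    # A direct Signature child of the Assertion signs only the assertion.
    assertion = root.find("saml:Assertion", NS)
    assertion_signed = assertion is not None and assertion.find("ds:Signature", NS) is not None
    if assertion_signed:
        suggested = True      # assertion is signed: require signed assertions
    elif response_signed:
        suggested = False     # only the response is signed
    else:
        suggested = None      # nothing is signed: the broker must sign one or the other
    return {
        "response_signed": response_signed,
        "assertion_signed": assertion_signed,
        "DIGID_WANT_ASSERTIONS_SIGNED": suggested,
    }


# Constructed sample responses; the Signature contents are placeholders.
_HEAD = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
)
_SIG = "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
_STATUS = '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'

ASSERTION_SIGNED_RESPONSE = (
    _HEAD + _STATUS + '<saml:Assertion ID="_a1" Version="2.0">' + _SIG
    + "<saml:Subject/></saml:Assertion></samlp:Response>"
)
RESPONSE_SIGNED_RESPONSE = (
    _HEAD + _SIG + _STATUS + '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject/>'
    + "</saml:Assertion></samlp:Response>"
)
UNSIGNED_RESPONSE = (
    _HEAD + _STATUS + '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject/>'
    + "</saml:Assertion></samlp:Response>"
)

if __name__ == "__main__":
    for label, doc in [
        ("assertion signed", ASSERTION_SIGNED_RESPONSE),
        ("response signed", RESPONSE_SIGNED_RESPONSE),
        ("unsigned", UNSIGNED_RESPONSE),
    ]:
        print(label, signature_placement(doc))
```

Feed it the decoded Response from the log entry that produced the error; a result of None means the broker is not signing anything, which is the "No Signature found" case, while True or False tells you which setting to use.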

Error

The Response could not be validated due to the following error:
The status code of the Response was not Success, was Responder ->
urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext

Solution

You most likely tried to log in while testing a level of assurance that is too low for the form. Remember that if you didn't set a LoA in the form, the default is "middle". Select the proper level in the DigiD login screen (only available with DigiD pre-production) or change the level in the form.