Use the SAML Test Login and output data


When you configure ScreenPal user access using SAML for a Team Plan, after you upload a valid IdP metadata file, you can test the SAML authentication using the Test Login link. This link is displayed in the Authentication area of Settings in the Current SAML Identity Provider (IdP) Metadata File section.

[Image: the Authentication area of ScreenPal Settings, with an arrow pointing to the Test Login link in the Current SAML Identity Provider (IdP) Metadata File section]

The Test Login link is not available when any of the following is true:
  1. SAML is disabled for your Team Plan.
  2. Unsaved changes are present in the Authentication area. (In this case, the text "Please save changes to test logging in" is displayed instead.)
  3. Your SAML Identity Provider (IdP) certificate has expired.
  4. Your Entity ID is still in the temporary TEST verification state. (This occurs when newly uploaded metadata has not yet been confirmed.)

When you click Test Login, the following steps run:
  1. All prior SimpleSAML session cookies are cleared so old sessions do not interfere with the test.
  2. A fresh SAML AuthnRequest is sent to the IdP you configured.
  3. The user authenticates at the IdP (this can be Okta, Microsoft Entra ID, Google, and so forth).
  4. The IdP posts a SAMLResponse back to ScreenPal.
  5. ScreenPal parses the assertion and renders the results page, which is explained in more detail below.
  6. Approximately 25 seconds after the results render, the test session cookies are deleted. The test session does not sign the tester into ScreenPal.

What is shown in the output data

When you click the Test Login link, the following output data, or results page, opens in a new browser tab.
Received SAML login response from: <IdP Entity ID> - Confirms that the response came back from the IdP that is currently configured.
Result: Success! or Result: Error! - Success means that ScreenPal was able to extract a valid email address from the assertion. Error means it could not.

Profile box (on Success)

Email - The email address that ScreenPal resolved from the assertion. It is resolved in this priority order:
  1. OID mail attribute (urn:oid:0.9.2342.19200300.100.1.3)
  2. OID eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6)
  3. SAML NameID (only if it looks like an email)
  4. Microsoft emailaddress claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
  5. Microsoft name claim (only if it contains an @ symbol)
First Name - Derived from the assertion's given name attributes, or N/A if not supplied.
Last Name - Derived from the assertion's surname attributes, or N/A if not supplied.

Error case

If none of the sources above produced a valid address, the page shows:
Missing required email address in the user attributes.
This is the most common SAML setup failure. It means that the IdP is not releasing an email-type attribute to ScreenPal.
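To check what an IdP would release before running Test Login, the priority order and the error case above can be reproduced offline against a decoded assertion. This is an added example, not ScreenPal's code: the function names, the sample assertion, the email shape check and the URI used for the Microsoft name claim (the standard claims URI, which this page does not spell out) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Assumption: a simple shape check stands in for ScreenPal's undocumented validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Priority order from the list above: (label, attribute name; None means the NameID).
# Every candidate must pass EMAIL_RE, which is stricter than "contains an @ symbol".
PRIORITY = [
    ("OID mail attribute", "urn:oid:0.9.2342.19200300.100.1.3"),
    ("OID eduPersonPrincipalName", "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"),
    ("SAML NameID", None),
    ("Microsoft emailaddress claim", CLAIMS + "emailaddress"),
    ("Microsoft name claim", CLAIMS + "name"),
]

# Constructed sample: opaque NameID, and the only email-like value is in the name claim.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>a1b2c3-opaque-id</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def read_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}); no signature check is done here."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs

def resolve_email(name_id, attrs):
    """Walk the priority list; (None, None) corresponds to the error case."""
    for label, key in PRIORITY:
        candidates = [name_id] if key is None else attrs.get(key, [])
        for value in candidates:
            if EMAIL_RE.match(value):
                return value, label
    return None, None

if __name__ == "__main__":
    print(resolve_email(*read_assertion(SAMPLE)))
```

A result of `(None, None)` on your own decoded assertion means none of the five sources carries an email-shaped value, which is the condition the error message above reports.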

Show Full Response

Below the profile box, the Show Full Response toggle is displayed. Clicking this option displays the full raw SAML auth-data array as returned by SimpleSAMLphp. This includes the NameID, every released attribute and its OID, the IdP Entity ID, the session index, and authentication context.

Attach this information when contacting ScreenPal Support, since it shows exactly what your IdP is releasing.


What to do when the test fails before showing the results page

If the test login result is Error, ScreenPal displays the following message:
Oops! An unexpected error occurred. Please contact support for assistance and provide this ID: <UUID>

The UUID is also written to ScreenPal's server error log, along with the exception message, file/line, idpEntityId, spSourceId, the raw SAML response, and the profile attempt. Our Support team can search by the UUID you provide to find the full SAML trace.

Additionally, if you receive this error, click Show Full Response and copy the contents. When you contact ScreenPal Support, please include:
  1. A screenshot of the results page, including the full text under Show Full Response.
  2. The error ID from the error message above, if displayed, so that ScreenPal can locate the matching server-side log entry.
  3. The name of your IdP (for example, Microsoft Entra, Google, ADFS, Okta, and so forth).
  4. If possible, the SAML attributes you are configured to release for email, first name, and last name.






