Error: Unable to process the SAML assertion

Issue

After successfully signing in with your organization email and password, you may receive an error message “Unable to process the SAML assertion” when returning to the Autodesk product you were trying to sign in to. (This might also happen when testing the connection during SSO setup.)

Note:

To resolve this issue, you must be a SSO or primary admin. If you receive this error while signing in, share this troubleshooting article with your admin.

Possible causes

The SAML assertion attributes are not mapped correctly in your identity provider
The signing option and signing algorithm information is incorrect in the signing certificate in your identity provider
The incorrect identity provider certificate was uploaded or copied to Autodesk. This can happen while setting up SSO or while renewing the identity provider certificate
The local system clock is out of sync with the server time causing the SAML assertion request to be rejected. This is a rare case scenario.

Solution

Make sure the SAML assertion attributes are mapped correctly in your identity provider. Map the attributes with the Autodesk attribute names as listed in the following table.

Note:

These labels are strictly case-sensitive and if mapped differently, contain invalid characters, or are left empty, SSO authentication will not work. Also, make sure that no spaces are added in the firstName or lastName attributes and that you have entered the correct syntax of the Autodesk attribute names listed in the table.

Autodesk Attribute Names	Identity provider attribute names (Different identity providers might have different labels)
firstName	First Name
lastName	Last Name
email	Email Address
objectGUID	Unique ID of the user in your identity provider (e.g., ObjectGUID/User ID)

Note:

ObjectGUID is an Attribute-Name which represents a Universally Unique Identifier. For ADFS, in addition to the above attributes, you must have a value for the "Name ID" field.

Check that the signing option and signing algorithm are correct in your identity provider’s signing certificate. This is called either the SAML signing certificate or SSO certificate, depending on your identity provider. We recommend the following steps:

Signing option: the SAML response signature might be in the wrong position inside the XML data. Make sure your signing option position is in ‘Assertion’ tag only.
Signing algorithm: Use the SHA2-Family of algorithms, such as SHA256, for signing the SAML assertion.

Check that you have uploaded the correct certificate to Autodesk. If the certificate is incorrect, download the correct certificate from your identity provider. Once the file is successfully downloaded, switch to Autodesk account. In your Single Sign On settings, go to the Manage SSO tab. In your list of connections, select Edit Connection to upload or copy the new certificate in Step 1 – Add Identity Provider and Metadata under Identity Provider Certificate.
If steps 1-3 did not solve the SAML assertion error, we recommend checking that the local system clock is in sync with the server time. There are several tools and websites that can be used to check system time. See Error: System Time and Time Skew

Note:

Once you’ve confirmed all the steps above are correct and still cannot login, don’t hesitate to contact our support team.