Support Note KB0398476
Email
User attempts to login via Single Sign-On(SSO) and observes the authentication error "User does not exist"
Issue

User attempts to login via Single Sign-On and observes the below error.

Authentication error: User does not exist.

Resolution

There are two possible resolutions to this issue:

Resolution 1: Request the customer to create the user in Ariba with the correct User ID as seen in the NameID in the Simple Assertion Markup Language (SAML) Response. The User IDs in Ariba are case-sensitive. The UserID passed in the SAML Response must match exactly as it is created in Ariba.

Resolution 2: Request the customer to change their web browser certificate.

Cause

There are two possible causes:

  1. Invalid UserID is being passed in the SAML Response from customers Identity Provider (IdP) to the Ariba Procurement Solution or Ariba Sourcing Solution.
  2. A change in the web server certificate.
Additional Information

Steps to capture and retrieve logs:

  1. Turn on Auth: DEBUG, sso: DEBUG and the user: Info for all the UI Nodes. 
  2. After the user attempts to log in to Ariba via Single Sign-On(SSO). Turn off the logs on all procurement or sourcing UI nodes and retrieve the log files.
  3. On all the UI nodes logs, search (Ctrl+F) for SAMLResponse and copy out the entire SAMLResponse line from the log file (wherever it is found). Be sure to take note of the customer's community node and time of the user's login attempt, so you will know you are retrieving the right SAMLResponse.
  4. Paste the SAMLResponse as seen below on Notepad++ and search for  <NameID> Tag and see what User ID is passed in the SAML Response.

Sample SAML Response:

SAMLResponse Decoded: <samlp:Response ID="_de75d4af-0dc8-4592-83da-348775e1de25" Version="2.0" IssueInstant="2018-07-03T15:18:14.770Z" Destination="https://s1-eu.ariba.com/Buyer/Main/ad/samlAuth/SSOActions?realm=xxxxxx" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_1530631094466-651867957400586253.10.178.240.65" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sts.xxxxx.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_819d91be-26b6-45cb-8df3-f94f7711d0bb" IssueInstant="2018-07-03T15:18:14.770Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://sts.xxxx.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_819d91be-26b6-45cb-8df3-f94f7711d0bb">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>YUwh6TGzu0gXK7hXirYEhQbI18I=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ckKo6+Ohy1gA+Wv9MkaFnvFhADuxci3Eh2bRoEN/qHigcm+fR6zUR0Jt0V6avtwG/Byb01Qw0OheUmHOq/Z3A11Kvxqmex2hJknEFUaVny1Jbcg4nNyavJhKP7FTkoV8Ihd9Xw38EkIrnYIWPyn/fJbKH6b6QQEgB27XP0W28LWq/O7ithDy/c37OyIzf0EJIkqFNifvm5BiUxEjOEXup9X5SKVQ2qFiOZ/mSW+zqNTqKMCpPe4idDqAIHdTeCaK6CUQuJjaklRrgejYdjnP4JhAbn4SxDlDgiD+15VrDv1EkX/YtiWQ93ZLAFriPnj9L5fexQr54WmduJ0AdZp26Q==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC1jCCAb6gAwIBAgIQNZx75I0XX6JI0dQoPHR7oTANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDExxBREZTIFNpZ25pbmcgLSBzdHMuc2FwcGkuY29tMB4XDTEzMDcwNDEzMTk1M1oXDTQwMTExOTEzMTk1M1owJzElMCMGA1UEAxMcQURGUyBTaWduaW5nIC0gc3RzLnNhcHBpLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALWrHXqE24667NUG8kKz58tNXM4e43kQLcUTMfM0y/gJpbN7kCCZcpOWGZVTidv+gU6kHRK+6U0y2ZnqpTBYf4cxCP3RimQH77Cvye7fVqfwogB2TAHFL1YSda2AZmY1+mIv63aFzRHAZjZ0Ke9lyLzKFb/AcwYK5qeUSMBR5g71K78RR4r6BysUvPBWT08nwmNL7gdqEgY91o0jcip0DXsPDnIOqkcoZeWFTEN1uROhoifFiVj0LImJbwTWOrbZx22FqOhdxDK9fFQ/VYayANAZOA6A8Wz/m6zStm2htJjqfpx3X9OLLTjpZx0JsB6M8kAbf3D6TghipwbRbIx/r80CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAOfEzMtjZTxUe3dxGlTK70wM2jNoKtzCNc6QivkjG/8uh7TeSRfiwRcLYSbC/ydV+ffS2REDR4cQkYx0W5UG440SOSTJ7wCZaKgwzLTCnx8fl9sVlCaHVG94KzMhmJSdHnOOwjXd1Ks6I+JfUzlUKRcUN4pJSYqXdP3cjIXdiYw1XSLmWB0cmhHe/MXAaiRyrQBKPOwo+BPnNRqY7YHgMZWAnJGlUQ1Okjzv0TuGeXkUM4AS3BIL7NxI7GNJTUcdSk+mVYFGwTx34l9g6BtzwbStL8V4C/T0+kjIZzd/JLRoGwwEK2gDPSVuHN3d6mwIMlnP1mV6h96lNrSDcBeu2ZQ==</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID>JohnDoe</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_1530631094466-651867957400586253.10.178.240.65" NotOnOrAfter="2018-07-03T15:23:14.770Z" Recipient="https://s1-eu.ariba.com/Buyer/Main/ad/samlAuth/SSOActions?realm=xxxx" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2018-07-03T15:18:14.770Z" NotOnOrAfter="2018-07-03T16:18:14.770Z">
<AudienceRestriction>
<Audience>http://xxxxx.procurement-eu.ariba.com</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2018-07-03T15:18:14.754Z" SessionIndex="_819d91be-26b6-45cb-8df3-f94f7711d0bb">
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>


Applies To

Purchasing
Strategic Sourcing

Terms of Use  |  Copyright  |  Security Disclosure  |  Privacy