Curator 101: Troubleshooting SAML Responses

Matthew Orr
Curator Engineer
November 23, 2022

When talking about SAML single sign-on (SSO) and Curator, there are several moving parts that all need to be working in order to have a seamless flow. These moving parts include your SAML identity provider (IdP), Curator and usually one or more of your analytics platforms (Tableau, ThoughtSpot, etc.). When setting up Curator to work with SAML, it can sometimes be tricky to identify which of these moving parts is the cause of an issue and which one needs to be fixed. You can go through the effort to ask each of them, but don’t be surprised if they all act innocent and point fingers and the others to pass the blame.

Typically, setting up Curator is as easy as importing your metadata from your SAML IdP (Okta, OneLogin, Ping, Azure Active Directory, etc.), so this blog post will focus on troubleshooting the information the IdP is sending to Curator during the login flow. Issues are frequently caused by the IdP sending the usernames in a non-standard field, or by the IdP sending the usernames in a format that differs from what Curator expects. Being able to see this communication between your IdP and Curator can highlight those differences. The good news is that you won’t run afoul of wiretapping laws if you follow the guide below.

Browser Plugins

The first step to being able to view the SAML responses is to install a browser plugin that captures that specific communication between the IdP and Curator. Two of the most popular browser plugins are provided here.

Google Chrome

SAML Chrome Panel plugin. This adds a “SAML” tab to your browser’s developer tools.

Mozilla Firefox

SAML-tracer plugin. This adds an icon to your toolbar to start it tracking SAML communication.

Curator’s SAML Debug Mode

If you can’t install a browser plugin, you can use Curator’s SAML debug mode as an alternative.  To turn this on, go to Backend >Settings >Security >Authentication Settings >SAML Advanced section. Instead of being able to see the responses immediately in your browser, you’ll need to check Curator’s event log (Backend >Settings >Logs >Event Log).

Capturing the SAML Communication

  • Once you have an appropriate browser plugin installed or debug mode enabled, open the plugin so that it’s visible.
  • Visit Curator and go through the flow to (attempt to) log in.
  • Once you reach an error or other issue you’re troubleshooting, view the responses to check that the username format is what Curator expects and the field name matches what Curator is looking at.

The SAML response will be in XML format, which might be daunting at first, but you can ignore the bulk of the code and just look for your username somewhere in the middle of all of that.

By default, Curator will look for “username” and “NameID.” If you need to use something else, configure it in your Curator SAML settings in the Custom User Identifier Field setting.

If there’s a username format mismatch, you should be able to send a different format from your IdP to match Curator. Alternatively, you can use Curator’s username mapping functionality to bridge the gap, like a helpful translator when urgently asking for the restroom in a country where you don’t know the language and serves lots of extremely spicy food that is abruptly in a rush to part ways with your GI tract … or some other more pleasant analogy.

To learn more about Curator’s username mapping functionality, check out this link: