Troubleshooting SAML SSO Setup
Diagnose the most common Rehearsal SAML SSO problems - users provisioned with no first or last name, the wrong NameID, and how to capture the SAML assertion you need to confirm a fix.
This article is for the IT administrator configuring SAML SSO between your identity provider (IdP) and Rehearsal. It covers attribute requirements, the most common auto-provisioning failures, and how to capture the one artifact that resolves almost all of them. For the full setup process, the complete attribute list, and supported features, see the SSO Overview.
Rehearsal does not have an attribute-mapping screen. It reads a fixed set of case-sensitive, lowercase keys from the SAML assertion your IdP sends. Most setup issues come down to the IdP sending a key with the wrong name, the wrong casing, or an empty value.
Required Attributes
Your IdP must send these attribute assertions. Keys must be lowercase, exactly as written:
| Attribute | Required | Notes |
|---|---|---|
| emailaddress | Yes | A single valid email string |
| firstname | Recommended | Populates the user's first name |
| lastname | Recommended | Populates the user's last name |
emailaddress is sufficient on its own to provision a user. To populate the user's name, firstname and lastname must also be sent. The unique, never-changing identifier is delivered through the NameID subject (see below), not as a separate attribute.
The only key that is not lowercase is the subject, which must be literally NameID.
Rehearsal also supports many optional attributes (job title, department, country/region/territory, location, group membership, mentor/mentee relationships, and tags). See the SSO Overview for the complete list.
Issue: Users Provision With Email but No First or Last Name
This is the most common symptom: auto-provisioning creates the account with an email address, but the First Name and Last Name fields stay empty.
Why it happens: The email arrives in the NameID subject of the assertion, so the account is created. First and last name can only come from the firstname and lastname attribute assertions - they are never carried in NameID. If those attributes are missing, misnamed, or empty, the name is blank.
The usual causes:
- The attribute's real `Name` is a claim URI (for example `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`) or a friendly label, instead of the literal `firstname`/`lastname`. Rehearsal matches on the exact `Name` string.
- Wrong casing, such as `FirstName` or `firstName`.
- The key is sent but the value is empty because the IdP mapped it to a source field that is not populated for the test user.
Adding NameID does not fix this. NameID is a single subject value - it carries the email and cannot also carry the user's name.
Recommendation: Use a Stable NameID
NameID is the persistent identifier that links a login back to the same Rehearsal profile every time. It should be a value that never changes for the user.
Email address is a common default but a poor choice - emails change with name changes, rebrands, and corrections. When the email changes, the link to the user's existing profile and session history breaks. Use a stable Employee ID as the NameID instead.
Capturing the SAML Assertion
The fastest way to confirm what your IdP is actually sending is to capture one real SAML assertion from a test login. The raw Response XML shows the exact attribute Name values and whether each value is populated.
Option A - SAML trace (preferred):
- Install a SAML tracer (the SAML-tracer extension for Firefox or Chrome, or use browser DevTools).
- Start the trace and log in to Rehearsal through SSO as a test user.
- Find the `Response` containing the `Assertion` and save the decoded XML.
- Confirm the attribute `Name` values are the lowercase keys above and that each has a non-empty value.
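The last step of Option A can be automated against the decoded XML you saved. The script below is an added example for this article, not Rehearsal's or any IdP's code: it reads a standard SAML 2.0 Response (or a bare Assertion), pulls out the NameID and every attribute `Name`, and reports the causes listed under "Users Provision With Email but No First or Last Name": a key sent under a claim URI or with the wrong casing, a key whose value is empty, a required key missing altogether, and a NameID that is an email address rather than a stable identifier. The two embedded responses are constructed samples; the `surname` and `emailaddress` claim URIs are the standard siblings of the `givenname` URI quoted above and are assumed here as the usual defaults an IdP sends.

```python
"""Check a decoded SAML Response for the attribute keys Rehearsal expects.

Added diagnostic for this article; it is not Rehearsal's or any IdP's code.
Assumes a standard SAML 2.0 Response/Assertion layout and the lowercase keys
the article names: emailaddress (required), firstname and lastname
(recommended), plus the NameID subject.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REQUIRED = {"emailaddress"}
RECOMMENDED = {"firstname", "lastname"}

# Claim URIs an IdP often sends by default, mapped to the key Rehearsal reads.
# The givenname URI is from the article; the other two are assumed siblings.
CLAIM_URI_TO_KEY = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "firstname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "lastname",
}


def extract_attributes(xml_text):
    """Return (name_id, {attribute Name: [non-empty values]}).

    Accepts either a full samlp:Response or a bare saml:Assertion. An
    attribute that is sent with only blank text maps to an empty list.
    """
    root = ET.fromstring(xml_text)
    assertion_tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == assertion_tag else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in the supplied XML")
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (nid.text or "").strip() if nid is not None else ""
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = [v for v in values if v]
    return name_id, attrs


def diagnose(xml_text):
    """Return a list of findings in a fixed order; an empty list means no problems."""
    name_id, attrs = extract_attributes(xml_text)
    findings = []
    if not name_id:
        findings.append("NameID: missing or empty, so the login cannot be linked to a profile")
    elif "@" in name_id:
        findings.append("NameID: is an email address; a stable Employee ID is recommended")
    for key in sorted(REQUIRED | RECOMMENDED):
        if key in attrs:
            if not attrs[key]:
                findings.append(f"{key}: key is sent but its value is empty")
            continue
        level = "required" if key in REQUIRED else "recommended"
        # Exact key absent: look for the usual misnamings (casing, claim URI).
        aliases = [n for n in attrs if n.lower() == key or CLAIM_URI_TO_KEY.get(n) == key]
        if aliases:
            findings.append(f"{key}: not found, but '{aliases[0]}' is sent; "
                            f"rename it to the exact lowercase key")
        else:
            findings.append(f"{key}: {level} attribute is not sent at all")
    return findings


# Constructed sample: wrong casing on FirstName, the surname claim URI instead
# of lastname, and an email address used as NameID.
BROKEN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same IdP after the fix, with an Employee ID as NameID.
FIXED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:NameID>E10042</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, xml in (("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, diagnose(xml) or ["no problems found"])
```

Paste the decoded XML from your SAML trace in place of the constructed samples and run the script; each finding names the key and the specific correction. The script only reads the attribute section and deliberately does not validate the signature or conditions, so it tells you what the IdP sent, not whether Rehearsal accepted it.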
Option B - Screenshot (if a trace is not possible):
Send a screenshot of your IdP's SSO attribute/claim configuration for the Rehearsal application. It must show the Name field for each attribute (not just the friendly name) and the source field each one maps to.
Need help? Submit a ticket to Customer Solutions for SAML SSO setup and provisioning support.