Skip to main content
Version: Next

Administration Troubleshooting

This page collects common administration issues and diagnostics for Cortex Archive features that have video walkthroughs elsewhere in the documentation.

SAML with ADFS

SAML with ADFS troubleshooting

Applies to: Administration -> Authentication -> SAML with ADFS
Related guide: SAML Authentication with ADFS

Symptoms and fixes

1) Login fails immediately, or ADFS returns a relying party / identifier error

Most common cause: The Relying Party Trust identifier does not exactly match Cortex Archive's PublicUri.

What to check

  • Your Cortex Archive Authentication:Saml:PublicUri
  • Your ADFS Relying Party Trust Identifier (Entity ID)

Fix

  • In ADFS -> Relying Party Trusts -> (your trust) -> Properties
    • Ensure the Identifier is exactly the same as the PublicUri
    • Match:
      • https vs http (should be https)
      • Hostname
      • Port (if present)
      • No trailing slash differences

2) ADFS authenticates successfully, but Cortex Archive does not log the user in

Most common cause: ADFS is not sending the correct user identifier claim (or Cortex Archive is looking for a different claim).

What to check

  • In ADFS, the claim rule should map:
    • Active Directory attribute: SAM-Account-Name
    • Outgoing claim type: Name ID

Fix

  • ADFS -> Relying Party Trusts -> (your trust) -> Edit Claim Issuance Policy
    • Add Rule -> Send LDAP Attributes as Claims
    • Attribute store: Active Directory
    • LDAP Attribute: SAM-Account-Name
    • Outgoing claim type: Name ID

Notes

  • SAM-Account-Name is effectively the Windows username.
  • The outgoing claim type must be Name ID (not Email, UPN, etc.) unless you have intentionally configured Cortex Archive to look up by email (see below).

3) You do not see �Active Directory� in the Attribute Store dropdown

Cause: ADFS services / AD integration isn�t available in the current context, or the trust creation flow didn�t fully initialize the rule editor.

Fix

  • Close and re-open the rule editor and try again.
  • Confirm ADFS is properly joined/configured with Active Directory.
  • If you have an existing relying party trust where the dropdown works, compare the server role/services and configuration against the environment you�re currently editing.

4) ADFS does not know where to send the SAML response (assertion)

Most common cause: The Assertion Consumer Service (ACS) endpoint was not added (or is incorrect).

Fix

  • ADFS -> Relying Party Trusts -> (your trust) -> Properties -> Endpoints
    • Add SAML Assertion Consumer endpoint
    • Binding: POST
    • URL: {PublicUri}/saml-post
    • Set it as Default

Example If PublicUri is https://archive.company.com, the endpoint should be: https://archive.company.com/saml-post

5) Certificate validation errors (common with self-signed certificates)

Symptoms

  • Cortex Archive fails to start authentication flow
  • Logs mention certificate chain, validation, or revocation issues

Cause

  • Self-signed or internal CA certificates often fail strict validation or revocation checks in environments where the chain is not trusted.

Fix options

  1. Preferred: Use a certificate chain trusted by the Cortex Archive host.
  2. For dev/test environments only: relax validation settings.

Common settings used in non-production scenarios:

  • Authentication:Saml:CertificateValidationMode
  • Authentication:Saml:RevocationMode

If you relax these settings for testing, restore strict validation before moving to production.

6) �Logout� appears to do nothing (user immediately logs back in)

Cause

  • Logging out of Cortex Archive does not necessarily log the user out of ADFS.
  • If the user still has an active IdP session, ADFS will instantly re-authenticate them and redirect back.

Fix

  • Set:
    • Authentication:Saml:ForceAuthn = true

This forces ADFS to prompt for credentials again during authentication after logout, instead of silently reusing the existing IdP session.

7) �The certificate file� confusion (PFX vs public cert)

Quick rule

  • Cortex Archive server: needs the PFX (certificate + private key)
  • ADFS server: should receive certificate only (no private key)

Fix

  • Export two copies:
    1. PFX (with private key) -> used by Cortex Archive (CertificateFile + password)
    2. CER/CRT (public only) -> imported into ADFS during relying party trust setup

What to collect before opening a support ticket

If SAML still fails after the above:

  • The PublicUri you configured
  • Your ADFS relying party identifier and endpoint URL
  • Your claim rule mapping (screenshot or text)
  • The relevant Cortex Archive log lines during login attempt
Internal Auth - Redirected Back to Login Page

Symptoms

When attempting to sign in using Internal authentication, the user is successfully redirected after login but immediately returned to the Log In page.

Likely Cause

This behavior is commonly caused by a corrupted, expired, or blocked authentication cookie in the browser.

How to Check

  1. Open the site in a Private / Incognito browser window.
  2. Attempt to log in again using Internal authentication.
  3. If login succeeds in private mode, the issue is almost certainly cookie-related.

Resolution

  1. Clear cookies for the affected site:
  2. Close all browser windows.
  3. Reopen the browser and attempt login again.

If the issue persists after clearing cookies and verifying in private mode, contact Support for further investigation.