SAML authentication failed attempts Description This alert does not specifically identify the reason for the failed SAML attempts. However, it detected that your instance have 10+ failed SAML login attempts and no success SAML attempts on the last 15 minutes Cause: Several possible causes for the alert. If the certificate has changed, it could take a few minutes while it get refreshed. The IDP server was returning errors during the specified timeMultiple possible configurations on your SAML setup. Resolution: To find the root cause please review the instance System logs, on Level Error, that contains SAML at the time of the error: You can check with the following link: <instance>/syslog_list.do?sysparm_query=sys_created_onONToday@javascript:gs.beginningOfToday()@javascript:gs.endOfToday()%5EmessageLIKESAML%5Elevel%3D2&sysparm_first_row=1&sysparm_view=&sysparm_filter_only=true(please set the search at the time of the error) If you want the certificates to be updated automatically, please follow KB0679991 - How to safely self-update your IDP certificate when Multi SSO and avoid "IDP Certificate Mismatch" from occurring For other errors, please review KB0657104 - Errors for which to validate your Multiple-Provider single sign-on configuration To see which certificate has triggered the alert, go to: 1.Multi SSO ->Providers->find the IdP by using the sys id from the alert (filter sys id = "idp_id_from_the_alert_description") 2. Click on the IdP and scroll down. 3.Find the “active” certificates and most likely it's the one that is either expired or is about to expire To delete the expired certificates that could be causing side effect problem (please note this will be required every-time the certificates expires), go to the X.5-9 Certificates table and set those certificates active = false. You can check with the following link: <instance>/sys_certificate_list.do?sysparm_query=active%3Dtrue%5Eexpires>javascript:gs.endOfYesterday()&sysparm_first_row=1&sysparm_view=&sysparm_filter_only=true(you need to be a System Administrator) If the certificate is expired, find the new one in the logs: <instance>/syslog_list.do?sysparm_query=sys_created_onONToday@javascript:gs.beginningOfToday()@javascript:gs.endOfToday()%5EmessageLIKESAML%5Elevel%3D2&sysparm_first_row=1&sysparm_view=&sysparm_filter_only=true(please set the search at the time of the error) Copy the new certificate from the logs and paste instead of the old one. If our internal monitoring has detected 5+ successful user login attempts and no failures from your instance I will move the alert to clear.