Introduction

The error "SAML assertion is not present in the token" means the application or token broker expected a SAML assertion, or a claim mapped from one, but the token it received does not carry it. In practice this usually points to a federation flow mismatch, broken attribute mapping, or a service that is validating the wrong token type (for example an upstream OIDC access token instead of the broker-issued token that carries the SAML-derived data).

Symptoms

  • Login succeeds at the IdP but the application rejects the returned token
  • The broker or gateway logs mention a missing SAML assertion
  • The issue starts after IdP migration, app reconfiguration, or token exchange changes
  • One environment works while another returns the missing assertion error

Common Causes

  • The application expects a SAML-backed token but received a plain OIDC or JWT token
  • The identity broker is not mapping the SAML assertion into the downstream token or session
  • IdP attribute release or relying-party configuration changed
  • Audience, ACS URL, or token exchange configuration drifted between environments

Step-by-Step Fix

  1. Confirm which token the application is validating. Make sure the service is inspecting the token that should carry the SAML-derived data, not an upstream access token from another hop.
  2. Review broker and application logs around the failed login. Look for where the assertion disappears: at the IdP, at the broker, or at the final application.
```bash
# Substitute your broker's or gateway's own log file; auth.log is only an example location
grep -i saml /var/log/auth.log
grep -i token /var/log/auth.log
```
  3. Check the relying-party and attribute mapping configuration. Validate that the IdP still sends the expected assertion and that the broker maps it into the downstream token or session. The shape below is illustrative; each broker product expresses the mapping in its own format.
```json
{
  "attributeMapping": {
    "saml_assertion": "assertion"
  }
}
```
  4. Verify ACS URL, audience, and token exchange settings. If the wrong relying-party app or callback is used, the broker may complete login without the data your service expects.
  5. Retest with the exact application flow. Do not stop at a successful IdP login page. Confirm the final application receives the token shape it expects.
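The steps above, worked through end to end as an added example (not code from the original page): a constructed SAML 2.0 assertion is parsed, a hypothetical broker mapping in the shape the page shows is applied to mint a downstream HS256 JWT, and a `diagnose` function names the hop at which a required claim went missing. The issuer URLs, signing key, mapping semantics (the source `assertion` embeds the whole assertion; any other source is a SAML attribute name) and the "upstream token" are all assumptions made for illustration; real brokers such as Keycloak, ADFS or Okta configure this differently.

```python
"""Trace a SAML-derived claim from the IdP assertion, through a broker
mapping, into the downstream JWT, and name the hop where it went missing.
Added example, not code from the original page. The assertion, mapping
config, issuer URLs and HS256 key below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
KEY = b"constructed-demo-key"  # hypothetical broker signing key

# Constructed sample: the assertion the IdP releases to the broker.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://broker.example.test/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue><saml:AttributeValue>dev</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical broker mapping in the shape the page shows: downstream claim -> SAML source.
# Source "assertion" embeds the whole assertion; any other source is a SAML Attribute Name.
MAPPING = {"attributeMapping": {"saml_assertion": "assertion", "email": "mail", "groups": "groups"}}


def parse_assertion(xml_text):
    """Extract issuer, subject, audience and released attributes from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": [a.text for a in root.findall(".//saml:Audience", NS)],
        "attributes": attrs,
        "raw": xml_text,
    }


def map_to_claims(assertion, mapping_config):
    """Apply the broker mapping. A source the IdP did not release is skipped silently,
    which is exactly how a claim vanishes without any error being logged at the broker."""
    claims = {"iss": "https://broker.example.test", "sub": assertion["subject"]}
    for claim, source in mapping_config["attributeMapping"].items():
        if source == "assertion":
            claims[claim] = base64.b64encode(assertion["raw"].encode()).decode()
        elif source in assertion["attributes"]:
            values = assertion["attributes"][source]
            claims[claim] = values[0] if len(values) == 1 else values
    return claims


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    """Minimal HS256 JWT so the downstream token has a realistic shape to inspect."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, key):
    """Check the HS256 signature before trusting any claim, then return the payload."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("JWT signature does not verify")
    return json.loads(_b64url_decode(payload))


def diagnose(required_claim, assertion, mapping_config, token_claims):
    """Name the hop that lost required_claim: 'idp', 'broker', 'application', or None if present.
    'application' means IdP and mapping are fine, so the claims being inspected must come from
    a different token than the one the broker issued (the step 1 mistake)."""
    if required_claim in token_claims:
        return None
    source = mapping_config["attributeMapping"].get(required_claim)
    if source is None:
        return "broker"
    if source != "assertion" and source not in assertion["attributes"]:
        return "idp"
    return "application"


if __name__ == "__main__":
    assertion = parse_assertion(SAMPLE_ASSERTION)
    downstream = verify_jwt(mint_jwt(map_to_claims(assertion, MAPPING), KEY), KEY)
    upstream = {"iss": "https://idp.example.test", "sub": "jdoe"}  # constructed token from an earlier hop
    print("downstream token:", diagnose("saml_assertion", assertion, MAPPING, downstream))
    print("upstream token:", diagnose("saml_assertion", assertion, MAPPING, upstream))
```

Run against the broker-issued token, `diagnose` returns `None`; run against the upstream access token it returns `"application"`, which is the step 1 mistake of validating the wrong token. Dropping `saml_assertion` from the mapping reproduces the broker-side failure, and mapping an attribute the IdP never released reproduces the IdP-side one; the signature check in `verify_jwt` is there because claim inspection should never precede signature validation on a real token.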

Prevention

  • Keep federation flow diagrams documented for each environment
  • Version-control SAML attribute and broker mapping configuration
  • Test full login flows after IdP, certificate, or callback URL changes
  • Validate downstream token contents, not just upstream authentication success