If SSO Fails, Do They Try Again?

Single-Sign On FAQ

This article offers SSO troubleshooting help.

** Configuring a new SSO in Centercode using SAML 2.0 will require a level of technical expertise. We strongly encourage you to maintain contact with the correct IT team in your organization; typically the same team you'd go to for help with your company user account. Centercode Support will also be available for supplementary configuration help.

All Single Sign-On configuration fields must match exactly as they appear in your Identity Provider (Azure, Okta, your company's own system, etc). If any fields do not exactly match the settings of your Identity Provider (often referred to as IdP), you'll receive an error when attempting to log in. The following are common reasons why your SSO setup may fail; they are generally already covered in the existing documentation (SAML and OAuth):

  1. (Both SAML & OAuth) Attributes mismatch
  2. (Both SAML & OAuth) User's email or username has a conflict
  3. (SAML) Invalid ACS Signing Certificate Public Key
  4. (OAuth) Identity Provider Login URL is missing parameters
  5. (OAuth) Invalid Token API Post Body
  6. (SAML) Metadata not updated after SSO settings were changed
    1. After any change to your Centercode SSO configuration, you must click the Metadata button on the User Authentication management page (mentioned below)

1. (Both SAML & OAuth) Attributes Mismatch

"The login system failed to provide the following required information:

  • Username
  • Email Address
  • First Name
  • Last Name

Please provide this information and try your login again"

If your Attributes are mismatched between Centercode and your IdP, you'll see this error message when attempting to sign in through your IdP.

It's recommended that you reference your IdP settings and identify the correct Attributes. Here are some examples of possible Attributes to be used, but please refer to your IdP for the exact Attributes (the names are compared as-is, so "Email" and "email" are different):

  • UserName
  • Username
  • Email
  • Email Address
  • EmailAddress
  • emailaddress
  • FirstName
  • firstname
  • LastName
  • lastname

If you're using Azure AD, you may need to use the full "Claim name" URIs rather than their short "Value", because Azure AD places the claim name, not the display value, in the Name of each SAML attribute:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

After any changes you've made to your SSO configuration, you must update your metadata within your Centercode implementation:

  1. Navigate to the User Authentication Management page
  2. Hover over the desired SSO configuration
  3. Click the Metadata icon
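The quickest way to see why Centercode reports a field as missing is to look at the attribute Names the IdP actually put in the SAML Response (a browser SAML tracer shows the same XML) and compare them, character for character, with the names configured on the Centercode side. The script below is an added example written for this page, not Centercode's own code: it parses a constructed SAML Response, lists the attributes the IdP sent, reports which of the four required fields would be missing, and suggests likely near-misses (same last path segment, different case or prefix). The configured names are the Azure AD claim URIs listed above; that mapping, the sample response, and the treatment of blank values as missing are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The four fields Centercode reports as "required information" (see the error
# message above), mapped to the attribute Names configured on the Centercode
# side. These are the Azure AD claim-name URIs from this page; swap in whatever
# your own IdP emits. Assumed configuration, not a value from a real tenant.
CONFIGURED = {
    "Username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Email Address": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "First Name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "Last Name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}

# Constructed SAML Response standing in for one captured with a SAML tracer.
# The IdP sends three claim-name URIs correctly but emits the last name under a
# short custom name ("surname"), which is a typical mismatch.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="surname">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_attributes(response_xml: str) -> dict:
    """Return {attribute Name: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def missing_fields(sent: dict, configured: dict = CONFIGURED) -> list:
    """Fields Centercode would list as missing: the configured Name is absent from the
    response, or present with no non-blank value. The comparison is exact and
    case-sensitive, matching the page's "must match exactly" rule."""
    missing = []
    for field, name in configured.items():
        if not any(v.strip() for v in sent.get(name, [])):
            missing.append(field)
    return missing


def suggest(sent: dict, configured: dict = CONFIGURED) -> dict:
    """For each missing field, the Names the IdP did send whose last path segment
    equals the configured one ignoring case: the usual prefix/case mismatches."""
    def tail(name: str) -> str:
        return name.rsplit("/", 1)[-1].lower()
    out = {}
    for field in missing_fields(sent, configured):
        want = tail(configured[field])
        out[field] = [n for n in sent if tail(n) == want]
    return out


if __name__ == "__main__":
    sent = saml_attributes(SAMPLE_RESPONSE)
    for name, values in sent.items():
        print(f"IdP sent {name} = {values}")
    for field in missing_fields(sent):
        print(f"Centercode would report '{field}' as missing; "
              f"candidates in the response: {suggest(sent)[field]}")
```

Run against the sample, the three claim URIs match and "Last Name" is reported missing with "surname" as the candidate, which tells you whether to fix the claim name on the IdP or the Attribute on the Centercode side. A captured SAML Response carries the user's identity attributes, so redact it before pasting into a support ticket.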

2. (Both SAML & OAuth) User's email or username has a conflict

"This community only allows one account per <username or email address>. You will need to log in using the account that has already been associated with this community."

If a username or email is provided by your IdP and it conflicts with an existing user account, the user may encounter this error when logging in.

Enabling the "User can upgrade from this field" checkbox allows a username or email that already exists in your Centercode implementation to also be associated with an IdP account. When enabled for email address, a user who logs in will have any pre-existing Centercode account matched against the email address of the account coming from your IdP. This results in the Centercode account upgrading to an SSO account. When disabled, the incoming account will be rejected due to the conflict.

If "User can upgrade from this field" is not enabled, you or the user must change their Username in your IdP. When logging in, a new account will be created with the different username, which requires your Centercode Community administrator to merge the accounts together.

After any changes you've made to your SSO configuration, you must update your metadata within your Centercode implementation:

  1. Navigate to the User Authentication Management page
  2. Hover over the desired SSO configuration
  3. Click the Metadata icon

3. (SAML) Invalid ACS Signing Certificate Public Key

This message may indicate that your ACS Signing Certificate Public Key is invalid. You'll want to check your IdP for the certificate being used and update the ACS Signing Certificate Public Key field within your Centercode implementation.

A common issue is having stray spaces or line breaks throughout your ACS Signing Certificate Public Key. The key must be one solid string of characters. Make sure it is the IdP's signing certificate (the key your IdP's metadata marks for signing), not an encryption certificate, and update it whenever your IdP rotates that certificate, since it is what verifies the signature on every assertion your IdP sends.

After any changes you've made to your SSO configuration, you must update your metadata within your Centercode implementation:

  1. Navigate to the User Authentication Management page
  2. Hover over the desired SSO configuration
  3. Click the Metadata icon
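Certificates arrive from IT as PEM text: BEGIN/END lines, 64-column wrapping, often CRLF line endings and stray tabs from an e-mail client. The following added example (written for this page, not Centercode's code) turns such a paste into the single base64 string the field expects and refuses anything that does not decode to one complete DER SEQUENCE, which catches truncated or doubled pastes, and prints a SHA-256 fingerprint you can compare with the one your IdP console shows. The certificate bytes are a constructed placeholder so the example runs offline; it is structurally valid DER but not a real X.509 certificate.

```python
import base64
import hashlib
import re
import textwrap


def der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def parse_der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, offset of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def make_placeholder_der(payload_len: int = 200) -> bytes:
    """Structurally valid DER SEQUENCE wrapping an OCTET STRING. Constructed
    placeholder so the example runs offline; NOT a real X.509 certificate."""
    inner = b"\x04" + der_length(payload_len) + bytes(payload_len)
    return b"\x30" + der_length(len(inner)) + inner


def normalize_cert(pasted: str) -> str:
    """Turn a certificate as pasted from an IdP (PEM armour, 64-column wrapping,
    CRLF, tabs) into the one solid base64 string the Centercode field wants, and
    reject anything that does not decode to a complete DER SEQUENCE."""
    body = [ln for ln in pasted.splitlines() if not ln.strip().startswith("-----")]
    b64 = re.sub(r"\s+", "", "".join(body))
    der = base64.b64decode(b64, validate=True)  # raises on bad characters or padding
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE (0x30)")
    length, start = parse_der_length(der, 1)
    if start + length != len(der):
        raise ValueError(f"DER says {length} content bytes but {len(der) - start} "
                         "are present: truncated or over-long paste")
    return b64


def cert_problem(pasted: str) -> str:
    """Empty string if the paste normalizes cleanly, else why Centercode would reject it."""
    try:
        normalize_cert(pasted)
        return ""
    except ValueError as e:  # binascii.Error from b64decode is a ValueError subclass
        return str(e)


def fingerprint(b64: str) -> str:
    """SHA-256 of the DER bytes, colon-separated as IdP consoles display it, for
    comparing what you pasted with what the IdP says it signs with."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return ":".join(f"{b:02X}" for b in digest)


# Constructed inputs: the canonical single-line value, and the same certificate
# as it typically arrives by copy/paste from an IdP console or an e-mail.
CANONICAL = base64.b64encode(make_placeholder_der()).decode()
PASTED_FROM_IDP = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join("  " + line + "\t" for line in textwrap.wrap(CANONICAL, 64))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    clean = normalize_cert(PASTED_FROM_IDP)
    print("single-line value:", clean[:40] + "...")
    print("fingerprint matches IdP:", fingerprint(clean) == fingerprint(CANONICAL))
    print("truncated paste ->", cert_problem(PASTED_FROM_IDP[:-120]))
```

If the fingerprints differ even though the paste is clean, you have the wrong certificate (an old one, or the encryption rather than the signing certificate), which is a different fix from whitespace.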

4. (OAuth) Parameters missing in the Identity Provider Login URL

As described in the OAuth documentation, a common configuration issue is missing parameters in the Identity Provider Login URL (state, code, etc.).

5. (OAuth) Invalid Token API Post Body

A common Token API Post Body to use is the example provided in the OAuth documentation:

client_id=%ClientId%&client_secret=%ClientSecret%&redirect_uri=%RedirectUrl%&code=%Code%&grant_type=authorization_code

Note that any missing characters, such as a percent symbol or an ampersand, will result in this error message:

"Your login attempt was not successful. We were unable to contact the login system at this time. Please try again later."
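Because a dropped ampersand does not make the body malformed, just wrong, the failure only shows up as the generic "unable to contact the login system" error. The added example below (written for this page, not Centercode's code) fills the %Placeholder% names from the Token API Post Body above with constructed values, parses the result as a query string, and reports which required OAuth parameters are missing or have swallowed their neighbour; the same check is applied to the query part of the Identity Provider Login URL. The required parameters follow the standard OAuth 2.0 authorization-code flow, and the %State% placeholder and the sample values are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The %Name% placeholder syntax and ClientId/ClientSecret/RedirectUrl/Code come
# from the Token API Post Body above. %State% is assumed for the login-URL check.
PLACEHOLDER = re.compile(r"%([A-Za-z]+)%")

# Constructed values standing in for what Centercode substitutes at login time.
SAMPLE_VALUES = {
    "ClientId": "centercode-app",
    "ClientSecret": "s3cr3t",
    "RedirectUrl": "https://beta.example.com/login/oauth/2/callback",  # assumed path
    "Code": "AUTHZ-CODE-123",
    "State": "xyz",
}

# A token request must carry these (RFC 6749 section 4.1.3).
TOKEN_BODY_REQUIRED = {
    "client_id": SAMPLE_VALUES["ClientId"],
    "client_secret": SAMPLE_VALUES["ClientSecret"],
    "redirect_uri": SAMPLE_VALUES["RedirectUrl"],
    "code": SAMPLE_VALUES["Code"],
    "grant_type": "authorization_code",
}

# The authorization request (the Identity Provider Login URL) must carry these
# (RFC 6749 section 4.1.1). None means "must be present, any value".
LOGIN_URL_REQUIRED = {
    "response_type": "code",
    "client_id": SAMPLE_VALUES["ClientId"],
    "redirect_uri": SAMPLE_VALUES["RedirectUrl"],
    "state": None,
}

GOOD_BODY = ("client_id=%ClientId%&client_secret=%ClientSecret%&redirect_uri=%RedirectUrl%"
             "&code=%Code%&grant_type=authorization_code")
BAD_BODY = GOOD_BODY.replace("%ClientSecret%&", "%ClientSecret%")  # one '&' dropped
GOOD_URL = ("https://idp.example.com/oauth2/authorize?response_type=code"
            "&client_id=%ClientId%&redirect_uri=%RedirectUrl%&state=%State%")


def fill(template: str, values: dict) -> str:
    """Substitute %Name% placeholders; an unknown name is an error, not silently kept."""
    def sub(m):
        name = m.group(1)
        if name not in values:
            raise ValueError(f"unknown placeholder %{name}%")
        return values[name]
    return PLACEHOLDER.sub(sub, template)


def check_template(template: str, required: dict, values: dict = SAMPLE_VALUES) -> list:
    """Problems found in a query-string template; an empty list means every required
    parameter is present with the expected value after substitution."""
    problems = []
    # Assumes the template holds no literal percent-encoding (%20 etc.), so every
    # '%' belongs to a placeholder and an odd count means one is unterminated.
    if template.count("%") % 2:
        problems.append("odd number of '%' characters: a placeholder is unterminated")
    try:
        filled = fill(template, values)
    except ValueError as e:
        return problems + [str(e)]
    params = parse_qs(filled, keep_blank_values=True)
    for key, expected in required.items():
        got = params.get(key)
        if got is None:
            problems.append(f"missing parameter '{key}'")
        elif expected is not None and got != [expected]:
            # A missing '&' fuses two parameters: the first one's value swallows
            # the second one's name, which is what surfaces here.
            problems.append(f"'{key}' is {got[0]!r}, expected {expected!r}")
    return problems


def check_login_url(url: str) -> list:
    """Scheme plus parameter check for the Identity Provider Login URL."""
    parts = urlsplit(url)
    problems = [] if parts.scheme == "https" else ["login URL must use https"]
    return problems + check_template(parts.query, LOGIN_URL_REQUIRED)


if __name__ == "__main__":
    print("documented body :", check_template(GOOD_BODY, TOKEN_BODY_REQUIRED) or "ok")
    print("missing '&'     :", check_template(BAD_BODY, TOKEN_BODY_REQUIRED))
    print("login URL       :", check_login_url(GOOD_URL) or "ok")
```

On the body with the dropped ampersand the output shows both symptoms at once: client_secret becomes "s3cr3tredirect_uri=https://..." and redirect_uri is missing, which is exactly what the IdP's token endpoint rejects. The client secret is sent in this body, so keep the filled-in version out of tickets and logs.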

Where do I get an ACS Signing Certificate Public Key?

Your company's IT department will be able to provide this.

Where can I find the metadata for my Centercode implementation?

Once your Single Sign-On configuration has been created, you may access the metadata and present it to your IT contact. To gather the metadata information:

  1. Navigate to the User Authentication Management page
  2. Hover over the desired SSO configuration
  3. Click the Metadata icon
  4. Copy the entirety of the text on this page and send it to your IT contact.
    1. They'll use the information contained within the metadata to configure the Identity Provider side of the SSO configuration.

I don't know my Attributes or my ACS Signing Certificate Public Key. What do I do?

If you're unable to confirm the ACS Signing Certificate Public Key used by your Identity Provider, or you have confirmed that all of your settings seem correct, use Chrome plugins to identify what your Identity Provider is sending to Centercode when you log in through your SAML configuration. This can be done only if your IdP Gateway and IdP Issuer fields are correct.

We recommend these Chrome plugins:

  • SAML Tracer
  • SAML Chrome Panel

Open the plugin and log into the identity provider that's connected to your SAML configuration. The plugin will display the ACS Signing Certificate Public Key and Attributes that your identity provider is attempting to send. You may also want to ensure that your Identity Provider is using the correct Centercode URL (shown below).

How do I test my SSO configuration?

Once your SSO configuration is submitted, it is technically live and can be used for testing and production. Step 4 of the SSO documentation, "Finalizing your SSO", is to make your SSO configuration visible on your login page.

When testing your SSO configuration, you can use the appropriate links to test your SSO setup. The text within brackets must be replaced appropriately.

    • https://<your site>/login/saml/2/metadata.aspx/metadata.xml?p=<your setup's proper name>
    • https://<your site>/login/oauth/2/authorize?p=<your setup's name>

How do I have both an SSO login and local login?

This is fairly common for organizations that have an internal account system for employees, but don't have the same system available for their testers. In this scenario, you can enforce employee logins through SSO and leave the standard local login functionality for your non-employee accounts.

Which Attributes should I enable "upgrade" for?

Consider which fields need to be updated by your users.

How do I set my SSO live?

This is covered in the documentation in section 4, titled "Finalizing Your SSO".

  • SAML 2.0
  • OAuth 2.0

Once the metadata is configured, the next step is to enable the SSO method for testing. The best way to do this is to enable the SSO without hiding your local login functions:

  1. Navigate to the User Authentication Management page
  2. Click the Centercode authentication method
  3. Under the Alternate Login section, select Local and Remote Logins from the dropdown list
  4. Click Submit to add an SSO link to your site's Login page
  5. Log out of Centercode and click your new SSO Login link at the top-right of your login page

What if I need to make adjustments to my live SSO configuration?

  1. Log into your Centercode implementation
  2. Within your Identity Provider's settings, update your Identity Provider's values
  3. Within your Centercode implementation, make your desired changes to your SSO configuration
  4. Within your Centercode implementation, navigate to your User Authentication tool
  5. Hover over your saved SSO configuration and click Metadata
    • This refreshes your metadata, syncing the settings of the two systems
  6. In Incognito or another browser: verify that the certificates match and log in again

Our Identity Provider may potentially have users with duplicate usernames. What will happen?

Centercode accounts cannot have duplicate usernames. Your Identity Provider will need to handle duplicate usernames before users log in through your SSO configuration, or they may encounter a username conflict.

If you're unable to make any changes to your Identity Provider, you may set your SSO configuration to ignore the Username and not have it collected initially by Centercode. This means your users will be prompted to fill in a username upon account creation.

We've updated our Centercode implementation's custom domain / have a new primary domain. Now users can't log in. What should we do?

When you update your Centercode implementation to a new primary domain with a redirect set up, your identity provider needs to update its references to the old URL with the new one. Your identity provider most likely validates the service provider's entity ID and Assertion Consumer Service URL against the values it has registered, so that a service provider at another domain cannot pretend to be yours; a redirect from the old domain does not satisfy that check.

You must have your company's IT update your SSO settings to reference your new domain. Also include the settings to return to the correct subdomain.

In other words, if your site has recently added a custom domain (e.g. beta.centercode.com -> beta.crawly.com), your identity provider may need to update Centercode's entry to reference your new domain.
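The metadata.xml link from the testing section above is the document the IdP learns your endpoints from, so after a domain change the fastest way to see what IT has to edit is to compare the endpoints in the metadata the IdP has on file with the ones your site now serves. The added example below (written for this page, not Centercode's code) extracts the entityID and every AssertionConsumerService / SingleLogoutService Location from SP metadata, flags each one whose host is not the current domain, and diffs two metadata documents. The metadata is constructed in standard SAML 2.0 metadata form: the entityID reuses this page's metadata URL pattern, while the acs.aspx path, the setup name CorpSSO and the domain names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata in the shape the metadata.xml URL above returns.
# entityID follows this page's URL pattern; acs.aspx and CorpSSO are assumed.
OLD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://beta.centercode.com/login/saml/2/metadata.aspx/metadata.xml?p=CorpSSO">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://beta.centercode.com/login/saml/2/acs.aspx?p=CorpSSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The same site after moving to a custom domain (assumed name).
NEW_METADATA = OLD_METADATA.replace("beta.centercode.com", "beta.example.com")


def sp_endpoints(metadata_xml: str) -> dict:
    """Every URL the IdP learns from SP metadata: the entityID plus the Location of
    each AssertionConsumerService / SingleLogoutService, keyed by tag[index]."""
    root = ET.fromstring(metadata_xml)
    urls = {"entityID": root.get("entityID")}
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        for i, el in enumerate(root.iterfind(f".//md:{tag}", MD)):
            urls[f"{tag}[{el.get('index', i)}]"] = el.get("Location")
    return urls


def stale_references(metadata_xml: str, current_host: str) -> dict:
    """Endpoints whose host is not current_host. Run it on the metadata the IdP has
    on file after a domain change: each entry is a value IT must update, because
    the IdP only posts responses to the ACS URL it has registered."""
    stale = {}
    for name, url in sp_endpoints(metadata_xml).items():
        parts = urlsplit(url or "")
        if parts.scheme in ("http", "https") and parts.hostname != current_host:
            stale[name] = url
    return stale


def endpoint_changes(old_xml: str, new_xml: str) -> dict:
    """{name: (old, new)} for endpoints that differ between two metadata documents."""
    old, new = sp_endpoints(old_xml), sp_endpoints(new_xml)
    return {k: (old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)}


if __name__ == "__main__":
    for name, url in stale_references(OLD_METADATA, "beta.example.com").items():
        print(f"IdP still references {name}: {url}")
    for name, (before, after) in endpoint_changes(OLD_METADATA, NEW_METADATA).items():
        print(f"update {name}: {before} -> {after}")
```

Fetch the live metadata from the new domain with the metadata.xml link, save the copy IT originally imported into the IdP, and run endpoint_changes on the pair; the output is the exact list of entity ID and ACS values to change on the IdP side.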

Source: https://help.centercode.com/en/saml-sso-faq
