SAML 2.0 SSO: Troubleshooting and support (Old SSO integration)
Learn more about troubleshooting problems with your SAML 2.0 SSO integration.
Issue: Someone can't access the application through SSO
If a user cannot access Community through SSO, please ensure the following are configured correctly:
- The SAML 2.0 Connector on your Identity Provider must use the proper values, as provided by the Community SAML 2.0 app (SSO URL, Assertion Consumer Service URL and Required Attributes).
- The Community SAML 2.0 app must use the proper SSO URL, as provided by your SAML 2.0 Connector.
- The user must be granted access to the SAML 2.0 Connector on your Identity Provider.
- The user's email address in Community must match the email provided by your Identity Provider.
Issue: I cannot install the SSO from the App Center
This is rare, but it can happen. The most common reasons are:
- Your metadata file is not publicly accessible.
- Your metadata is missing a required attribute.
Alida can support you by hosting your metadata file publicly, or we can attempt the install while looking at system logs to better understand the failure. In either case, we will need your metadata file/URL.
Issue: The install went fine, but my test failed
This can happen for a number of reasons. If it does, please verify that:
- Your test user has been added to your identity provider and the Alida platform as an SSO user.
- Your user has a first and last name and an email address in the claims. The email address must match the email of the user you set up on the Alida platform.
- Your identity provider (IDP) EntityID needs to be unique to your Alida platform install if you have multiple installs and want SSO workflows on more than one.
- Your IDP must support a second service provider (SP) initiated callback. All typical login providers like Okta, Ping, OneLogin and Azure support this workflow.
- Your <audience> parameter needs to reflect the login provider you installed. One of:
  - https://login.visioncritical.com/login/idp/saml2/onelogin
  - https://login.visioncritical.com/login/idp/saml2/okta
  - https://login.visioncritical.com/login/idp/saml2/azuread
Alida can support you by reviewing the SAML interaction. To do this, we will either need a SAML trace from a profiling tool, or we will need a HAR file that lets us see the network activity of your test.
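The audience and claim checks from the list above can be run locally on the SAMLResponse value captured in a SAML trace. The script below is an added example, not Alida's own tooling; the claim names `email`, `firstName` and `lastName` and the sample response are assumptions, and it expects a base64-encoded, unencrypted response as sent over the HTTP-POST binding.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Audience values listed on this page, one per installed login provider.
AUDIENCES = {f"https://login.visioncritical.com/login/idp/saml2/{p}"
             for p in ("onelogin", "okta", "azuread")}
# Assumed claim names; substitute the Required Attributes shown by your SAML 2.0 app.
REQUIRED = ("email", "firstName", "lastName")

# Constructed sample response: wrong audience and no lastName claim.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:Conditions><saml:AudienceRestriction>
<saml:Audience>https://idp.example.test/app</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>pat@example.test</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="firstName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_response(b64_response, platform_email):
    """Return a list of problems found in a base64 SAMLResponse (empty list = none)."""
    # Troubleshooting aid only: reads the claims, does not validate the signature.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    audiences = {(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)}
    if not audiences & AUDIENCES:
        problems.append(f"audience {sorted(audiences)} is not a listed login provider URL")
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        claims[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED:
        if not claims.get(name):
            problems.append(f"claim '{name}' is missing or empty")
    email = claims.get("email", "")
    if email and email != platform_email.strip():
        problems.append(f"claim email '{email}' does not match the platform email")
    return problems


if __name__ == "__main__":
    for problem in check_response(SAMPLE, "pat@example.test"):
        print("FAIL:", problem)
```

Paste the SAMLResponse form value from your trace in place of `SAMPLE` and pass the email address the user has on the platform.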