To help you resolve common errors encountered during SSO integration, we've compiled a set of guidelines and solutions. This guide addresses typical issues that might arise with your Identity Provider (IdP) settings and during the SSO callback process.

Errors on your IdP

• App Not Found or similar error

  This error usually indicates that the entity ID, certificate, or protocol settings are misconfigured. To resolve this issue, perform the following steps:
  1. Verify that the entity ID provided by Ocrolus is correctly configured in your IdP settings.
  2. Ensure that protocol settings are correctly configured.
  3. If Sign request is enabled, verify that the correct certificate is uploaded.

Errors during callback

• IdP initiated login is not enabled

  Ocrolus currently only supports Service Provider (SP) initiated SAML workflows. This error occurs if you attempt to use an IdP initiated login flow.
  To resolve this issue, ensure your IdP is configured for SP-initiated workflows and users log in directly via the Ocrolus dashboard (app.ocrolus.com), rather than redirecting users from your IdP.

• Access denied

  This error may indicate a problem with the custom attribute configuration for the email address. To resolve this issue, perform the following steps:
  1. Ensure the email attribute is configured on your IdP, as it is usually not set by default.
  2. Make sure the email attribute name matches what’s defined in Ocrolus.
  3. Check the SAML response to ensure it contains the email attribute in the correct format. A sample SAML response attribute for email might look like this:
     
     
     SAML response

     <saml:AttributeStatement>
         <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
             <saml:AttributeValue>[email protected]</saml:AttributeValue>
         </saml:Attribute>
     </saml:AttributeStatement>