SSO integration troubleshooting
To help you resolve common errors encountered during SSO integration, we've compiled a set of guidelines and solutions. This guide addresses typical issues that might arise with your Identity Provider (IdP) settings and during the SSO callback process.
Errors on your IdP
-
This error usually indicates that the entity ID, certificate, or protocol settings are misconfigured. To resolve this issue, perform the following steps:App Not Found or similar error- Verify that the entity ID provided by Ocrolus is correctly configured in your IdP settings.
- Ensure that protocol settings are correctly configured.
- If Sign request is enabled, verify that the correct certificate is uploaded.
Errors during callback
-
Ocrolus currently only supports Service Provider (SP) initiated SAML workflows. This error occurs if you attempt to use an IdP initiated login flow.IdP initiated login is not enabled
To resolve this issue, ensure your IdP is configured for SP-initiated workflows and users log in directly via the Ocrolus dashboard (app.ocrolus.com), rather than redirecting users from your IdP. -
This error may indicate a problem with the custom attribute configuration for the email address. To resolve this issue, perform the following steps:Access denied- Ensure the email attribute is configured on your IdP, as it is usually not set by default.
- Make sure the email attribute name matches what’s defined in Ocrolus.
- Check the SAML response to ensure it contains the email attribute in the correct format. A sample SAML response attribute for email might look like this:
<saml:AttributeStatement> <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"> <saml:AttributeValue>[email protected]</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement>
Updated 5 months ago