Cloud Streaming - Single Sign-On (SSO) Troubleshooting

This document servers to provide general troubleshooting information for SSO authentication issues you may experience after completing your SSO configuration.

You do not have access to the page you requested

Issue: Login results in a "You do not have access to the page you requested." message.

Resolution: Your portal is configured to authenticate users at the Basic level by default. The Basic role will only have access to direct watch links provided by an instructor. Anything accessed outside of direct links will result in the unauthorized access page. 

For Instructions to map an Admin or Instructor role you can refer to the following:

• For SAML: Starting around 2.5 in the document linked here: 
  • Configuring Swank Cloud Streaming SAML Authentication
• For OAuth: Starting around 10.5 in the document linked here: 
  • Cloud Streaming - Google Gsuite Oauth SSO Integration – Swank Motion Pictures, Inc. 

Do not embed single sign on authentication pages in frames

When a single sign on (SSO) authentication page is embedded in another web browser frame, you may encounter authentication errors that can be frustrating for your users.  For example, some learning management systems, such as Schoology may do this by default.  This can result in an authentication error, even when the user enters their credentials correctly.  

When you embed an SSO authentication page in a web browser frame, you may encounter Cross-Origin Resource Sharing (CORS) issues. SSO pages often reside on a different domain than the website where they are embedded, which can lead to security restrictions that prevent the web page from making requests to the SSO server. This can result in authentication errors, and the user may not be able to log in.

Avoid embedding the SSO authentication page directly in an iframe. Instead, redirect the user to the SSO page, ensuring it is displayed in a separate browser tab or window to mitigate the chances of errors.

SSO relies on cookies and sessions to maintain user authentication. When you embed the SSO authentication page in a web browser frame, the browser's same-origin policy can interfere with cookie and session handling. This can lead to authentication errors or being unable to log in.  Consider implementing a full-page redirect to the SSO page to ensure that cookies and sessions are properly maintained without same-origin policy restrictions.

OAuth Troubleshooting

The link below contains OAuth specific troubleshooting documentation:

• Cloud Streaming - Google OAuth Troubleshooting – Swank Motion Pictures, Inc.

SAML Troubleshooting

SAML Identity Provider Troubleshooting guides

Please note, the links below contain SAML troubleshooting steps for these specific identity providers.

• Azure SAML V2 Troubleshooting
• ClassLink SAML V2 Troubleshooting
• Google SAML V2 Troubleshooting

SAML Certificate Errors:

• Issues presented during SAML authentication that are related to the SAML certificate may be an indicator that the expiration date has passed. The article below will guide you through the process of correcting this:
  • SAML Certificate Expiration – Swank Motion Pictures, Inc.

SAML Tracer

You might want to utilize a browser plugin called SAML-tracer in order to determine where the sign-in process is breaking down.

For Chrome and other Chrome based browsers 

1. On your computer, open Chrome.
2. At the top right, select Extensions 
3. Search for SAML-tracer and add it to your browser
   • Note, if you have security concerns about the plugin, you can choose which permissions to give the extension:
     • Select Extensions from your browser
     • Select the three dots (More)
     • Mouseover "This can read and change site data." 
       • 

• • • Decide which permission to give the extension:
      • When you select the extension: This setting only allows the extension to access the current site in the open tab or window when you select the extension. If you close the tab or window, you’ll have to select the extension to turn it on again.
      • On [current site]: Allow the extension to automatically read and change data on the current site.
      • On all sites: Allow the extension to automatically read and change data on all sites.

 Safari

Safari doesn't have a SAML tracer extension, but you can use Safari's developer tools to capture a SAML trace:

1. Open Safari and select Settings
2. Click Advanced
3. Check the box next to Show Developer menu in menu bar
4. Click Develop and then Show Web Inspector
5. Select the Network tab
6. Click the circle with three lines icon and select Preserve Log
7. Go to the Admin Portal and select Single sign-on
8. Enter your email address and click Submit
9. Click the row, then select Headers
10. Scroll down to Request Data, then copy and paste the information into a text file