This document provides general troubleshooting information for SSO authentication issues you may experience after completing your SSO configuration.
- General Testing Note
- Can't See Single Sign-On Accounts
- Generic Username
- You do not have access to the page you requested
- Do not embed single sign on authentication pages in frames
- OAuth Troubleshooting
- SAML Troubleshooting
General Testing Note
Please be aware that when you authenticate to the site successfully, a token is stored in your browser for 24 hours. If you are performing tests after logging in previously, you will most likely need to clear your recent browsing history, use another browser, or use a private/incognito window.
Can't See Single Sign-On Accounts
Issue: When logged in as administrator, I cannot see who has single sign on accounts.
Resolution: This is actually by design; only registered user accounts are visible from your streaming portal. SSO accounts are not visible.
Generic Username
If your streaming portal uses SAML SSO with standard urn:oid: attributes for the required fields (first name, last name, email), the correct display name will show if the user has the Instructor or Admin roles.
If a visitor is assigned the User role, their proper name will not be displayed in the upper right of the portal. Instead, a generic User123456... username is shown.
This is by design. Because we do not retain information for User-level visitors, proper names are not displayed for them. This information is only retained for visitors at the Instructor or Admin level.
You do not have access to the page you requested
Issue: Login results in a "You do not have access to the page you requested." message.
Resolution: Your portal is configured to authenticate users at the Basic level by default. The Basic role will only have access to direct watch links provided by an instructor. Anything accessed outside of direct links will result in the unauthorized access page.
For instructions on mapping an Admin or Instructor role, refer to the following:
- For SAML: Starting around 2.5 in the document linked here:
- For OAuth: Starting around 10.5 in the document linked here:
Do not embed single sign on authentication pages in frames
When a single sign on (SSO) authentication page is embedded in another web browser frame, you may encounter authentication errors that are frustrating for your users. Some learning management systems, such as Schoology, may do this by default. The result can be an authentication error even when the user enters their credentials correctly.
When you embed an SSO authentication page in a web browser frame, you may encounter Cross-Origin Resource Sharing (CORS) issues. SSO pages often reside on a different domain than the website in which they are embedded, and the resulting security restrictions can prevent the page from making requests to the SSO server. This can result in authentication errors, and the user may not be able to log in.
Avoid embedding the SSO authentication page directly in an iframe. Instead, redirect the user to the SSO page, ensuring it is displayed in a separate browser tab or window to mitigate the chances of errors.
SSO relies on cookies and sessions to maintain user authentication. When you embed the SSO authentication page in a web browser frame, the browser's same-origin policy can interfere with cookie and session handling. This can lead to authentication errors or being unable to log in. Consider implementing a full-page redirect to the SSO page to ensure that cookies and sessions are properly maintained without same-origin policy restrictions.
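As an added example that is not part of the original article or the portal vendor's code, the following script implements the recommendation above: when the SSO login page detects that it has been loaded inside another site's frame, it breaks out to a full-page navigation (or, if the browser blocks that, opens the login page in a new tab) so cookie and same-origin restrictions on framed content no longer apply. The window object is passed in as a parameter so the logic can run outside a browser; `ssoUrl` and the `makeWindow` stand-in are assumptions for illustration.

```javascript
// Added example, not code from the original article or the portal vendor.
// Runs on the SSO login page: if the page has been loaded inside another
// site's frame (an LMS, for example), escape to a full-page navigation so the
// browser's cookie and same-origin rules for framed content no longer apply.
// The window object is passed in so the logic can be exercised outside a browser.
// `ssoUrl` is a hypothetical URL for the login page.

// True when this document is not the top-level browsing context.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Some browsers throw when a cross-origin ancestor is inspected; only a
    // frame can be in that position, so treat a throw as "framed".
    return true;
  }
}

// Break out of the frame. Navigating the top window is the full-page redirect
// the article recommends; a sandboxed frame (or a cross-origin frame without a
// user gesture) may block it, in which case open the SSO page in a new
// tab/window instead. The return value records which path was taken.
function ensureTopLevel(win, ssoUrl) {
  if (!isFramed(win)) {
    return { action: 'none', target: null };
  }
  try {
    win.top.location.href = ssoUrl;
    return { action: 'redirect-top', target: ssoUrl };
  } catch (e) {
    win.open(ssoUrl, '_blank');
    return { action: 'open-window', target: ssoUrl };
  }
}

// Constructed stand-in for a browser window (framed or not, with top-level
// navigation optionally blocked) so the example runs without a browser.
function makeWindow({ framed, topNavBlocked = false }) {
  const win = { opened: [] };
  win.self = win;
  win.open = (url) => { win.opened.push(url); };
  if (!framed) {
    win.top = win;
    return win;
  }
  const location = {};
  if (topNavBlocked) {
    Object.defineProperty(location, 'href', {
      set() { throw new Error('Blocked a frame from navigating the top-level window'); },
    });
  }
  win.top = { location };
  return win;
}

// In a real page the call is simply: ensureTopLevel(window, 'https://sso.example.edu/login');
const framedWindow = makeWindow({ framed: true });
console.log(ensureTopLevel(framedWindow, 'https://sso.example.edu/login'));
// -> { action: 'redirect-top', target: 'https://sso.example.edu/login' }
```

Placing this at the top of the login page's scripts is the client-side half of the fix; the server-side half is to keep the LMS from framing the page in the first place by launching the SSO flow as a full-page redirect.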
OAuth Troubleshooting
The link below contains OAuth-specific troubleshooting documentation:
SAML Troubleshooting
SAML Identity Provider Troubleshooting guides
Please note, the links below contain SAML troubleshooting steps for these specific identity providers.
SAML Certificate Errors:
- Issues during SAML authentication that relate to the SAML certificate may indicate that the certificate's expiration date has passed. The article below will guide you through the process of correcting this:
SAML Tracer
You can use a browser plugin called SAML-tracer to determine where the sign-in process is breaking down.
For Chrome and other Chrome based browsers
- On your computer, open Chrome.
- At the top right, select Extensions
- Search for SAML-tracer and add it to your browser
Note, if you have security concerns about the plugin, you can choose which permissions to give the extension:
- Select Extensions from your browser
- Select the three dots (More)
- Mouseover "This can read and change site data."
- Decide which permission to give the extension:
- When you select the extension: This setting only allows the extension to access the current site in the open tab or window when you select the extension. If you close the tab or window, you'll have to select the extension to turn it on again.
- On [current site]: Allow the extension to automatically read and change data on the current site.
- On all sites: Allow the extension to automatically read and change data on all sites.
Safari
Safari doesn't have a SAML tracer extension, but you can use Safari's developer tools to capture a SAML trace:
- Open Safari and select Settings
- Click Advanced
- Check the box next to Show Developer menu in menu bar
- Click Develop and then Show Web Inspector
- Select the Network tab
- Click the circle with three lines icon and select Preserve Log
- Go to the Admin Portal and select Single sign-on
- Enter your email address and click Submit
- Click the row, then select Headers
- Scroll down to Request Data, then copy and paste the information into a text file