Single-Sign-On (SSO) Troubleshooting
This guide will cover the different issues associated with using or configuring Single Sign-On (SSO) and demonstrate how the Descoper and the tenant admin can troubleshoot them. This guide is focused on tenant-level SSO using SAML or OIDC.
End user troubleshooting
End user logs can be found in the Audit tab.
Troubleshooting user and group mapping
In the Audit Tab, by searching for "SSO" in the search bar we can find LoginSuccess / LoginFailure and LoginStarted audit events. Inside the audit event, we can find these sections:
Login
LoginSuccess / LoginFailure
LoginStarted
SAML
- IdP SAML response. the SAML response from the IdP. Contains the authenticated user's SAML assertion, including the user's attributes and groups.
- Generated user from IdP SAML response. Contains the derived user object that was generated as a result of the user's assertion in the SAML response.
- Generated roles from IdP SAML response. Contains the derived roles that were generated as a result of the user's assertion in the SAML response.
OIDC
- Identity Provider (IdP) OIDC response. Contains the response from the IdP's
userinfoendpoint, including the user's profile, groups, and roles. - Generated user from the IdP OIDC response. Contains the derived user object and roles that were generated as a result of the IdP's
userinfoendpoint response.
Troubleshooting SSO Configuration
Using Descope's [self-service capabilities]/self-service-provisioning) allows customer's IT admins or any other person of interest to check the configuration they just set, by having them test and sign in with their user at the end of the wizard:
Upon successful SSO authentication, the customer will be seamlessly guided back to the wizard. This is confirmed by a successful login with the correct SAML / OIDC response, and the User / Group objects will be readily available for further actions.
