
Single-Sign-On (SSO) Troubleshooting

This guide covers the issues associated with using or configuring Single Sign-On (SSO) and shows how the Descoper and the tenant admin can troubleshoot them. It focuses on tenant-level SSO using SAML or OIDC.

End user troubleshooting

End user logs can be found in the Audit tab.

Troubleshooting user and group mapping

In the Audit tab, searching for "SSO" in the search bar returns the LoginSuccess / LoginFailure and LoginStarted audit events. Each audit event contains the following sections:

Login

LoginSuccess / LoginFailure

[Screenshot: audit login success]

LoginStarted

[Screenshot: audit login started]

SAML

  • IdP SAML response. The SAML response from the IdP. Contains the authenticated user's SAML assertion, including the user's attributes and groups.
  • Generated user from IdP SAML response. Contains the derived user object that was generated as a result of the user's assertion in the SAML response.
  • Generated roles from IdP SAML response. Contains the derived roles that were generated as a result of the user's assertion in the SAML response.
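
To compare the IdP SAML response with the generated roles offline, the script below (an added example, not Descope code) extracts the NameID and attributes from a response copied out of the audit event and lists group values that have no exact match in a mapping, using `repr()` so case or whitespace differences are visible. The sample response, the `groups` attribute name and the `GROUP_TO_ROLE` mapping are constructed assumptions; the script only reads attributes and does not validate the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response, not real audit data; signature elements omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>engineering</saml:AttributeValue>
        <saml:AttributeValue>Admins </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical group-to-role mapping, standing in for the tenant's configuration.
GROUP_TO_ROLE = {"engineering": "Developer", "Admins": "Tenant Admin"}


def parse_assertion(raw):
    """Return (NameID, {attribute name: [values]}) from a SAML response."""
    text = raw.strip()
    if not text.startswith("<"):  # HTTP-POST binding carries it base64-encoded
        text = base64.b64decode(text).decode("utf-8")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("SAML messages must not carry DTD or entity declarations")
    root = ET.fromstring(text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def explain_roles(attrs, group_attr="groups", mapping=GROUP_TO_ROLE):
    """Return (roles granted, repr of groups with no exact mapping match)."""
    groups = attrs.get(group_attr, [])
    roles = [mapping[g] for g in groups if g in mapping]
    unmapped = [repr(g) for g in groups if g not in mapping]
    return roles, unmapped


if __name__ == "__main__":
    print(explain_roles(parse_assertion(SAMPLE_RESPONSE)[1]))
```

In the constructed sample, the trailing space in `'Admins '` is why that group yields no role even though `Admins` is mapped.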

OIDC

  • Identity Provider (IdP) OIDC response. Contains the response from the IdP's userinfo endpoint, including the user's profile, groups, and roles.
  • Generated user from the IdP OIDC response. Contains the derived user object and roles that were generated as a result of the IdP's userinfo endpoint response.

Troubleshooting SSO Configuration

Descope's [self-service capabilities](/self-service-provisioning) allow the customer's IT admins, or any other person of interest, to check the configuration they just set by testing it and signing in with their own user at the end of the wizard:

[Screenshot: sso config saml button]

Upon successful SSO authentication, the customer is guided back to the wizard. The configuration is confirmed by a successful login with the correct SAML / OIDC response, and the User / Group objects are available for further actions.

[Screenshot: sso config saml response]

[Screenshot: sso config saml response user and groups]
