# Troubleshooting SSO Connections When using SSO to log into SingleStore Helios the most common issues encountered include: * Attempting to perform an IdP-initiated login with SAML Response. * An incorrect SSO subject type (SAML only). * Incorrect SSO assertions for email, first name, and last name  (SAML only). * Unsigned SAML Responses. * Not providing a fully qualified domain name (FQDN) when a domain is requested on the login page. * An incomplete or incorrect set of scopes (OIDC only). * Incorrect URLs in configurations. **SAML Chrome Pane**l can be used for debugging SAML connections. > **📝 Note**: The following instructions require a Chrome browser. 1. Install the [SAML Chrome Panel](https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en) extension (or an equivalent). 2. Open Chrome Developer Tools: 1. Click the Chrome hamburger menu (three vertical dots in the top right-hand corner of Chrome) and select `More Tools` -> `Developer Tools` 2. Click `View` in the Chrome menu bar and select `Develope`r -> `Developer Tools`. 3. In the SAML Chrome Panel, click the `SAML` tab. 4. In the Chrome address bar, navigate to the Cloud Portal (). 5. *Proceed to the next step at your first failure*. Under `Actions` click `Perform Test Login`. Log into your account using your Identity Provider, and allow it to redirect back to the Cloud Portal. 6. Upon receiving an authentication error, check the SAML Chrome Panel. There should be a host of XML output displayed. 7. In the XML output verify that: * The endpoint is correct for your Identity Provider configuration. * The SSO subject is set to `“persistent”`. * There are SSO assertions for email, first name, and last name that match the names configured in the connection. 8. If you are still having trouble after verifying all of the above, copy this XML output, create a [SingleStore Support ticket](https://support.singlestore.com/), and paste this XML output into the ticket. ## Testing in the SingleStore Helios Portal Perform the test logins as follows:: 1. In the  `Authentication actions` menu for each Identity Provider connection, select ` Perform Test Login`. 2. That should end up at an error page that says “*There was an error with authentication*” and then gives a reason why the login was not successful. 3. If you do not get there, then from that same menu, select  `Debug Logins`. 4. That will list recent login attempts and provide some details about what went wrong.  The  `Login Step` column is the most important because it will indicate how far along the authentication process gets. 5. From this screen, there is also `Test Login`  which is the same as `Perform Test Login` in the previous menu. ## How to Debug SSO Connections 1. Test the new connection with the link from the UI. 2. Review the last login attempt screen - on the last login screen, you can view how far each login attempt progressed. Look at the flow of authentication steps below as a reference. If login does not succeed, knowing where it failed is key to solving the issue. 3. The flow of authentication steps: 1. Redirect to customer Identity Provider - this happens when you have figured out which SSO configuration to use and redirect to the customer IdP. 2. Record customer IdP approval - when the user has logged into the customer IdP and it has redirected back to SingleStore Helios. 3. IdP authentication - the terms of service need signing. 4. IdP authentication - the terms of service are signed. 5. IdP authentication is completed. 6. IdP authentication is complete and the auth code for the client is generated, and redirected to the authentication client (SingleStore Helios Portal) with an auth code. 7. Authentication is fully completed when the code is exchanged for the access token. The client has exchanged the auth code for an access/refresh token. ## Adding and Verifying Domains 1. SSO is always based on matching domain names. 2. Each connection has one or more domains. 3. Use `Actions` -> `Update Connection` to edit the set of domains. 4. After adding a domain, it must be verified before it can be used. 5. Domains can be “live” or not. 6. A domain can only be “live” in one connection at a time. 7. An unverified domain is not really active. *** Modified at: November 6, 2023 Source: [/cloud/security/portal-access/troubleshooting-sso-connections/](https://docs.singlestore.com/cloud/security/portal-access/troubleshooting-sso-connections/) (An index of the documentation is available at /llms.txt)