Troubleshooting SSO Connections

When using SSO to log into SingleStore Helios the most common issues encountered include:

  • Attempting to perform an IdP-initiated login with SAML Response.

  • An incorrect SSO subject type (SAML only).

  • Incorrect SSO assertions for email, first name, and last name  (SAML only).

  • Unsigned SAML Responses.

  • Not providing a fully qualified domain name (FQDN) when a domain is requested on the login page.

  • An incomplete or incorrect set of scopes (OIDC only).

  • Incorrect URLs in configurations.

SAML Chrome Panel can be used for debugging SAML connections.


The following instructions require a Chrome browser.

  1. Install the SAML Chrome Panel extension (or an equivalent).

  2. Open Chrome Developer Tools:

    1. Click the Chrome hamburger menu (three vertical dots in the top right-hand corner of Chrome) and select More Tools -> Developer Tools

    2. Click View in the Chrome menu bar and select Developer -> Developer Tools.

  3. In the SAML Chrome Panel, click the SAML tab.

  4. In the Chrome address bar, navigate to the Cloud Portal (

  5. Proceed to the next step at your first failure. Under Actions click Perform Test Login. Log into your account using your Identity Provider, and allow it to redirect back to the Cloud Portal.

  6. Upon receiving an authentication error, check the SAML Chrome Panel. There should be a host of XML output displayed.

  7. In the XML output verify that:

    • The endpoint is correct for your Identity Provider configuration.

    • The SSO subject is set to “persistent”.

    • There are SSO assertions for email, first name, and last name that match the names configured in the connection.

  8. If you are still having trouble after verifying all of the above, copy this XML output, create a SingleStore Support ticket, and paste this XML output into the ticket.

Testing in the SingleStore Helios Portal

Perform the test logins as follows::

  1. In the  Authentication actions menu for each Identity Provider connection, select  Perform Test Login.

  2. That should end up at an error page that says “There was an error with authentication” and then gives a reason why the login was not successful.

  3. If you do not get there, then from that same menu, select  Debug Logins.

  4. That will list recent login attempts and provide some details about what went wrong.  The  Login Step column is the most important because it will indicate how far along the authentication process gets.

  5. From this screen, there is also Test Login  which is the same as Perform Test Login in the previous menu.

How to Debug SSO Connections

  1. Test the new connection with the link from the UI.

  2. Review the last login attempt screen - on the last login screen, you can view how far each login attempt progressed. Look at the flow of authentication steps below as a reference. If login does not succeed, knowing where it failed is key to solving the issue.

  3. The flow of authentication steps:

    1. Redirect to customer Identity Provider - this happens when you have figured out which SSO configuration to use and redirect to the customer IdP.

    2. Record customer IdP approval - when the user has logged into the customer IdP and it has redirected back to SingleStore Helios.

    3. IdP authentication - the terms of service need signing.

    4. IdP authentication - the terms of service are signed.

    5. IdP authentication is completed.

    6. IdP authentication is complete and the auth code for the client is generated, and redirected to the authentication client (SingleStore Helios Portal) with an auth code.

    7. Authentication is fully completed when the code is exchanged for the access token. The client has exchanged the auth code for an access/refresh token.

Adding and Verifying Domains

  1. SSO is always based on matching domain names.

  2. Each connection has one or more domains.

  3. Use Actions -> Update Connection to edit the set of domains.

  4. After adding a domain, it must be verified before it can be used.

  5. Domains can be “live” or not.

  6. A domain can only be “live” in one connection at a time.

  7. An unverified domain is not really active.

Last modified: November 6, 2023

Was this article helpful?