Troubleshooting SSO Connections

Attempting to perform an IdP-initiated login with SAML Response.
An incorrect SSO subject type (SAML only).
Incorrect SSO assertions for email, first name, and last name (SAML only).
Unsigned SAML Responses.
Not providing a fully qualified domain name (FQDN) when a domain is requested on the login page.
An incomplete or incorrect set of scopes (OIDC only).
Incorrect URLs in configurations.

SAML Chrome Panel can be used for debugging SAML connections.

Note

The following instructions require a Chrome browser.

Install the SAML Chrome Panel extension (or an equivalent).
Open Chrome Developer Tools:
1. Click the Chrome hamburger menu (three vertical dots in the top right-hand corner of Chrome) and select More Tools -> Developer Tools
2. Click View in the Chrome menu bar and select Developer -> Developer Tools.
In the SAML Chrome Panel, click the SAML tab.
In the Chrome address bar, navigate to the Cloud Portal (https://portal.singlestore.com/).
Proceed to the next step at your first failure. Under Actions click Perform Test Login. Log into your account using your Identity Provider, and allow it to redirect back to the Cloud Portal.
Upon receiving an authentication error, check the SAML Chrome Panel. There should be a host of XML output displayed.
In the XML output verify that:
- The endpoint is correct for your Identity Provider configuration.
- The SSO subject is set to “persistent”.
- There are SSO assertions for email, first name, and last name that match the names configured in the connection.
If you are still having trouble after verifying all of the above, copy this XML output, create a SingleStore Support ticket, and paste this XML output into the ticket.

Testing in the SingleStore Helios Portal

Perform the test logins as follows::

In the Authentication actions menu for each Identity Provider connection, select Perform Test Login.
That should end up at an error page that says “There was an error with authentication” and then gives a reason why the login was not successful.
If you do not get there, then from that same menu, select Debug Logins.
That will list recent login attempts and provide some details about what went wrong. The Login Step column is the most important because it will indicate how far along the authentication process gets.
From this screen, there is also Test Login which is the same as Perform Test Login in the previous menu.

Test the new connection with the link from the UI.
Review the last login attempt screen - on the last login screen, you can view how far each login attempt progressed. Look at the flow of authentication steps below as a reference. If login does not succeed, knowing where it failed is key to solving the issue.
The flow of authentication steps:
1. Redirect to customer Identity Provider - this happens when you have figured out which SSO configuration to use and redirect to the customer IdP.
2. Record customer IdP approval - when the user has logged into the customer IdP and it has redirected back to SingleStore Helios.
3. IdP authentication - the terms of service need signing.
4. IdP authentication - the terms of service are signed.
5. IdP authentication is completed.
6. IdP authentication is complete and the auth code for the client is generated, and redirected to the authentication client (SingleStore Helios Portal) with an auth code.
7. Authentication is fully completed when the code is exchanged for the access token. The client has exchanged the auth code for an access/refresh token.