Overview
Single Sign-On is a powerful tool for productivity, but because several applications are involved, it can be a hassle to troubleshoot when something goes wrong.
Here are a few tips to help you understand what is going on between your IdP and your SP.
Not familiar with the terms Identity Provider, IdP, Service Provider, SP? You can find a glossary in this article.
Check your IdP configuration
- First, make sure that the configuration you have in your Identity Provider is consistent with the information from your SP:
  - the Entity ID of the SP
  - the ACS URL
- Make sure that there are no typos or missing characters.
- Ensure that the claims are defined in the IdP: at least an akeneo_uid attribute must be declared and must send the information that will be checked against the username in the PIM.
- Check if the users are created in your authentication server and are allowed to access the PIM.
Check your PIM configuration
- On the PIM's side, make sure that the information regarding the IdP is correct:
  - the Entity ID of the IdP
  - the Sign-on URL
  - the Logout URL
  - the certificate
- Check if the akeneo_uid information received from the IdP corresponds to real usernames in the PIM. If not, the SSO process will not be able to match the akeneo_uid with the username from the PIM and access will be denied.
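The consistency checks from the two lists above can be run against a Base64-encoded SAMLResponse captured during a login attempt. This is an added example, not Akeneo's code: it assumes the exchange is SAML 2.0, every URL and username in it is a placeholder, and the exact, case-sensitive username comparison is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response, sp_entity_id, acs_url, idp_entity_id, pim_usernames):
    """List mismatches with the expected settings (the signature is not verified here)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    issuer = (root.findtext("saml:Issuer", "", NS) or "").strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} is not the IdP Entity ID")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"SP Entity ID missing from Audience {audiences}")
    uids = [v.text.strip() for v in root.iterfind(
        ".//saml:Attribute[@Name='akeneo_uid']/saml:AttributeValue", NS) if v.text]
    if not uids:
        problems.append("no akeneo_uid attribute in the assertion")
    elif uids[0] not in pim_usernames:  # assumption: exact, case-sensitive match
        problems.append(f"akeneo_uid {uids[0]!r} matches no PIM username")
    return problems

# Constructed sample response; every URL and name below is a placeholder.
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://pim.example.com/saml/acs">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://pim.example.com/saml/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>{attributes}</saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
UID_ATTR = ('<saml:Attribute Name="akeneo_uid">'
            '<saml:AttributeValue>{uid}</saml:AttributeValue></saml:Attribute>')

def sample(attributes):
    return base64.b64encode(TEMPLATE.format(attributes=attributes).encode())

EXPECTED = dict(sp_entity_id="https://pim.example.com/saml/metadata",
                acs_url="https://pim.example.com/saml/acs",
                idp_entity_id="https://idp.example.com/metadata",
                pim_usernames={"julia", "admin"})

if __name__ == "__main__":
    for attrs in (UID_ATTR.format(uid="julia"), UID_ATTR.format(uid="Julia"), ""):
        print(check_saml_response(sample(attrs), **EXPECTED) or "consistent")
```

An empty result means the response agrees with the configured values; it says nothing about whether the response is validly signed by the certificate configured in the PIM.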
Have a look at the technical log files
The Single Sign-On configuration page in the PIM lets you download the technical log files for the SSO authentication process. They are downloaded as a zip archive covering the last 10 days, one file per day.
Go deeper into your IdP
Many Identity Providers have tools to diagnose a faulty or non-working SSO. Searching your IdP documentation for 'Troubleshoot SSO' can help you find them.