Identity Provider Claims Configuration
To expedite SSO troubleshooting, always check for faulty configuration of IdP claims first.
- Use a new incognito window in your browser to visit the test URL provided on the SSO page in the Admin Console.
  The SAML claims mapping is then displayed. If you see an error message instead of this screen, check that the basic settings are correctly configured: Login URL, Certificate and XML signature key name.
- Confirm each claim is configured as you require. Compulsory claims:
  - First Name
  - Last Name
  - Role
  - Group Mapping
  - External Id
  Be extra cautious when checking roles: if you check with an existing user rather than a test user, the value shown in the role field may not reflect what the IdP sent but only the attributes already stored for that user.
- If the claims are not populating as you expect, inspect the SAML Response sent to BRYTER from your IdP.
- Make sure you are logged out of both BRYTER and your IdP.
- Open your browser's developer tools (Inspect) and select the Network tab. Enable the option to keep the log across page loads (Preserve log in Chrome, Persist Logs in Firefox), otherwise the POST carrying the SAML response is cleared when BRYTER redirects after login. Depending on your browser, you may need to open View Source to see the content of a request.
- Find the POST request named endpoint (the BRYTER URL that receives the SAML response) and copy the value of the SAMLResponse field from the Payload tab.
- Decode the copied value from base64, for example with an online decoder such as https://www.base64decode.org/. Bear in mind that the response contains user attributes (names, email addresses, group membership), so where your policy requires it, decode locally instead, for example with your operating system's base64 command. You are then ready to confirm each claim is configured correctly; pasting the decoded text into an XML formatter makes it easier to read.
- The claims are in the AttributeStatement, which sits inside the Assertion near the end of the decoded response. Check that each claim is present and that its attribute name matches the value entered for it in the SSO configuration in the BRYTER admin console.
- The attribute name strings entered in the BRYTER SSO configuration must match the Name of the corresponding Attribute in the response exactly, including case. The labels BRYTER uses for each claim (First Name, Last Name and so on) do not need to match the SAML attribute names; the values you enter for them do.
  - [Compulsory] <Attribute Name="first name">
  - [Compulsory] <Attribute Name="last name">
  - [Compulsory] <Attribute Name="email">
  - [Optional] <Attribute Name="ID">
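The steps above (copy the SAMLResponse from the Payload tab, base64-decode it, find the AttributeStatement and compare attribute names with the mapping entered in the admin console) can be done locally with a short script, which also keeps user data off third-party decoder sites. The following is an added example and not BRYTER's own code or tooling: the SAML response, the hostnames, the attribute names and the CONFIGURED_MAPPING dictionary are all constructed for illustration, and the script only reads attribute names and values; it does not verify the XML signature, so it is a troubleshooting aid and not a validation of the response.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces (standard, not specific to BRYTER or any IdP).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned SAML Response with an AttributeStatement.
# Hostnames and attribute names are hypothetical; a real IdP response is signed and longer.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://tenant.example.com/endpoint">'
    "<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>"
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>"
    "<saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>"
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="first name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="last name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="groups"><saml:AttributeValue>legal</saml:AttributeValue>'
    "<saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>"
    "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
)

# The two forms the browser can show: the bare base64 value (decoded Form Data view)
# and the raw form body, where the same value is URL-encoded.
SAMPLE_BARE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
SAMPLE_FORM_BODY = "SAMLResponse=" + urllib.parse.quote_plus(SAMPLE_BARE_B64) + "&RelayState=abc"


def decode_saml_response(payload: str) -> str:
    """Return the XML of a SAMLResponse given either the raw form body or the bare base64 value."""
    value = payload.strip()
    if "SAMLResponse=" in value:
        value = urllib.parse.parse_qs(value)["SAMLResponse"][0]
    # A value copied from a URL-encoded view may still carry %2B / %2F / %3D.
    value = "".join(urllib.parse.unquote(value).split())
    # Copy and paste often loses the trailing '=' padding; restore it before decoding.
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value).decode("utf-8")


def extract_attributes(xml_text: str) -> dict[str, list[str]]:
    """Map each Attribute Name in the assertion's AttributeStatement to its list of values."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attribute.findall("saml:AttributeValue", NS)]
        attrs[attribute.get("Name", "")] = values
    return attrs


# Hypothetical mapping as entered in the admin console: claim label -> attribute name string.
# The label is only for the reader; the string on the right must equal the SAML Name exactly.
CONFIGURED_MAPPING = {
    "First Name": "first name",
    "Last Name": "last name",
    "Email": "email",
    "Group Mapping": "groups",
}


def check_mapping(configured: dict[str, str], attrs: dict[str, list[str]]) -> dict[str, str]:
    """Report, per configured claim, whether the response carries it with a non-empty value.
    A case-only difference is reported separately: it is the most common mismatch and is
    easy to miss when reading the XML by eye."""
    by_lower = {name.lower(): name for name in attrs}
    report: dict[str, str] = {}
    for label, expected in configured.items():
        if expected in attrs:
            report[label] = "ok" if any(attrs[expected]) else "present but empty"
        elif expected.lower() in by_lower:
            report[label] = f'case mismatch: IdP sends Name="{by_lower[expected.lower()]}"'
        else:
            report[label] = "missing"
    return report


if __name__ == "__main__":
    attributes = extract_attributes(decode_saml_response(SAMPLE_FORM_BODY))
    for label, status in check_mapping(CONFIGURED_MAPPING, attributes).items():
        print(f"{label:<14} {status}")
```

Run it as-is to see the constructed sample reported with the Email claim flagged as a case mismatch (the IdP sends Name="Email" while the mapping expects "email"); to check a real capture, replace SAMPLE_FORM_BODY with the SAMLResponse value copied from the Payload tab and CONFIGURED_MAPPING with the strings entered in the admin console.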