Troubleshooting identity provider issues within OpenShift ACS


To clear up common confusion about SAML and identity providers, here are a few points of identity terminology:

  • Identity Provider (IdP): an entity that provides identity management services, such as Okta, Ping, OneLogin, etc.
  • Service Provider (SP): the entity that receives SAML assertions from the IdP.
  • Assertion Consumer Service URL (ACS URL): the URL exposed by the SP to which the IdP sends its SAML assertions.

SAML

  1. What is the name of the SAML 2.0 provider?
  2. Is the Dynamic or Static configuration option used?
  3. If the Dynamic configuration option is used, has applying the same values to the Static configuration been tested? Instructions for doing so:

    • Take the IdP issuer from the entityID attribute of the top-level element of the metadata XML file
    • Take the certificate from the data under KeyDescriptor use="signing"
    • Take the SSO URL from the Location attribute of the md:SingleSignOnService element whose Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    • Select one of the formats listed under NameIDFormat (such as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress); urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified can always be tried, regardless of what is in the metadata file
  4. If the Static configuration was used or tested as above, was a value entered in the Name/ID Format field?
  5. Is login failing? If yes, please provide a screenshot of the error message.
  6. If you are directed to a non-Red Hat ACS error page, please provide a screenshot of it.
  7. Provide a copy of the XML file sent from the IdP to the SP.

OIDC

  1. What is the name of the OIDC provider?
  2. Provide the OIDC discovery configuration.

    • It is found at one of the following URLs: <issuer>/.well-known/openid-configuration or https://<issuer>/.well-known/openid-configuration.
    • For example: https://accounts.google.com/.well-known/openid-configuration or https://sr-dev.auth0.com/.well-known/openid-configuration
  3. Is login failing? If yes, please provide a screenshot of the error message.
  4. If you are directed to a non-Red Hat ACS error page, please provide a screenshot of it.
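
When the discovery configuration is collected, a few checks on it settle the most common OIDC misconfigurations before anything else is investigated. The script below is an added example, not part of this article or of Red Hat ACS; the hosts and both discovery documents are constructed. It builds the discovery URL from either form listed above, then checks the document for the fields that OpenID Connect Discovery 1.0 marks as required, that the issuer value matches the URL the document was fetched from (the spec requires this, and a mismatch is a frequent cause of login failures), that every endpoint is served over HTTPS, and that RS256 signing and the authorization code response type are offered.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED in the provider metadata.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")

# Constructed sample discovery documents; the hosts are made up.
GOOD_DOCUMENT = json.dumps({
    "issuer": "https://accounts.example.test",
    "authorization_endpoint": "https://accounts.example.test/authorize",
    "token_endpoint": "https://accounts.example.test/oauth/token",
    "userinfo_endpoint": "https://accounts.example.test/userinfo",
    "jwks_uri": "https://accounts.example.test/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
BAD_DOCUMENT = json.dumps({
    "issuer": "https://login.other.test",            # does not match the URL it was fetched from
    "authorization_endpoint": "https://accounts.example.test/authorize",
    "jwks_uri": "http://accounts.example.test/jwks",  # plain HTTP: signing keys could be replaced in transit
    "response_types_supported": ["token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["HS256"],
})


def discovery_url(issuer: str) -> str:
    """Build the discovery URL from either form in the article: with or without the scheme."""
    issuer = issuer.strip()
    if "://" not in issuer:
        issuer = "https://" + issuer  # discovery is only defined over HTTPS
    return issuer.rstrip("/") + WELL_KNOWN


def check_discovery_document(issuer: str, document: str) -> list:
    """Return a list of findings; an empty list means the document passed every check."""
    findings = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    for field in REQUIRED_FIELDS:
        if field not in doc:
            findings.append(f"missing required field: {field}")

    # The 'issuer' value must equal the URL the document was retrieved from,
    # minus the well-known suffix; relying parties reject tokens otherwise.
    expected_issuer = discovery_url(issuer)[: -len(WELL_KNOWN)]
    if "issuer" in doc and str(doc["issuer"]).rstrip("/") != expected_issuer:
        findings.append(f"issuer mismatch: document says {doc['issuer']!r}, expected {expected_issuer!r}")

    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if url and urlsplit(url).scheme != "https":
            findings.append(f"{field} is not https: {url}")

    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("RS256 not offered for ID token signing (OpenID Connect Core requires it)")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code response type not offered")

    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOCUMENT), ("bad", BAD_DOCUMENT)):
        print(f"{label}: {discovery_url('accounts.example.test')}")
        for finding in check_discovery_document("accounts.example.test", doc) or ["no findings"]:
            print(f"  - {finding}")
```

To run it against a real provider, fetch discovery_url(issuer) over HTTPS and pass the response body as the document; the issuer argument must be exactly the value configured in the ACS auth provider, since that is the comparison the issuer check reproduces.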