Troubleshooting

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu Application Service.

This topic describes how to resolve common errors that arise when configuring a single sign-on partnership between Google Cloud Platform (GCP) OpenID Connect (OIDC) and Single Sign‑On for VMware Tanzu Application Service.

Symptom:

The login dialog box says welcome to Example,
followed by Email and Password fields and a sign-in button.

Explanation:

  • The discovery URL is incorrect or unavailable, so no link appears on the login page.

No OAuth Client Found

Symptom:

The error message page reads,
Google. 401. That's an error. Error: invalid_client. The OAuth client was not found.
The error message is followed by a dropdown for Request Details.

Explanation:

  • Incorrect OAuth Client ID configured.

Unauthorized

Symptom:

The error message page reads,
There was an error when authenticating against the external identity provider:
401 Unauthorized.

Explanation:

  • Incorrect OAuth client secret configured.

Redirect URI Mismatch

Symptom:

The partially redacted error message page reads,
Google. 400. That's an error. Error: redirect_uri_mismatch. The redirect URI in the
request, (partially redacted URL beginning with https://example.login),
does not match the ones authorized for the OAuth client.
Visit (partially redacted URL) to update the authorized redirect URIs.

Explanation:

  • Incorrect authorization redirect URI on OAuth Client.

Empty Username

Symptom:

The error message page reads,
There was an error when authenticating against the external identity provider:
Username cannot be empty.

Explanation:

  • The user_name attribute was not mapped to email.

Unable to Map Claim to a Username

Symptom:

The error message page reads,
There was an error when authenticating against the external identity provider:
Username cannot be empty.

Explanation:

  • The scope for “email” was not configured. Select the “email” scope in your identity provider configuration.
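
The last two errors show the same message for two different causes. The following added example (not part of the VMware documentation) decodes an ID token payload and reports which cause applies; the function names, the `attribute_mappings` dict shape, and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json


def jwt_claims(id_token):
    """Decode a JWT payload for troubleshooting only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_empty_username(id_token, attribute_mappings, requested_scopes):
    """Return likely causes of "Username cannot be empty" ([] when none found).

    attribute_mappings is a hypothetical dict such as {"user_name": "email"}.
    """
    source_claim = attribute_mappings.get("user_name")
    if not source_claim:
        return ["user_name is not mapped to a claim; map it to email"]
    if jwt_claims(id_token).get(source_claim):
        return []  # the mapped claim is present and non-empty
    if source_claim == "email" and "email" not in requested_scopes:
        return ["email scope not requested, so the ID token carries no email claim"]
    return [f"claim {source_claim!r} is missing or empty in the ID token"]


def constructed_token(claims):
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    return f"{header}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    token = constructed_token({"sub": "constructed-subject"})  # no email claim
    for cause in diagnose_empty_username(token, {"user_name": "email"}, ["openid"]):
        print(cause)
```

Use the decoder only on tokens captured from your own test login, and treat them as credentials while they are valid.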