Troubleshooting Plan-to-Plan OIDC Integration
Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.
This topic explains how to resolve common errors that can arise when you configure a single sign-on partnership between two Single Sign‑On for VMware Tanzu service plans, one acting as an Identity Provider (IDP) and one acting as a Relying Party (RP).
No link for OIDC, or the Service Provider Login page is blank
Cause
- The discovery URL is incorrect or unavailable. No link appears on the login page.
- This error can occur if you do not enable Skip SSL Connection and the IDP service plan is on an instance that uses a self-signed certificate.
Authorization Request Error
Cause
You may have configured your OAuth client ID incorrectly.
401 Unauthorized
Cause
You may have configured your OAuth client secret incorrectly.
405 Method Not Allowed
Cause
- You may have omitted the openid scope in the IDP configuration on the RP service plan.
- You may be requesting the wrong scopes or scopes that are not supported by the other Single Sign‑On plan. Confirm that you are requesting only the openid scope.
Cannot determine username with given credentials
Cause
The username you used may not have a value mapped to it. In the IDP attributes, map the “username” attribute to “username.”
Invalid redirect
Cause
You may have configured the authorized redirect URI incorrectly. Confirm that your callback URL is entered correctly as an authorized redirect URI for the client configurations on the IDP service plan.
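As an added example (not code from this page or from Single Sign‑On for VMware Tanzu), the following Python preflight check encodes the causes listed above as tests over an RP-side IDP configuration and the IDP plan's client registration, mapping each misconfiguration to the symptom it produces. The discovery document, client registration, RP settings and all field names are constructed assumptions, not product settings.

```python
import json
import ssl
import urllib.request

# Constructed discovery document from the IDP plan (standard OIDC metadata key).
DISCOVERY = json.loads("""{
  "authorization_endpoint": "https://idp-plan.login.example.com/oauth/authorize"
}""")

IDP_CLIENT = {  # constructed client registration held by the IDP plan for the RP plan
    "client_id": "rp-plan-client",
    "client_secret": "constructed-secret",
    "redirect_uris": ["https://rp-plan.login.example.com/login/callback/idp-plan"],
}

RP_CONFIG = {  # constructed RP-side settings; field names are assumptions, not product settings
    "client_id": "rp-plan-client",
    "client_secret": "constructed-secret",
    "scopes": ["openid"],
    "attribute_mappings": {"username": "username"},
    "callback_url": "https://rp-plan.login.example.com/login/callback/idp-plan",
}

def fetch_discovery(url, skip_ssl_verification=False):
    """Fetch the discovery document; None means the URL is wrong or unreachable."""
    # skip_ssl_verification mirrors Skip SSL Connection for a self-signed IDP plan;
    # trusting that certificate instead keeps verification on and is preferable.
    ctx = ssl._create_unverified_context() if skip_ssl_verification else ssl.create_default_context()
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        return None

def check_rp_config(cfg, discovery, idp_client):
    """Return (setting, symptom) pairs for each misconfiguration; [] means all checks pass."""
    findings = []
    if not discovery or "authorization_endpoint" not in discovery:
        findings.append(("discovery_url", "No link for OIDC / blank login page"))
    if cfg["client_id"] != idp_client["client_id"]:
        findings.append(("client_id", "Authorization Request Error"))
    if cfg["client_secret"] != idp_client["client_secret"]:
        findings.append(("client_secret", "401 Unauthorized"))
    if set(cfg["scopes"]) != {"openid"}:
        findings.append(("scopes", "405 Method Not Allowed"))
    if cfg["attribute_mappings"].get("username") != "username":
        findings.append(("attribute_mappings", "Cannot determine username"))
    if cfg["callback_url"] not in idp_client["redirect_uris"]:
        findings.append(("callback_url", "Invalid redirect"))
    return findings
```

Run `check_rp_config(RP_CONFIG, fetch_discovery(discovery_url), IDP_CLIENT)` with the real discovery URL of the IDP plan to see which of the symptoms above a given configuration will trigger.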