Single Sign-On v1.5

Troubleshooting Plan-to-Plan OIDC Integration

This topic explains how to resolve common errors that can arise when you configure a Single Sign-On (SSO) partnership between two SSO service plans, one acting as an Identity Provider (IDP) and one acting as a Relying Party (RP).

A blank service provider login screen

Cause

  • The discovery URL is incorrect or unavailable. If the RP cannot fetch the IDP's discovery document, it has nothing to build a login link from, so no link appears on the login page.
  • The IDP service plan is on a PCF instance that uses a self-signed certificate and Skip SSL Connection is not enabled, so the RP rejects the TLS connection to the discovery URL. Skip SSL Connection turns off certificate validation for that connection; it is acceptable in a test environment, but for production the safer fix is to give the IDP a certificate (or issuing CA) that the RP's PCF instance trusts.

Authorization Request Error

An invalid authorization request error message.

Cause

The OAuth client ID configured for the IDP on the RP service plan may not match the client ID registered on the IDP service plan. The IDP rejects an authorization request for a client it does not know.

401 Unauthorized

A 401 error message.

Cause

The OAuth client secret configured on the RP service plan may not match the secret of the client registered on the IDP service plan. The client ID is accepted at the authorization endpoint, but the IDP's token endpoint rejects the RP's credentials when it exchanges the authorization code.

405 Method Not Allowed

A 405 error message.

Cause

  • You may have omitted the openid scope in the IDP configuration on the RP service plan.
  • You may be requesting the wrong scopes, or scopes that the other SSO plan does not support. Confirm that you request only the openid scope.

Cannot determine username with given credentials

An error message explaining that the service cannot determine a username.

Cause

The IDP's token may carry no value for the attribute that the RP maps to the username, so the RP cannot identify the user. In the IDP attributes on the RP service plan, map the “username” attribute to “username.”

Invalid redirect

An incorrect authorization request error message.

Cause

You may have configured the authorized redirect URI incorrectly. Confirm that your callback URL is entered correctly as an authorized redirect URI for the client configurations on the IDP service plan.
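The causes listed above reduce to a handful of configuration mismatches that can be checked before clicking through the login page. The preflight script below is an added example, not code from the Single Sign-On product or its documentation: the RP settings, the IDP-side client registration, the discovery document and the ID token claims are constructed sample data, and their key names are this example's own assumptions rather than the product's configuration field names. Each check corresponds to one symptom on this page, and `fetch_discovery` shows the alternative to Skip SSL Connection for a self-signed IDP certificate (trusting that certificate explicitly instead of disabling verification).

```python
"""Offline preflight checks for a plan-to-plan OIDC partnership (added example,
not product code). Settings dicts and key names are assumptions for illustration."""
import hmac
import json
import ssl
import urllib.request

# Constructed discovery document, shaped as OpenID Connect Discovery 1.0 defines it.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.idp.example.com/oauth/token",
    "authorization_endpoint": "https://login.idp.example.com/oauth/authorize",
    "token_endpoint": "https://login.idp.example.com/oauth/token",
    "jwks_uri": "https://login.idp.example.com/token_keys",
    "scopes_supported": ["openid", "profile", "email"],
})

# Constructed RP-side settings for the IDP partnership (assumed key names).
RP_SETTINGS = {
    "client_id": "rp-plan-client",
    "client_secret": "secret-issued-by-idp-plan",
    "scopes": ["openid"],
    "redirect_uri": "https://login.rp.example.com/login/callback/idp-plan",
    "attribute_map": {"username": "username"},
}

# Constructed client registration on the IDP plan, and the claims its ID token carries.
IDP_CLIENT = {
    "client_id": "rp-plan-client",
    "client_secret": "secret-issued-by-idp-plan",
    "redirect_uris": ["https://login.rp.example.com/login/callback/idp-plan"],
}
SAMPLE_ID_TOKEN_CLAIMS = {"sub": "4f2c-example", "username": "jdoe", "email": "jdoe@example.com"}


def fetch_discovery(url, ca_bundle=None):
    """Fetch the discovery document with certificate validation kept on. For an IDP with a
    self-signed certificate, pass the PEM file holding that certificate (or its CA) as
    ca_bundle instead of disabling verification, which is what Skip SSL Connection does."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def parse_discovery(raw_document):
    """Return the discovery document as a dict, or None if the response is not JSON."""
    try:
        return json.loads(raw_document)
    except (json.JSONDecodeError, TypeError):
        return None


def check_discovery(doc):
    """Blank login screen: the document must parse and carry the endpoints the RP needs."""
    if doc is None:
        return ["discovery: response is not JSON (wrong URL, or an error page came back)"]
    required = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    return [f"discovery: missing {f!r}" for f in required if not doc.get(f)]


def check_client(rp_settings, idp_client):
    """Invalid authorization request -> wrong client_id; 401 Unauthorized -> wrong client_secret."""
    if rp_settings["client_id"] != idp_client["client_id"]:
        return ["client: client_id on the RP plan is not the client registered on the IDP plan"]
    if not hmac.compare_digest(rp_settings["client_secret"].encode(), idp_client["client_secret"].encode()):
        return ["client: client_secret does not match the IDP plan's client (401 Unauthorized)"]
    return []


def check_scopes(requested, discovery_doc):
    """405 Method Not Allowed: request openid, and nothing else."""
    findings = [f"scopes: {s!r} is requested; request only openid" for s in sorted(set(requested) - {"openid"})]
    if "openid" not in requested:
        findings.append("scopes: 'openid' is not requested; add it to the IDP configuration on the RP plan")
    elif "openid" not in discovery_doc.get("scopes_supported", ["openid"]):
        findings.append("scopes: the IDP plan does not advertise 'openid' in scopes_supported")
    return findings


def check_redirect_uri(redirect_uri, registered):
    """Invalid redirect: the callback URL must match a registered URI exactly, as a string."""
    if redirect_uri in registered:
        return []
    near = [r for r in registered if r.rstrip("/") == redirect_uri.rstrip("/")]
    hint = f"; differs from {near[0]!r} only by a trailing slash" if near else ""
    return [f"redirect: {redirect_uri!r} is not an authorized redirect URI on the IDP plan{hint}"]


def check_username_mapping(attribute_map, id_token_claims):
    """Cannot determine username: the claim mapped to username must be present and non-empty."""
    claim = attribute_map.get("username")
    if not claim:
        return ['attributes: nothing is mapped to "username"; map "username" to "username"']
    if not id_token_claims.get(claim):
        return [f"attributes: mapped claim {claim!r} is absent or empty in the IDP's ID token"]
    return []


def preflight(rp_settings, raw_discovery, idp_client, id_token_claims):
    """Run every check; an empty list means none of the causes on this page applies."""
    doc = parse_discovery(raw_discovery)
    findings = check_discovery(doc)
    findings += check_client(rp_settings, idp_client)
    findings += check_scopes(rp_settings["scopes"], doc or {})
    findings += check_redirect_uri(rp_settings["redirect_uri"], idp_client["redirect_uris"])
    findings += check_username_mapping(rp_settings["attribute_map"], id_token_claims)
    return findings
```

Run `preflight(RP_SETTINGS, SAMPLE_DISCOVERY, IDP_CLIENT, SAMPLE_ID_TOKEN_CLAIMS)` against the constructed data and it returns no findings; swap in a redirect URI with a trailing slash or add a second scope and the corresponding finding appears. The secret comparison uses `hmac.compare_digest` so that a tool holding both secrets does not leak anything through timing, and the redirect check deliberately uses exact string matching, which is the comparison a practitioner should expect on the IDP side.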
