
Troubleshooting Single Sign-on Errors

The following topics describe possible causes of single sign-on (SSO) issues and how to troubleshoot them:

Missing Redirect URI

A 400 error occurs when logging in to the portal with SSO if the external identity provider application doesn’t have the proper redirect URIs defined.

To troubleshoot this issue, add the required redirect URIs to the identity provider application exactly as the portal sends them. Identity providers match redirect URIs as exact strings, so the scheme, host, path, and any trailing slash must all agree.

The redirect URIs are built from the following values. To find them:

  • salesforceOrganizationId: In Salesforce, go to Setup > Company Information.

  • authProviderURLSuffix: In Salesforce, go to Setup > Auth Providers, open your auth provider, and copy its URL Suffix value.

  • domain: In Salesforce, go to Setup > My Domain > Current My Domain URL.

Insufficient Privileges

An insufficient privileges error occurs after logging in to the portal using SSO.

To troubleshoot this issue, publish the portal from the Builder:

  1. Navigate to Anypoint Platform, enter your username and password, and click Sign in.

  2. From Anypoint Platform, select API Experience Hub from the list of products.

  3. From the Manage your API portal page, click Preview and publish your portal.

  4. Click Publish.

Can’t See APIs

After logging in to the portal successfully, you can’t see any APIs in the API Carousel.

A few issues can cause this error to occur:

  • The groups claim is missing in the identity provider’s application configuration.

    To troubleshoot this issue, add the claim in the application and make sure at least one group is being sent.

  • The external identity provider group mapping is missing from Access Management.

    To troubleshoot this issue, add the external identity provider group mapping in Access Management for the portal member user:

    1. Go to Access Management > Teams.

    2. Click AEH Portal Guests, and then click AEH Portal Members.

    3. Click External IdP Groups.

    4. In Group Name, enter AEH Members. The name must match a group that the identity provider sends in the groups claim.

    5. From Provider Name, select the name of the corresponding Salesforce identity provider.

    6. From Type, select Member and click Add.

  • The Auth provider Default Scopes field isn’t configured properly.

    To troubleshoot this issue, make sure the Default Scopes field has the profile openid email groups value.

    1. In Salesforce, go to Setup.

    2. In the Quick Find box, enter Auth, and then select Auth Providers.

    3. Click Edit next to the auth provider that the portal uses.

    4. In the Auth Provider Detail section, in the Default Scopes field, enter profile openid email groups.

    5. Click Save.
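The three checks above (a groups claim that is present and non-empty, an External IdP group mapping whose name matches a sent group, and the Default Scopes value) and the missing-expected-claims case described under Single Sign-on Error can be pre-checked offline against what the identity provider actually returned. The following Python script is an added example, not code from this page or from API Experience Hub. The required claim names other than groups, the exact-match rule for the group mapping, and the sample tokens are assumptions constructed for the demo. It decodes the ID token payload without verifying the signature, which is fine for reading claims while troubleshooting but must never be used to accept a token.

```python
import base64
import json

# Scopes the Salesforce Auth. Provider's Default Scopes field must request
# (the page gives "profile openid email groups"); order is irrelevant.
REQUIRED_SCOPES = {"openid", "profile", "email", "groups"}

# Claims the registration handler is assumed to need (assumption for this
# example). "sub" and "email" are standard OIDC claims; "groups" is the claim
# the page says must carry at least one group.
REQUIRED_CLAIMS = ("sub", "email", "groups")


def check_default_scopes(default_scopes: str) -> list:
    """Return the required scopes missing from a space-separated Default Scopes value."""
    return sorted(REQUIRED_SCOPES - set(default_scopes.split()))


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature.

    Diagnostic only: it shows what the IdP sent. Never accept a token this way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def find_claim_problems(claims: dict) -> list:
    """List what is wrong with the claims the IdP sent, in a fixed order."""
    problems = [f"missing claim: {name}" for name in REQUIRED_CLAIMS if name not in claims]
    if "groups" in claims:
        groups = claims["groups"]
        if not isinstance(groups, list):
            problems.append("groups claim is not a list")
        elif not groups:
            problems.append("groups claim is empty: the IdP sent no group memberships")
    return problems


def mapped_groups(sent_groups: list, configured_names: list) -> list:
    """Groups from the claim that have an External IdP Groups mapping in Access Management.

    Assumes (for this example) that Group Name is compared as an exact,
    case-sensitive string.
    """
    return [g for g in sent_groups if g in configured_names]


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg "none") JWT carrying the given claims for the demo."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Constructed sample: the IdP sent an empty groups claim.
    token = make_unsigned_token({"sub": "u123", "email": "user@example.com", "groups": []})
    print(check_default_scopes("profile openid email"))  # ['groups']
    print(find_claim_problems(decode_jwt_payload(token)))  # ['groups claim is empty: the IdP sent no group memberships']
    print(mapped_groups(["AEH Members", "aeh members"], ["AEH Members"]))  # ['AEH Members']
```

To use it on a real login, paste the ID token from the IdP's response (or the JSON body of the /userinfo call) and run find_claim_problems over the decoded claims; an empty result means the portal's registration handler received everything this script knows to look for.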

Can’t Log In

When logging in to the portal with an identity provider, you see a Problem Logging In error that the third-party identifier can’t be found. An incorrect portal URL can cause issues logging in.

To troubleshoot this issue, make sure that the URLs are correct in the configuration. URL paths are case-sensitive: for Okta, the /userinfo part of the User Info endpoint path must be lowercase.
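A quick way to catch the wrong-URL case is to compare the endpoint URLs entered in the Salesforce Auth. Provider against the identity provider's own OpenID discovery document, comparing paths byte-for-byte while ignoring case only in the scheme and host. The following Python script is an added example, not code from this page or from API Experience Hub. The discovery document is a constructed stand-in with Okta-style paths, and the Salesforce field labels used as dictionary keys are assumptions; in practice you would fetch the document from https://<issuer>/.well-known/openid-configuration.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for the IdP's discovery document (assumption: Okta-style paths).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://example.okta.com/oauth2/default/v1/userinfo",
})

# Salesforce Auth. Provider field -> discovery document key (field labels assumed).
ENDPOINT_FIELDS = {
    "Authorize Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "User Info Endpoint URL": "userinfo_endpoint",
}


def normalize(url: str) -> str:
    """Trim whitespace and lower-case only the case-insensitive parts (scheme, host)."""
    parts = urlsplit(url.strip())
    return parts._replace(scheme=parts.scheme.lower(), netloc=parts.netloc.lower()).geturl()


def check_endpoints(configured: dict, discovery_json: str) -> list:
    """Compare configured endpoint URLs with the discovery document.

    Returns human-readable findings; an empty list means every URL matches.
    The path is compared exactly because URL paths are case-sensitive, which is
    the Okta /userinfo vs /UserInfo failure.
    """
    doc = json.loads(discovery_json)
    findings = []
    for field, key in ENDPOINT_FIELDS.items():
        value = configured.get(field)
        if not value:
            findings.append(f"{field}: not set")
            continue
        got, want = normalize(value), normalize(doc[key])
        if urlsplit(got).scheme != "https":
            findings.append(f"{field}: must use https")
        if got == want:
            continue
        if got.lower() == want.lower():
            findings.append(f"{field}: path differs only in case; use {want} (paths are case-sensitive)")
        else:
            findings.append(f"{field}: {got} does not match discovery value {want}")
    return findings


if __name__ == "__main__":
    # Constructed configuration: host case and trailing whitespace are harmless,
    # but /UserInfo is a different path from /userinfo.
    configured = {
        "Authorize Endpoint URL": "https://EXAMPLE.okta.com/oauth2/default/v1/authorize",
        "Token Endpoint URL": "https://example.okta.com/oauth2/default/v1/token ",
        "User Info Endpoint URL": "https://example.okta.com/oauth2/default/v1/UserInfo",
    }
    for finding in check_endpoints(configured, DISCOVERY_JSON):
        print(finding)
```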

Single Sign-on Error

After logging in, Single Sign-On Error shows in the portal. This error occurs if the SSO configuration or the Salesforce Auth. Provider configuration is incorrect or missing required information.

A few issues can cause this error to occur:

  • The Entity ID isn’t the same in both the Salesforce Auth. Provider and the identity provider.

    To troubleshoot this issue for SAML protocol configurations:

    1. Make sure the Entity ID is the same in both the Salesforce Auth. Provider’s Single Sign-On Settings page and the identity provider.

    2. Click SAML Assertion Validation in the Single Sign-On Settings page to check for errors in the assertion.

  • You changed the Single Sign-On Settings page without re-uploading the SSO certificate.

    To troubleshoot this issue, upload the SSO certificate again each time you change the Single Sign-On Settings page in Salesforce.

  • The expected claims are missing in the identity provider’s application.

    After logging in using SSO, you see an SSO error with the error details in the URL. An error from the registration handler can cause this error, and the most common cause is missing expected claims.

    To troubleshoot this issue, make sure you have the expected claims configured in the application. For more information, see Required Claims and Attributes.
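For the SAML Entity ID mismatch above, Salesforce's SAML Assertion Validation page is the authoritative check, but it helps to inspect a captured SAML response locally first, because the Entity ID is compared as an exact string and a stray trailing slash or a different Issuer value is enough to fail. The following Python script is an added example, not code from this page or from API Experience Hub. The response XML, both Entity IDs, and the required attribute names are constructed assumptions for the demo, and it uses the standard-library XML parser only because the input is constructed; parse real, untrusted SAML with defusedxml.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SAML response (assumption: placeholder entity IDs, empty Signature element).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example.my.site.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T00:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(xml_text, sp_entity_id, idp_entity_id, now=None, required_attributes=("email",)):
    """Return findings explaining why the service provider would reject the response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in the response"]
    findings = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        findings.append(f"Issuer {issuer!r} does not match the configured IdP Entity ID {idp_entity_id!r}")
    audiences = [a.text.strip() for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # exact string comparison, as the SP does it
        findings.append(f"Audience {audiences} does not contain the Salesforce Entity ID {sp_entity_id!r}")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion is not signed")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        now = now or datetime.now(timezone.utc)
        not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            findings.append(f"assertion not valid before {not_before} (check clock skew)")
        if not_after and now >= parse_saml_time(not_after):
            findings.append(f"assertion expired at {not_after} (check clock skew)")
    sent = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    findings.extend(f"missing attribute: {name}" for name in required_attributes if name not in sent)
    return findings


if __name__ == "__main__":
    when = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
    # A trailing slash on the Entity ID is enough to break the audience match.
    for finding in check_saml_response(SAMPLE_RESPONSE, "https://example.my.site.com/", "https://idp.example.com/saml", now=when):
        print(finding)
```

The script intentionally does not verify the XML signature; doing that correctly needs a library such as python3-saml or xmlsec with the IdP certificate, and that is the step Salesforce performs when you click SAML Assertion Validation.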

Portal Errors

After logging in to the portal using SSO, you get an error in the portal.

The error occurs when the identity provider’s application has missing or incorrect information, such as:

  • Incorrect URLs

  • The member isn’t assigned to a user or group in the application

To troubleshoot these issues:

  • Review the URLs in the identity provider’s application SSO configuration and on the Auth. Provider/Single Sign-On page in Salesforce Setup to make sure you’re using the correct single sign-on URL.

  • Make sure the member is assigned to a user or a group in the identity provider application.

Issues Testing the SSO Configuration

Issues can occur when you change the SSO configuration and then test it, because stale sessions keep using the old configuration.

To troubleshoot this issue, make sure you have a clean Salesforce and Anypoint session before testing SSO:

  1. Log out of the portal, then log in again with the SSO user.

    This step ensures the registration handler executes properly.

  2. Delete the Anypoint Platform token from the Named Credential.

    This step clears the Anypoint Platform user session so that the next login authenticates again and sends the new configuration information to Anypoint Platform:

    1. In Salesforce, go to Setup.

    2. In the Quick Find box, enter named credentials, and then select Named Credentials.

    3. Click AEH_Anypoint.

    4. In the External Data User Authentications section, locate the user you are testing with and click Del.