Version
Cb Response 5.2.x, 6.x
Issue
A user is unable to login to the Cb Response console though SSO. This is occurring for all users during initial implementation or for a new user with a unique user field
Symptoms
URL after failed login contains "err_code=1" or "err_code=2" and /var/log/cb/nginx/access.log shows a failed authentication on the server. A user is able to login without SSO
Cause
Either the user is invalid or there is a configuration issue
Solution
- Determine if the user is valid. The error codes are associated with the following cause:
- err_code=1 indicates "invalid user"
Add the user in your integrated user database - err_code=2 indicates all other errors
Follow below steps
- Enable Verbose Debugging for SSO/SAML
- Reproduce the authentication issue and review verbose logs:
tail -f /var/log/cb/coreservices/debug.log |
- Make adjustments to the attribute mapper and sso configuration file:
- If the process gets stuck making an external request, review the sso configuration: /etc/cb/sso/sso.conf
- If there is a "validation rules" error, massage the data in the attribute mapper /etc/cb/sso/attr_map.py
<err> cb.auth.auth - The value 'FIELD' does not meet input validation rules for field 'FIELD' |
Following any changes, verify that the script can compile with this command:
python /etc/cb/sso/attr_map.py |
Note: This can compile cleanly if you don't receive any errors
- Restart services and see if the issue is resolved
service cb-enterprise restart |
- Remove verbose authentication logging in Enable Verbose Debugging for SSO/SAML