Version

Cb Response 5.2.x, 6.x

Issue

A user is unable to login to the Cb Response console though SSO. This is occurring for all users during initial implementation or for a new user with a unique user field

Symptoms

URL after failed login contains "err_code=1" or "err_code=2" and /var/log/cb/nginx/access.log shows a failed authentication on the server. A user is able to login without SSO

Cause

Either the user is invalid or there is a configuration issue

Solution

1. Determine if the user is valid. The error codes are associated with the following cause:
   1. err_code=1 indicates "invalid user"
      Add the user in your integrated user database
   2. err_code=2 indicates all other errors
      Follow below steps
2. Enable Verbose Debugging for SSO/SAML
3. Reproduce the authentication issue and review verbose logs:
   

   tail -f /var/log/cb/coreservices/debug.log

4. Make adjustments to the attribute mapper and sso configuration file:
   1. If the process gets stuck making an external request, review the sso configuration: /etc/cb/sso/sso.conf
   2. If there is a "validation rules" error, massage the data in the attribute mapper /etc/cb/sso/attr_map.py
      

      <err> cb.auth.auth - The value 'FIELD' does not meet input validation rules for field 'FIELD'

      Following any changes, verify that the script can compile with this command:
      

      python /etc/cb/sso/attr_map.py

      Note: This can compile cleanly if you don't receive any errors 

5. Restart services and see if the issue is resolved
   

   service cb-enterprise restart

6. Remove verbose authentication logging in Enable Verbose Debugging for SSO/SAML