Troubleshooting "Single Sign-On is not configured correctly" error messages
Answer ID 11809   |   Last Review Date 01/28/2021

How can I see the reason an agent's single sign-on failed?

Environment:

Oracle B2C Service sites using a single sign-on (SAML2 / SSO) authentication flow for agents

Issue:

An agent is unable to log in and receives an error message like the following:

Single Sign-On is not configured correctly. Please contact your system administrator.

Resolution:

As the administrator, you should resolve this issue. To get the necessary information, review the site's security log and take action according to the details in the error message(s) recorded there.

For information on how to access the security log, see Accessing Site Logs or the documentation for the Oracle B2C Service version you are using.

Notes:

Here is an example and some possible resolutions. There are more reasons you could see this generic message, and you should resolve the issue according to the information in the log entry.

Error:

Single Sign-On is not configured correctly. Please contact your system administrator.

Log entry:

Error validating certificate that was used to sign the SSO token.

The certificate used by the identity provider (IdP) was correct, but the rest of the certificate chain was needed to validate the assertion. Two possible ways to resolve this are described below; there are others. The security and other implications of your chosen configuration should be carefully evaluated by your organization.

  • You could upload the other certificate(s) to validate the entire chain. This is done with the File Manager tool, which (like the logs) is located by default under Site Configuration and is not available in the Browser UI.
  • In versions 20B and later, you could disable verification of the trust chain. Again in Agent Desktop only, navigate to Single Sign-On Configurations, wherever it is located in your navigation set (this tool is not included automatically). Open the identity provider, then expand SAML Token Parameters and Certificates. Check the "Do not verify trust chain for certificates" box to require the certificate to match only the certificate presented by the IdP. If an alternate certificate is specified here, the assertion needs to match only one of them to be valid.
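For the first option, it helps to know which issuer certificate is actually missing before uploading anything. The script below is an added example, not Oracle tooling or code from this answer: it assumes openssl is installed and that you have local PEM copies of the IdP signing certificate and of the certificates you intend to upload (one per `.pem` file). The file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example. Assumes: openssl on PATH; $1 = IdP signing certificate (PEM);
# $2 = directory with the other certificates, one PEM certificate per *.pem file.

# dn FIELD FILE: print the subject or issuer DN of a certificate in RFC 2253 form.
dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# chain_gap SIGNING_CERT DIR: follow issuer links upward from the signing cert.
# Prints "complete" when the walk ends at a self-signed root, otherwise
# "missing: <issuer DN>" for the first issuer that is not in DIR.
chain_gap() {
    cur=$1; dir=$2; depth=0
    while [ "$depth" -lt 10 ]; do          # guard against issuer loops
        issuer=$(dn issuer "$cur")
        if [ "$(dn subject "$cur")" = "$issuer" ]; then
            echo "complete"; return 0
        fi
        next=""
        for f in "$dir"/*.pem; do
            [ -f "$f" ] || continue        # empty directory: glob stays literal
            # A matching name is not enough: the candidate must also verify
            # as the issuer of the current certificate (signature check).
            if [ "$(dn subject "$f")" = "$issuer" ] &&
               openssl verify -partial_chain -CAfile "$f" "$cur" >/dev/null 2>&1; then
                next=$f; break
            fi
        done
        if [ -z "$next" ]; then
            echo "missing: $issuer"; return 1
        fi
        cur=$next; depth=$((depth + 1))
    done
    echo "missing: chain deeper than 10 certificates"; return 1
}

# Usage: sh chain_gap.sh idp-signing.pem ./certs-to-upload   (placeholder names)
if [ "$#" -eq 2 ]; then chain_gap "$1" "$2"; fi
```

A "missing:" line names the issuer whose certificate still has to be obtained from the IdP and uploaded; "complete" means the files in the directory form a full chain up to a self-signed root.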

Popular Answers About Single Sign On may also be useful to you.

Cause:

Unauthorized users should not see detailed error information. This restriction is intentional.