How can I see the reason an agent's single sign on failed?
Oracle B2C Service sites using a single sign on (SAML2 / SSO) authentication flow for agents
An agent is unable to log in and receives an error message like the following:
As the administrator, you should resolve this issue. To get the necessary information, review the site's security log and take action according to the details in the error message(s) recorded there.
Here is an example and some possible resolutions. There are more reasons you could see this generic message, and you should resolve the issue according to the information in the log entry.
In this example, the signing certificate presented by the identity provider (IdP) was correct, but the rest of the certificate chain was needed to validate the assertion. Below are two different possible ways to resolve this. There are other ways. The security and other implications of your chosen configuration should be carefully evaluated by your organization.
- You could upload the other certificate(s) so that the entire chain can be validated. This is done with the File Manager tool, which (like the logs) is located by default under Site Configuration in the Agent Desktop and is not available in the Browser UI.
- In versions 20B and later, you could instead disable verification of the trust chain. Again in the Agent Desktop only, open Single Sign-On Configurations from wherever it is located in your navigation set (this item is not added to navigation sets automatically). Open the identity provider, then expand SAML Token Parameters and Certificates, and check the "Do not verify trust chain for certificates" box. The assertion's signing certificate then only has to match the certificate stored for the IdP; if an alternate certificate is also specified here, the assertion only has to match one of the two to be valid.
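As an added illustration (not Oracle's code, and not the B2C Service implementation), the following POSIX shell script builds a throwaway root / intermediate / IdP signing chain with openssl and shows the two checks the options above amount to: full chain verification fails until the intermediate is supplied, whereas a leaf-only fingerprint match passes without it. All certificate names are constructed, and the script assumes `openssl` 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example: a throwaway PKI that reproduces the two checks described above.
# Nothing here is Oracle code; names and CNs are constructed for the demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed chain: root CA -> intermediate CA -> IdP signing certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' >idp.ext
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -days 30 -in root.csr -signkey root.key -extfile ca.ext -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -days 30 -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout idp.key -out idp.csr -subj "/CN=idp.example.test" 2>/dev/null
openssl x509 -req -days 30 -in idp.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile idp.ext -out idp.pem 2>/dev/null

# Trust-chain verification (the default behaviour): the presented certificate must
# chain to a trusted root through whatever intermediates are available.
# $1 = presented certificate, $2 = optional file holding the uploaded intermediate(s).
chain_status() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1 && echo VALID || echo INVALID
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1 && echo VALID || echo INVALID
  fi
}

# Leaf-only matching (what skipping the trust chain reduces the check to): the
# presented certificate just has to equal a configured one, compared by fingerprint.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
leaf_status() {
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ] && echo VALID || echo INVALID
}

echo "chain, root only:          $(chain_status idp.pem)"            # INVALID
echo "chain, intermediate added: $(chain_status idp.pem inter.pem)"  # VALID
echo "leaf pinned to IdP cert:   $(leaf_status idp.pem idp.pem)"     # VALID
echo "leaf pinned to other cert: $(leaf_status idp.pem inter.pem)"   # INVALID
```

The first line is the situation in the log entry above: the IdP certificate itself is fine, but the verifier cannot reach a trusted root without the intermediate.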
Popular Answers About Single Sign On may also be useful to you.
The generic message shown to the agent is intentional: unauthorized users should not see detailed error information.