Troubleshooting Single Sign-On Errors
The following topics provide possible causes for single sign-on (SSO) issues and describe how to troubleshoot:
Missing Redirect URI
A 400 error occurs when logging in to the portal with SSO if the external identity provider application doesn’t have the proper redirect URIs defined.
To troubleshoot this issue, ensure all of the necessary redirect URIs are included:
To get the following redirect URIs:
-
salesforceOrganizationId: In Salesforce, go to Setup > Company Information.
-
authProviderURLSuffix: In Salesforce, go to Setup > Auth Providers and select your auth provider URL Suffix.
-
domain: In Salesforce, go to Setup > My Domain > Current My Domain URL.
Insufficient Privileges
An insufficient privileges error occurs after logging in to the portal using SSO.
To troubleshoot this issue, publish the portal from the Builder.
-
Navigate to Anypoint Platform, enter your username and password, and click Sign in.
-
From Anypoint Platform, select API Experience Hub.
-
Go to From the Manage your API portal page, click Preview and publish your portal.
-
Click Publish.
API Carousel Not Loading
After logging in to the portal successfully, you can’t see the APIs in the API Carousel.
A few issues can cause this error to occur:
-
The external identity provider group mapping is missing from Access Management.
-
The Auth provider Default Scopes field is not configured properly.
External Identity Provider Group Mapping Is Missing or Misconfigured
To troubleshoot this issue, add the external identity provider group mapping in Access Management for the portal member user:
-
Go to Access Management > Teams.
-
Click AEH Portal Guests and click AEH Portal Members.
-
Click External IdP Groups.
-
From Group Name, enter AEH Members.
-
From Provider Name, select the name of the corresponding Salesforce identity provider.
-
From Type, select Member and click Add.
Auth Provider Default Scopes Field Isn’t Configure Properly
To troubleshoot this issue, ensure the Default Scopes field has the profile openid email groups value.
-
In Salesforce, go to Setup.
-
In the Quick Find box, enter
Auth
, and then select Auth Providers. -
Click Edit.
-
In the Auth Provider Detail section, enter
profile openid email groups
. -
Click Save.
Can’t Log In
When trying to log in to the portal with an identity provider, you see a Problem Logging In error that the third-party identifier can’t be found. An incorrect portal URL can cause issues logging in.
To troubleshoot this issue, ensure that the URL is properly configured. For Okta, the /userinfo
part of the URL path must be lowercase.