Troubleshoot Your OIDC SSO Configuration


Overview

This article describes troubleshooting steps for common issues with a Single Sign-On (SSO) configuration in the Syniti Knowledge Platform (SKP) that uses the OpenID Connect (OIDC) protocol. Use it to diagnose and resolve OIDC SSO configuration issues efficiently.

Note

The error messages described below are examples and may differ based on your identity provider (IdP).

Troubleshoot the OIDC Configuration in the SKP

  1. Log into the SKP using the Syniti provisioned administrator account.

  2. Access Admin > Single Sign-On.

  3. Click the Edit icon on the SSO Configuration card to modify the OIDC configuration based on your IdP. Use the following table to troubleshoot your OIDC SSO configuration:

Error Message: Unrecognized login. Double-check your credentials and try again.

Possible Issues:

  • You may have entered an incorrect email address, or an email address with a domain that is not added to the trusted domains for your tenant in the SKP.

  • You may not have whitelisted or trusted your organization’s IdP URL within Syniti’s network.

Remediation: Submit a request to Syniti Support with your organization’s:

  • required domains, so that they are added and activated for your tenant in the SKP before you configure the SSO feature.

  • IdP URL, so that it is whitelisted or trusted within Syniti’s network.

Error Message: Your request resulted in an error.

Possible Issues: You may have entered an incorrect Client ID value while configuring SSO in the SKP.

Remediation: Enter the correct Client ID from the new application created for the SKP in your IdP.

Error Message: You are not authorized to log in. Please contact an administrator.

Possible Issues: You may get this error message in any one of the following scenarios while configuring SSO in the SKP:

  • Incorrect or Inactive Client Secret

  • Incorrect JWKS_URI

  • Incorrect Token_URL

  • Incorrect User Metadata attributes

  • Profile and Email scopes were not entered

Remediation: Perform the following actions on the Edit Single Sign-On page:

  • Incorrect or Inactive Client Secret: Copy and paste the correct Client Secret from the new application created for the SKP.

  • Other Scenarios: Ensure that you’re entering the required scopes, User Metadata attributes, and correct endpoints from your IdP’s metadata URI mentioned in the Set Up OIDC SSO in the SKP section.

Error Message: We couldn't find the page you were looking for.

Possible Issues: You may have entered the Login or Logout URL incorrectly while configuring SSO in the SKP.

Remediation: Ensure that you’re entering the correct Login and Logout URLs or endpoints from your IdP’s metadata URI mentioned in the Set Up OIDC SSO in the SKP section.

Error Message: Your request resulted in an error.

  • One or more scopes are not configured for the authorization server resource.

  • Requests for ID tokens or access tokens with OpenID scopes require the 'openid' scope.

Possible Issues: You may not have entered the required token scopes, or you may have entered the token scopes in an incorrect format.

Remediation: Token scopes must be entered as a space-delimited list. Syniti requires the following three token scopes: openid profile email
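The endpoint and scope rows of the table above can be checked before the form is saved by comparing the entered values with the IdP's discovery metadata. The following Python sketch is an added example, not Syniti code: the form keys, the mapping of the Login and Logout URLs to discovery keys, and the idp.example.com values are assumptions constructed for illustration.

```python
# Added example. Form keys are hypothetical names for the Edit Single Sign-On fields;
# mapping the Login/Logout URL to these discovery keys is an assumption.
REQUIRED_SCOPES = ("openid", "profile", "email")  # the three scopes this article requires
ENDPOINT_FIELDS = {  # form field -> OIDC discovery metadata key
    "login_url": "authorization_endpoint",
    "token_url": "token_endpoint",
    "jwks_uri": "jwks_uri",
    "logout_url": "end_session_endpoint",
}

def check_scopes(scope_value):
    """Return problems with a scope string that must be a space-delimited list."""
    problems = []
    if "," in scope_value or ";" in scope_value:
        problems.append("scopes must be space-delimited")
    tokens = scope_value.replace(",", " ").replace(";", " ").split()
    problems += [f"missing required scope '{s}'" for s in REQUIRED_SCOPES if s not in tokens]
    return problems

def check_endpoints(form, discovery):
    """Compare each endpoint entered in the form with the value the IdP publishes."""
    problems = []
    for field, meta_key in ENDPOINT_FIELDS.items():
        entered, published = form.get(field, "").strip(), discovery.get(meta_key)
        if published is None:
            problems.append(f"{field}: IdP metadata has no '{meta_key}'")
        elif entered != published:
            problems.append(f"{field}: entered '{entered}', IdP publishes '{published}'")
    return problems

def preflight(form, discovery):
    return check_scopes(form.get("scopes", "")) + check_endpoints(form, discovery)

# Constructed sample data; idp.example.com is a placeholder, not a real IdP.
DISCOVERY = {
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "end_session_endpoint": "https://idp.example.com/oauth2/v1/logout",
}
FORM = {
    "login_url": DISCOVERY["authorization_endpoint"],
    "token_url": "https://idp.example.com/oauth2/v1/tokens",  # constructed typo
    "jwks_uri": DISCOVERY["jwks_uri"],
    "logout_url": DISCOVERY["end_session_endpoint"],
    "scopes": "openid,profile",  # wrong delimiter, and 'email' is missing
}
if __name__ == "__main__":
    print("\n".join(preflight(FORM, DISCOVERY)))
```

In practice, the discovery dictionary would be the JSON document served at your IdP's metadata URI.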

Troubleshoot Errors in the IdP

If you experience errors in your IdP, Syniti suggests using the support and tools that your IdP provides.

Error Message: Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings.

Possible Issues: You may have incorrectly entered Syniti’s Sign-In Redirect URI in the new application configured in your organization’s IdP.

Remediation: Enter Syniti’s Sign-In Redirect URI that corresponds to your SKP tenant region. Refer to Set Up the IdP section for more information.

Error Message: Your request resulted in an error. The 'post_logout_redirect_uri' parameter must be a Logout redirect URI in the client app settings.

Possible Issues: You may have incorrectly entered Syniti’s Sign-Out Redirect URI in the new application configured in your organization’s IdP.

Remediation: Enter Syniti’s Sign-Out Redirect URI that corresponds to your SKP tenant region. Refer to Set Up the IdP section for more information.

Error Message: Unable to sign in.

Possible Issues: The email address entered for the user is not available in your IdP’s directory.

Remediation: Contact your IdP’s Administrator to get your account added and assigned to the new application created for the SKP.

Error Message: User is not assigned to the client application.

Possible Issues:

  • The email address entered for the user is not assigned to the new application created for the SKP.

  • The email address is not set as username for the user.

Remediation: Contact your IdP’s Administrator to get your account assigned to the new application created for the SKP.

Deactivate OIDC SSO

Warning!

Deactivating OIDC SSO may leave your users unable to access the SKP with your organization’s credentials. Deactivate OIDC SSO only after contacting Syniti Support and when all of your organization’s user accounts are provisioned with Syniti’s trusted domain such that they can log in using the SKP-initiated sign-on page.

You can either deactivate the OIDC SSO configuration to use password authentication with the SKP account, or edit the configuration details if your organization moves to a new IdP with the OIDC protocol.

Should there be a need for support when your organization moves to a new IdP, contact Syniti Support.

To deactivate OIDC SSO:

  1. Log into the SKP using the Syniti provisioned administrator account. For example, test.user@syniti.com. The SKP-initiated sign-on page is displayed.

    SKP-initiated sign-on page

  2. Enter your Syniti provisioned administrator account’s Username and Password.

  3. Click Sign In.

  4. Access Admin > Single Sign-On.

  5. Turn off the Active toggle button to deactivate the SSO configuration. This action allows users to access the SKP using password authentication with the SKP account.

    Note

    Skip to Step 6 if you intend to change the OIDC configuration for your new IdP.

  6. Click the Edit icon on the SSO Configuration card to modify the OIDC configuration based on your new IdP.

Switch to SAML

Once an OIDC SSO configuration is set up, you cannot delete it or switch to the SAML 2.0 protocol yourself.

To delete an OIDC SSO configuration or change the SSO protocol to SAML 2.0, you must contact Syniti Support.