Troubleshooting SSO Issues

January 7, 2025

This section lists common SSO errors and how to resolve them.

Step 1 of 3

Error Message: Your user has not been assigned a role

Cause

For a user in classic orgs or roles, the user is not passing a role that matches the IdP name of a role found in CloudHealth under Setup > Admin > Roles.

For a user in FlexOrgs or role documents, the user is not passing a role that matches a key/value pair defined against a user group.

Resolution

There are two different resolutions depending on whether you are using classic organizations or FlexOrgs.

Classic Organizations or Roles

The user should verify from their identity provider that they are passing across a value that matches the IdP name of a configured role.

For example, the pre-configured Administrator role requires a role value in the user’s assertion that matches the Administrator role’s IdP name, cloudhealth-administrator.

The way a role is passed differs based on the identity provider:

  • Active Directory Federation Services (ADFS) - Each role claim is tied to a security group in Active Directory. Confirm that the user belongs to the group associated with the role claim in Active Directory, so that they pass the correct role value.
  • Azure Active Directory (AD) - Each group the user belongs to in Azure AD is passed as the role value. Ensure that the user belongs to the group associated with that role. For example, the cloudhealth-administrators group in Azure AD corresponds to the Administrator role in CloudHealth.
  • Okta - Groups starting with the prefix cloudhealth- are passed as roles in the user’s assertion when signing in through SSO. Confirm the user’s group membership in Okta, and ensure that they belong to the correct cloudhealth- group.

FlexOrgs or Role Documents

The key/value pair is set by the user. To confirm that the user is passing the correct value, from CloudHealth, go to Setup > Admin > User Groups and open the user group the user should be assigned to. Check that the SSO key/value section under the Details tab matches the expected value.

For example, UserGroup A has the following SSO key and SSO value pair in CloudHealth: Department - Finance. Within the IdP, open the user’s account and confirm that the value found under the Department field matches the value in the Details tab for the user group.

Users can also be manually assigned to user groups or automatically assigned through SSO. You can manually assign a user when the correct values are not being passed from the IdP.

To manually assign a user, go to Setup > Admin > User Groups in CloudHealth and open the user group the user should be assigned to. From the Members tab, select Add members. The next time the user signs in, they are assigned to the user group and given a role document and access to FlexOrgs as defined in the user group’s Assignment tab.

Step 2 of 3

Error Message: Your user has not been assigned an organization

Cause

The User-Organization Association setting has not been configured under Setup > Admin > Single Sign On.

Resolution

When the User-Organization Association setting is disabled, the identity provider is expected to pass a value in the Organization attribute that matches the IdP name of an Organization found in CloudHealth under Setup > Admin > Organizations. Ensure that the values match on both the IdP and CloudHealth.

If the attribute has not been configured, enable this setting so new users are added to the Default Organization. You can then add and remove users as needed.
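The comparisons described in Steps 1 and 2 (role value against role IdP names, SSO key/value against a user group, Organization attribute against organization IdP names) can be made offline against the attributes in a SAML assertion, for example one exported from a browser SAML trace. The script below is an added example, not CloudHealth code or a CloudHealth-documented API: the attribute names Role, Department and Organization, the sample assertion and the configured names are all constructed assumptions, and the idea that the organization check applies regardless of classic or FlexOrgs mode is also an assumption. It only reads the assertion; it does not validate the signature.

```python
"""Offline check of SAML assertion attributes against the values CloudHealth
expects for SSO role and organization assignment (added example; attribute
names are assumptions, not CloudHealth's documented attribute names)."""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

# Standard SAML 2.0 assertion namespace.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Error messages as shown on the troubleshooting page.
ROLE_ERROR = "Your user has not been assigned a role"
ORG_ERROR = "Your user has not been assigned an organization"

# Constructed sample assertion for illustration only; not captured from any IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>cloudhealth-administrator</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Organization">
      <saml:AttributeValue>acme-prod</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml: str) -> dict:
    """Collect every <saml:Attribute> as name -> list of its string values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attribute in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attribute.get("Name", "")
        values = [v.text.strip()
                  for v in attribute.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text]
        attrs.setdefault(name, []).extend(values)
    return attrs


def matched_roles(attrs: dict, role_idp_names, role_attribute: str = "Role") -> list:
    """Classic orgs/roles: values in the role attribute that equal a configured IdP name."""
    return sorted(set(attrs.get(role_attribute, [])) & set(role_idp_names))


def matched_user_groups(attrs: dict, user_groups: dict) -> list:
    """FlexOrgs: user_groups maps group name -> (SSO key, SSO value);
    a group matches when the assertion carries that key with that value."""
    return [group for group, (key, value) in user_groups.items()
            if value in attrs.get(key, [])]


def organization_ok(attrs: dict, org_idp_names, association_enabled: bool,
                    org_attribute: str = "Organization") -> bool:
    """With User-Organization Association enabled, new users land in the Default
    Organization; otherwise the Organization attribute must match an IdP name."""
    if association_enabled:
        return True
    return any(v in org_idp_names for v in attrs.get(org_attribute, []))


def diagnose(attrs: dict, *, flexorgs: bool, role_idp_names=(), user_groups=None,
             org_idp_names=(), association_enabled: bool = False) -> list:
    """Return the page's error messages this assertion would trigger; [] means OK."""
    problems = []
    if flexorgs:
        if not matched_user_groups(attrs, user_groups or {}):
            problems.append(ROLE_ERROR)
    elif not matched_roles(attrs, role_idp_names):
        problems.append(ROLE_ERROR)
    if not organization_ok(attrs, org_idp_names, association_enabled):
        problems.append(ORG_ERROR)
    return problems


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ASSERTION)
    print("attributes:", parsed)
    print("classic:", diagnose(parsed, flexorgs=False,
                               role_idp_names=["cloudhealth-administrator"],
                               org_idp_names=["acme-prod"]))
    print("flexorgs:", diagnose(parsed, flexorgs=True,
                                user_groups={"UserGroup A": ("Department", "Finance")},
                                association_enabled=True))
```

Run it against an assertion saved from the IdP's test-login page or a browser SAML trace and replace the configured names with the IdP names shown under Setup > Admin > Roles, User Groups and Organizations; an empty result from `diagnose` means the assertion carries values that should map, so the remaining suspects are a mismatch in the CloudHealth-side configuration or, for Step 3, a stale user record.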

Step 3 of 3

User Cannot Sign In

Cause

User records within CloudHealth remain even after removing a user from an SSO configuration or tenant.

Resolution

Contact CloudHealth Support to confirm that a duplicate user record exists, and archive the duplicate so the user can access the new tenant.