Troubleshooting Known Issues
This section lists common issues identified during AuthHub migration and points to the relevant Knowledge Base articles for further assistance.
Using AuthHub SAML
| Issue | Potential Reasons | Knowledge Base Article Reference |
| --- | --- | --- |
| Unable to log you in | Your email domain is incorrect, or additional domains are required. | For more details, see KB article 376048. |
| Permission Denied | An incorrect issuer URL (Entity ID) is configured in the Tanzu CloudHealth platform. | For more details, see KB article 376038. |
| Permission Denied | Required claims are not configured, or are configured incorrectly. | For more details, see KB article 376022. |
| Invalid CORS request | The IdP connection is redirected to the Tanzu CloudHealth app from a tile within Azure AD or Okta, but the URL only supports Service Provider (SP) initiated connections; your ACS URL and Callback URL need updating. | For more details, see KB article 376028. |
IdP Specific Issues
| SSO Provider | Issue | Potential Reasons | Knowledge Base Article Reference |
| --- | --- | --- | --- |
| JumpCloud | 400 Bad request | The IdP Entity ID or issuer already exists under JumpCloud. | For more details, see KB article 376267. |
| OneLogin | Your user has not been assigned a role. | The existing roles claim needs updating. | For more details, see KB article 376369. |
For AuthHub Azure AD
| Issue | Potential Reasons | Knowledge Base Article Reference |
| --- | --- | --- |
| Unable to log you in | Additional domains are required. | For more details, see KB article 376030. |
| Domain already exists | SSO was not unconfigured before the migration. | For more information, see KB article 378020. |
Other Common SSO Issues
Error Message: Your user has not been assigned a role
Potential Reasons
- An incorrectly configured role.
- For a user in classic organizations or roles, the assertion does not carry a role value that matches the IdP name of a role found in Tanzu CloudHealth under Setup > Admin > Roles.
- For a user in FlexOrgs or role documents, the assertion does not carry a value that matches a key/value pair defined on a user group.
How to Resolve It
There are two different resolutions depending on whether you are using classic organizations or FlexOrgs.
- Classic Organizations or Roles - Verify in the identity provider that the user's assertion carries a value that matches the IdP name of a configured role. For example, the pre-configured Administrator role requires a role value in the user's assertion that matches that role's IdP name, Tanzu CloudHealth-administrator. The way a role is passed differs by identity provider:
  - Active Directory Federation Services (ADFS) - Each role claim is tied to a security group in Active Directory. Confirm that the user belongs to the group associated with the role claim so that the correct role value is passed.
  - Azure Active Directory (AD) - Each group the user belongs to in Azure AD is passed as a role value. Confirm that the user belongs to the group associated with the role. For example, the cloudhealth-administrators group in Azure AD corresponds to the Administrator role in Tanzu CloudHealth.
  - Okta - Groups starting with the prefix cloudhealth- are passed as roles in the user's assertion when signing in through SSO. Confirm the user's group membership in Okta and ensure that they belong to the correct cloudhealth- group.
- FlexOrgs or Role Documents - The SSO key/value pair is defined on the user group in Tanzu CloudHealth. To confirm that the user is passing the expected value, go to Setup > Admin > User Groups, open the user group the user should be assigned to, and check the SSO key/value section under the Details tab.
For example, UserGroup A has the SSO key and SSO value pair Department - Finance in Tanzu CloudHealth. In the IdP, open the user's account and confirm that the value under the Department field matches the value shown in the user group's Details tab.
Users can be assigned to user groups either manually or automatically through SSO. Manual assignment is useful when the correct values are not being passed from the IdP. To assign a user manually, go to Setup > Admin > User Groups in Tanzu CloudHealth, open the user group the user should be assigned to and, from the Members tab, select Add members. The next time the user signs in, they are assigned to the user group, given a role document, and granted access to the FlexOrgs defined in the user group's Assignment tab.
Error Message: Your user has not been assigned an organization
Potential Reasons
- A mismatched value between the identity provider and Tanzu CloudHealth.
- The User-Organization Association setting has not been configured under Setup > Admin > Single Sign On.
How to Resolve It
When the User-Organization Association setting is disabled, the identity provider must pass a value in the Organization attribute that matches the IdP name of an organization listed in Tanzu CloudHealth under Setup > Admin > Organizations. Ensure that the values match on both the IdP and Tanzu CloudHealth sides. If the attribute has not been configured in the IdP, enable this setting so that new users are added to the Default Organization; you can then add and remove users from organizations as needed.
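The matching rules behind the two error messages above (a role value that must equal a configured role's IdP name, a FlexOrgs user-group key/value pair that must appear among the user's attributes, and an Organization attribute that is only consulted when User-Organization Association is off) are easy to get wrong one character at a time. The following script is an added example, not Tanzu CloudHealth code: it parses a constructed, unsigned SAML assertion and applies those rules so you can reproduce the failures offline before touching the IdP. The attribute names (Role, Department, Organization), the role IdP names, the organization IdP name and the assertion itself are assumptions for illustration; exact, case-sensitive matching is also an assumption about this model, not a statement about the product. Signature validation, which a real SP must perform before trusting any attribute, is out of scope.

```python
"""Illustrative SAML attribute-to-role/organization matching (added example).

Not Tanzu CloudHealth code. Attribute names, role names and the sample
assertion are constructed assumptions. Assertion signature verification,
which must happen before any attribute is trusted, is deliberately omitted.
"""
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample assertion body (unsigned, not captured from any IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>cloudhealth-administrators</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with a case-mismatched group name: the typical "not assigned a role" cause.
MISMATCHED_ASSERTION = SAMPLE_ASSERTION.replace(
    "cloudhealth-administrators", "CloudHealth-Administrators")

# Assumed tenant configuration, standing in for Setup > Admin > Roles / User Groups / Organizations.
CLASSIC_ROLES = {"cloudhealth-administrators": "Administrator",   # IdP name -> role name
                 "cloudhealth-viewers": "Viewer"}
USER_GROUPS = [  # FlexOrgs: SSO key/value pair defined on each user group
    {"name": "UserGroup A", "sso_key": "Department", "sso_value": "Finance"},
    {"name": "UserGroup B", "sso_key": "Department", "sso_value": "Engineering"},
]
ORGANIZATIONS = {"org-finance": "Finance Org"}   # IdP name -> organization name

ROLE_ERROR = "Your user has not been assigned a role"
ORG_ERROR = "Your user has not been assigned an organization"


def parse_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{SAML}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{SAML}AttributeValue")]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def resolve_classic_roles(attrs, configured=CLASSIC_ROLES, role_attr="Role"):
    """Classic orgs: a role value must exactly match a configured role's IdP name."""
    return [configured[v] for v in attrs.get(role_attr, []) if v in configured]


def resolve_user_groups(attrs, groups=USER_GROUPS):
    """FlexOrgs: the user joins a group when attrs[sso_key] contains sso_value."""
    return [g["name"] for g in groups if g["sso_value"] in attrs.get(g["sso_key"], [])]


def resolve_organization(attrs, user_org_association=False, configured=ORGANIZATIONS,
                         org_attr="Organization", default="Default Organization"):
    """Association on: everyone lands in the default org.
    Association off: the Organization attribute must match an org's IdP name."""
    if user_org_association:
        return default
    for v in attrs.get(org_attr, []):
        if v in configured:
            return configured[v]
    return None


def diagnose(assertion_xml: str, flexorgs: bool = False,
             user_org_association: bool = False) -> dict:
    """Apply the matching rules and collect the resulting error messages."""
    attrs = parse_attributes(assertion_xml)
    result: dict = {"errors": []}
    if flexorgs:
        result["user_groups"] = resolve_user_groups(attrs)
        if not result["user_groups"]:
            result["errors"].append(ROLE_ERROR)
    else:
        result["roles"] = resolve_classic_roles(attrs)
        if not result["roles"]:
            result["errors"].append(ROLE_ERROR)
    result["organization"] = resolve_organization(attrs, user_org_association)
    if result["organization"] is None:
        result["errors"].append(ORG_ERROR)
    return result


if __name__ == "__main__":
    import json
    # Classic roles, association off, no Organization attribute: org error only.
    print(json.dumps(diagnose(SAMPLE_ASSERTION), indent=2))
    # Case-mismatched group name: role error as well.
    print(json.dumps(diagnose(MISMATCHED_ASSERTION), indent=2))
    # FlexOrgs with association on: Department=Finance maps to UserGroup A, no errors.
    print(json.dumps(diagnose(SAMPLE_ASSERTION, flexorgs=True, user_org_association=True), indent=2))
```

To use this against a real login, paste the decoded (base64, and inflated if HTTP-Redirect was used) assertion from your browser's SAML tracer in place of SAMPLE_ASSERTION and replace the assumed configuration with the IdP names and SSO key/value pairs shown in your tenant; a non-empty `errors` list then points at the exact attribute to fix on the IdP side.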
Error Message: User Cannot Sign In
Potential Reasons
If the user previously used the same email address with a different Tanzu CloudHealth tenant, they may be unable to sign in: user records in Tanzu CloudHealth persist even after a user is removed from an SSO configuration or tenant.
How to Resolve It
Contact Tanzu CloudHealth Support to confirm that a duplicate user record exists and to archive it so that the user can access the new tenant.