Troubleshooting SSO Login Issues
Administrators can use the HTTPS service logs to diagnose SSO login issues. In the BUI, navigate to the HTTPS service, then select Logs to view the httpd log.
SSO users might not have administrative privileges. If SSO login fails, contact a system administrator and provide a support bundle for diagnostics.
Time Synchronization
Time synchronization between the appliance and the configured Identity Provider (IdP) is required for SSO authentication. If the appliance and IdP clocks are not synchronized, SSO login can fail because SAML assertions are time-sensitive. The following table describes common time-related SSO login issues.
| Issue | User Experience | Log Message or Error | Corrective Action |
|---|---|---|---|
|
Appliance time is ahead of the IdP time |
The user is redirected to the native error page. |
SSO login failed likely due to a configuration issue. Contact the server administrator. More information about this error may be available in the HTTPS service logs. |
Synchronize the time between the appliance and the configured IdP. |
|
Appliance time is behind the IdP time |
The user is silently redirected back to the login page. |
The HTTPS service log displays a message similar to: Not before in Condition ... is in the future |
Synchronize the time between the appliance and the configured IdP. |
To prevent time-related SSO failures, configure the appliance and IdP to use a reliable time source, such as NTP.