# ask-a-descoper
i
I am having issues with SSO (and Google social login too), and seeking some help.

1. I am doing a small POC with a local React application, trying to hook it to Descope and use SSO and social logins.
2. I am taking the simplest approach of an "App Client to Descope with Flows" (as recommended here https://docs.descope.com/build/).
3. Okta is my IdP.
4. Scenario 1: Trying to log in to my app using the Okta portal.
   a. I get redirected to my app (running on localhost), but the user is not authenticated, and my app doesn't load.
   b. The error I'm getting in the devtools console shows me the following error (see screenshot attached): "executionId must not be empty"
   c. Viewing the Okta event log for the application I can see it being successful.
5. Scenario 2: Trying to log in to my app starting from the browser, by navigating to http://localhost:<port>
   a. Clicking the SSO button in the hosted Descope Login page, I'm getting an error in the UI ("SSO not supported for domain").
   b. The devtools console shows me the following errors (see also screenshot attached):
      i. SSO not supported for domain Error
      ii. [E011001]: Request is malformed Received tenant from query param, but it does not match any pattern Error
6. Google Social login
   a. Used to work just fine last time I checked.
   b. Today I noticed it stopped working as well; clicking it in the login dialog, I'm getting the following errors in the console (see screenshot attached):
      i. Failed to sign up or in Error
      ii. [E061003]: Illegal redirect URL provided Failed creating OAuth redirect URI Error

Thanks @quiet-bird-99759 who suggested I post here.
a
Hi @important-river-90900! Thanks for posting here.

Scenario 1: This is IdP-Initiated; it is not supported yet, but we already implemented this feature and it should be ready next week in production, including docs on how to configure it.

Scenario 2: This is SP-Initiated. I think that you are missing the tenant domain configuration, so we can identify the domain related to this SSO configuration and redirect to the correct IdP, see here: https://docs.descope.com/customize/auth/sso/#tenant-domain
i
Thanks @ancient-motorcycle-2291
1. Thanks for the information, I wasn't aware; will keep an eye on this next week coming to prod. Are you planning to communicate it to the dev community somehow?
2. Re scenario 2, my tenant domain is defined as you can see. I hope I defined it correctly. If I understood this correctly, this is the email domain for the signed-in users? So if I define acme.com, I can log in with a user nir@acme.com?
a
1. Yes we will communicate this, please check this channel #C04USJVE5GW, @gifted-florist-65280 @breezy-evening-56597 FYI
2. And you are using email with that domain, right?
   a. Also, how did you configure the Okta side? With the SP metadata URL or by inserting the 3 values?
Regarding the OAuth issue. Can you please write what you have in the Approved Domains? You need to make sure to put there localhost as well if you set something else.
i
1. Cool
2. Yes, using an email AFAIK. I configured it with the SP Metadata URL.

Re OAuth - you are correct. I removed localhost today (to see if it fixes the SSO), but what I didn't realize is that I need it for the OAuth. So adding localhost back made it work again.
a
Ok, so I understand the problem now: there is an issue with accessing the SP Metadata URL when having a custom tenant ID. We just fixed this, and will deploy very soon. For now, you can configure by providing the 3 values to Okta OR don’t use a custom tenant ID until the fix.
Cool regarding the OAuth
i
ok. what do you mean by "don't use custom tenant ID until the fix" ?
a
So you can leave the “Tenant ID” field blank when creating new tenant. The problem is when having there a value + using SP Metadata URL in the IdP.
i
cool i'll give it a try
a
So 3 options:
1. Wait for the fix - hopefully today
2. Create a new tenant without custom “Tenant ID” (for now until the fix)
3. Configure the SP part at the IdP without the metadata URL, and provide the 3 values manually (for now until the fix)
i
Re (3) - confusing. I'm configuring the SP (Descope) part without the Metadata URL (from Okta), but instead using the data as it shows in Okta (sign-on URL, issuer + certificate). If that's what you meant, then ok, but it didn't work.
will try the 2nd approach. will delete the current tenant and create a new one
a
ok, let me know
i
2nd approach is not working still
1. Did not specify the optional tenant ID.
2. Filled in the following config for SSO (taken from Okta):
   - Login URL -> sign-on URL (Okta)
   - Entity ID -> issuer (Okta)
   - Certificate -> certificate (Okta)

Zoom meeting notes
1. Regarding SSO initiated from the app (SP) - one needs to provide an e-mail input in the Login screen, so the SSO module will be able to pick up the user identifier (email) and map it to the relevant tenant (based on the domain specified).
2. Adding a new Tenant - leave the Tenant ID (optional) blank.
   a. This will have a follow-up with the Descope team to be fixed [ActionItem]
3. Regarding SSO initiated from the IdP (Okta in my case) - this flow is planned to be supported soon by the Descope team (O(1-week)) [ActionItem]
4. Thanks for the really great(!) responsiveness and will to help clarify and make things work so quickly @quiet-bird-99759 @ancient-motorcycle-2291 @quiet-area-427
Re (3) - upgrading the `@descope/react-sdk` to version `1.0.1` solves it! And you can log in from the IdP. In `package.json`:

```json
"dependencies": {
...
    "@descope/react-sdk": "1.0.1",
...
}
```

Make sure to add the condition of IdP login in the flow before hitting the Welcome Login screen (see screenshot attached). Thanks a lot @quiet-area-427 for reaching out again.
g
thanks @important-river-90900 for the great feedback! just so you know - we opened an issue to give a more indicative error in case the input isn’t provided for SSO authentication, and we’ll also see how we can give a better indication of it when actually designing the screen 🙏🏼