I’m trying to set up my SSO connection with Chartbeat and my Identity Provider, but I’m running into an error. What’s wrong?
The setup within each Identity Provider varies, but generally, we’d advise checking on the following elements within each system.
Within your Identity Provider:
- Ensure that your Attribute Statements are configured properly, based on documentation provided either by Chartbeat or your IDP. (For some providers, capitalization matters, so writing Email instead of email may cause problems.)
- Ensure that you’re not attempting to log into Chartbeat via an IDP-initiated sign-on flow, for example by clicking a portal icon. Disable that option in your IDP settings if needed, as Chartbeat does not support IDP-initiated sign-on flows.
- Double check what value you’re setting as the Connection Name for the identifier field (in OKTA this is called Audience Restriction) within your particular IDP, which will look like urn:auth0:chartbeat:<CONNECTION_NAME>. That same connection name needs to be used as the Connection Name when entering information into Chartbeat; a mismatch in connection names will cause problems.
- As mentioned above, confirm that the Connection Name entered into Chartbeat matches the Connection Name entered as part of the application information in your IDP.
- Ensure that you’ve entered the correct URL into the SAML 2.0 Endpoint (HTTP) field. It should be a URL provided by your IDP. (If the URL you’ve entered there starts with https://chartbeat.auth0.com, you have an incorrect URL and will need to go into your IDP to grab the proper URL.)
I tried to get to Chartbeat through the app portal in OKTA/OneLogin/etc. and it gave me the following error page. What’s wrong?
This error screen typically indicates that you’re trying to sign in using an Identity Provider-initiated sign-in flow. Chartbeat only supports Service Provider-initiated flows. This means we support SSO login flows that start from Chartbeat itself, not from your identity system’s portal.
We recommend when clients set up the Chartbeat app in their identity system that they do not show it in their app portals for this reason. If they do, this is the error screen users will see since we cannot process their sign-in request from Auth0 (our SSO vendor).
This screen can also mean that the sign-in flow succeeded in going from Chartbeat to the IDP but failed on the return to Chartbeat. Check the IDP settings and verify that they point to the proper entity ID, which should be of the form "urn:auth0:chartbeat:<CONNECTION_NAME>".
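The checklist above (attribute name capitalization, the urn:auth0:chartbeat:<CONNECTION_NAME> audience, matching Connection Names, and the SAML 2.0 Endpoint URL) can be checked mechanically against a SAML assertion captured from the IDP. The script below is an added example, not Chartbeat's or Auth0's own code; it assumes the expected attribute name is exactly "email" (lowercase) and uses a constructed sample assertion.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_EMAIL_ATTR = "email"  # assumption: Chartbeat wants lowercase "email"
AUTH0_TENANT_URL = "https://chartbeat.auth0.com"  # never the right SAML endpoint

def check_assertion(assertion_xml: str, connection_name: str) -> list:
    """Compare an IDP SAML assertion against the setup checklist; return findings."""
    root = ET.fromstring(assertion_xml)
    findings = []
    expected_audience = f"urn:auth0:chartbeat:{connection_name}"
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", SAML_NS) if a.text]
    if expected_audience not in audiences:
        findings.append(f"Audience Restriction {audiences} does not match {expected_audience}")
    names = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", SAML_NS)]
    if EXPECTED_EMAIL_ATTR not in names:
        near_misses = [n for n in names if n.lower() == EXPECTED_EMAIL_ATTR]
        if near_misses:
            findings.append(f"attribute {near_misses[0]!r} differs from {EXPECTED_EMAIL_ATTR!r} only in capitalization")
        else:
            findings.append(f"no {EXPECTED_EMAIL_ATTR!r} attribute statement; attributes present: {names}")
    return findings

def check_chartbeat_settings(chartbeat_connection_name: str, idp_connection_name: str, saml_endpoint_url: str) -> list:
    """Check the values entered on the Chartbeat side against what the IDP has."""
    findings = []
    if chartbeat_connection_name != idp_connection_name:
        findings.append(f"Connection Name mismatch: Chartbeat has {chartbeat_connection_name!r}, IDP has {idp_connection_name!r}")
    if saml_endpoint_url.startswith(AUTH0_TENANT_URL):
        findings.append("SAML 2.0 Endpoint (HTTP) points at chartbeat.auth0.com; it must be the IDP's own URL")
    return findings

# Constructed sample: audience is correct, but the attribute is "Email" instead of "email".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:auth0:chartbeat:acme-news</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for finding in check_assertion(SAMPLE_ASSERTION, "acme-news"):
        print("assertion:", finding)
```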
For users to sign in using SSO, they must have access to Chartbeat through their identity provider. If a user has not been given access in their IDP when they attempt to sign in to Chartbeat, they will receive the following error screen. We cannot do anything about this for the user. They need to reach out to their internal help desk or service admin so they can be given access through their identity service.
To sign in to a current Chartbeat account using SSO, the user must sign in to their identity provider using the email associated with their Chartbeat account. If these emails are not aligned, the user should change the email associated with their Chartbeat account so that it is the same as their IDP email. They can do this via the profile page in Chartbeat Publishing.
If a user loses their password for their identity provider, they will need to contact the support team or a service administrator at their company to have them reset their password. Once a user starts signing in to Chartbeat through a third-party identity service, we are unable to help that user with password issues.