Troubleshooting V‑Spark SSO
Configuring V‑Spark SSO for use with certain IDPs may lead to special configuration requirements as described in the following sections.
Global IDP Logout with Okta
When V‑Spark is configured for use with Okta, users may be logged out of the entire Okta system when they log out of V‑Spark. In this case, the global logout may be avoided by specifying an incorrect URL for the end session endpoint. This requires the discovery endpoint to be disabled and for individual endpoints to be specified manually. To implement this workaround, use the following procedure:
Missing Email Address Error with Azure Active Directory
Users may encounter a V‑Spark error that says SSO verification failed because the email address is missing from the credentials returned from the IDP, even though the email field has been configured for the IDP client application scope. This error happens because some IDPs, such as Azure Active Directory, may not include the email field as a supported claim by default. For more information, refer to the external Active Directory documentation.
In this case, the email field must be added manually to the claims_supported list in the IDP's client application configuration. Otherwise, SSO authentication fails and V‑Spark logs an event in /var/log/vspark/server.log.
When configuring the IDP to communicate with V‑Spark, the openid, profile, and email scopes must be included in the IDP's scopes_supported list.
The email claim must also be included in the claims_supported list. In addition, the sub, iss, aud, exp, iat, and at_hash claims must be included in the claims_supported list.
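The following is an added example, not part of the V‑Spark documentation or product, that checks an OpenID Connect discovery document for the scopes and claims listed above. The discovery document embedded in it is a constructed sample that reproduces the Azure Active Directory condition described on this page (email absent from claims_supported); the issuer URL in it is a placeholder.

```python
import json
import sys
import urllib.request

# Scopes and claims that V-Spark requires the IDP to advertise (from this page).
REQUIRED_SCOPES = {"openid", "profile", "email"}
REQUIRED_CLAIMS = {"email", "sub", "iss", "aud", "exp", "iat", "at_hash"}

# Constructed sample discovery document: the scopes are complete, but 'email'
# is missing from claims_supported, which is the failure this page describes.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://login.example.invalid/PLACEHOLDER-TENANT/v2.0",
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "claims_supported": ["sub", "iss", "aud", "exp", "iat", "at_hash",
                       "name", "preferred_username"]
}""")


def check_discovery(doc: dict) -> dict:
    """Return the required scopes and claims that the discovery document lacks."""
    scopes = set(doc.get("scopes_supported", []))
    claims = set(doc.get("claims_supported", []))
    return {
        "missing_scopes": sorted(REQUIRED_SCOPES - scopes),
        "missing_claims": sorted(REQUIRED_CLAIMS - claims),
    }


def is_vspark_ready(doc: dict) -> bool:
    """True only when every required scope and claim is advertised."""
    result = check_discovery(doc)
    return not result["missing_scopes"] and not result["missing_claims"]


def fetch_discovery(url: str) -> dict:
    """Download a live discovery document (the IDP's .well-known/openid-configuration)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Pass the discovery URL as the first argument; with no argument, use the sample.
    doc = fetch_discovery(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DISCOVERY
    report = check_discovery(doc)
    print(json.dumps(report, indent=2))
    sys.exit(0 if is_vspark_ready(doc) else 1)
```

Run it against the IDP's discovery URL after adding the email claim; a non-zero exit status means the IDP still does not advertise everything V‑Spark needs.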
To confirm that the lists contain the required elements, use the following procedure: