Troubleshooting V‑Spark SSO
Configuring V‑Spark SSO for use with certain IDPs may lead to special configuration requirements as described in the following sections.
Global IDP Logout with Okta
When V‑Spark is configured for use with Okta, users may be logged out of the entire Okta system when they log out of V‑Spark. In this case, the global logout may be avoided by specifying an incorrect URL for the end session endpoint. This requires the discovery endpoint to be disabled and for individual endpoints to be specified manually. To implement this workaround, use the following procedure:
Okta's discovery endpoint lacks userinfo data
When adding manual endpoints as described in Global IDP Logout with Okta, data obtained from Okta's discovery endpoint may lack information about the userinfo endpoint. The following endpoint URLs function correctly for a V‑Spark-Okta SSO implementation as of November 2023.
| Field name | Endpoint URL example |
|---|---|
| issuer | https://{variable}.okta.com |
| introspection_endpoint | https://{variable}.okta.com/oauth2/v1/introspect |
| jwks_uri | https://{variable}.okta.com/oauth2/v1/keys |
| authorization_endpoint | https://{variable}.okta.com/oauth2/v1/authorize |
| token_endpoint | https://{variable}.okta.com/oauth2/v1/token |
| userinfo_endpoint | https://{variable}.okta.com/oauth2/v1/userinfo |
| end_session_endpoint | https://{V‑Spark}.{company}.com/login |
For the latest information on Okta's endpoint configuration, refer to Okta's OIDC documentation.
Missing Email Address Error with Azure Active Directory
Users may encounter a V‑Spark error that says SSO verification failed because the email address is missing from the credentials returned from the IDP, even though the email field has been configured for the IDP client application scope. This error happens because some IDPs such as Azure Active Directory may not include the email field as a supported claim by default. For more information, refer to the external Active Directory documentation.
In this case, the email field must be added manually to the claims_supported list in the IDP's client application configuration. Otherwise, SSO authentication fails and V‑Spark logs an event in /var/log/vspark/server.log.
When configuring the IDP to communicate with V‑Spark, the openid, profile, and email fields must be included in the IDP's scopes_supported list.
The email field must also be included in the claims_supported list. In addition, the sub, iss, aud, exp, iat, and at_hash claims must be included in the claims_supported list.
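As an added example (not V‑Spark's own code or procedure), the following Python script checks an IDP discovery document for the endpoints, scopes and claims this page requires, and shows how manually specified endpoints (including the V‑Spark login URL used as the end session endpoint) are merged in. The discovery document and all hostnames are constructed samples, not real Okta or Azure output.

```python
import json

# Constructed sample of an OIDC discovery document (not real IDP output).
# It reproduces the two symptoms described on this page: no userinfo
# endpoint is advertised, and "email" is absent from claims_supported.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://example-tenant.okta.com",
  "authorization_endpoint": "https://example-tenant.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://example-tenant.okta.com/oauth2/v1/token",
  "jwks_uri": "https://example-tenant.okta.com/oauth2/v1/keys",
  "introspection_endpoint": "https://example-tenant.okta.com/oauth2/v1/introspect",
  "end_session_endpoint": "https://example-tenant.okta.com/oauth2/v1/logout",
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "claims_supported": ["sub", "iss", "aud", "exp", "iat", "at_hash"]
}
""")

# Requirements taken from this page: the endpoint fields in the table above
# and the scope/claim names the "Missing Email Address" section lists.
REQUIRED_ENDPOINTS = ("issuer", "introspection_endpoint", "jwks_uri",
                      "authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "end_session_endpoint")
REQUIRED_SCOPES = {"openid", "profile", "email"}
REQUIRED_CLAIMS = {"email", "sub", "iss", "aud", "exp", "iat", "at_hash"}


def check_discovery(doc):
    """Return a dict of what is missing; an empty dict means the document passes."""
    problems = {}
    missing_endpoints = [k for k in REQUIRED_ENDPOINTS if not doc.get(k)]
    if missing_endpoints:
        problems["endpoints"] = missing_endpoints
    missing_scopes = sorted(REQUIRED_SCOPES - set(doc.get("scopes_supported", [])))
    if missing_scopes:
        problems["scopes_supported"] = missing_scopes
    missing_claims = sorted(REQUIRED_CLAIMS - set(doc.get("claims_supported", [])))
    if missing_claims:
        problems["claims_supported"] = missing_claims
    return problems


def apply_manual_endpoints(doc, overrides):
    """Return a copy of the discovery data with manually specified endpoints
    added or replaced, as is done when the discovery endpoint is disabled."""
    merged = dict(doc)
    merged.update(overrides)
    return merged
```

Running check_discovery on the sample reports the missing userinfo endpoint and the missing email claim; after the manual endpoints are merged and email is added to claims_supported, the check returns an empty dict.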
To confirm that the lists contain the required elements, use the following procedure: