How to troubleshoot SSO integrations

View SSO configuration as seen by the Identity Provider (IdP).

Several fields must match between client-side configuration and Mindful Callback's configuration for SSO to function properly. To verify what is being sent to Mindful Callback during an SSO login, follow the steps below:

  1. Open the Network tab in your browser's development tools (keep this open in the browser attempting login).
  2. Attempt to log in via SSO.
  3. After being redirected to Mindful Callback, inspect the idpresponse network request, then open the Payload tab of the request.
    IDP response example
  4. Copy and paste the value of the SAMLResponse parameter into a Base64 decoder/inflater, such as samltool.com/decode.php.
    This will provide unformatted XML describing the response from the IdP.
  5. Copy and paste the decoded/inflated XML into a text editor or other app capable of formatting XML, then use the XML auto-indent feature to view the response cleanly.
  6. Review the SAML attributes in the XML to determine the provider claims, such as the email address and group, being submitted in the SSO request.
    saml attribute examples
  7. If any values in the provider claim do not match what is expected, work with the Mindful Callback team to ensure that the values are configured properly on both sides.
When all provider claims match between client-side and Mindful Callback configuration, the SSO login should function as expected.