Hi all, does anyone have any experiencing with troubleshooting the SAML integration for SSO in Fleet? We’re getting the following error:

There was an error with single sign-on. Please contact your Fleet administrator.

The

journalctl

logs show:

fleet[4403]: level=error ts=2022-07-12T12:55:25.527528789Z component=http user=unauthenticated method=POST uri=/api/v1/fleet/sso/callback took=3.385322ms err="response validation failed: wrong audience:fleet"

Hi, @Ryan! The most likely culprit is that the

Entity ID

set up in Fleet doesn't exactly match with the one in your identity provider comfiguration.

Thanks @Kathy Satterlee I’ll take a look to see what ours is set to.

It looks like Okta might call that the

Audience URI

. https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/#create-your-integration

Ok thanks, lemme see what I’ve done 😄

I don't have any personal experience with Okta, so I can't answer that one for you. Let me see what I can hunt down.

Ok no worries 🙂 It’s a bit tricky given no one appears to be using the same terminology for the fields, looking at the docs for various SAML providers 😄

So much about tech is like the Wild West.

I think I’ll skip for now especially given you don’t support user provisioning yet anyway, you still have to go and manually invite a user, even to use SSO… Thanks for your help so far though! • https://github.com/fleetdm/fleet/issues/2008 • https://github.com/fleetdm/fleet/issues/239

I did find this on the Okta support forum:

have you created the app on the Okta side yet? Assuming that it's a SAML app, your entity ID is usually in the PDF that Okta provides in the sign on tab.

Hi, I’ve managed to get it to work in the end, but I think the lack of account provisioning somewhat diminishes the usefulness 😄 Thanks for your help though! I’ll keep an eye on those two tickets to follow any progress, and check back in the future.

I'm glad you got it running for now!