Ryan
07/12/2022, 12:55 PM
There was an error with single sign-on. Please contact your Fleet administrator.
The journalctl logs show:
fleet[4403]: level=error ts=2022-07-12T12:55:25.527528789Z component=http user=unauthenticated method=POST uri=/api/v1/fleet/sso/callback took=3.385322ms err="response validation failed: wrong audience:fleet"

Kathy Satterlee
07/12/2022, 2:16 PM
Entity ID set up in Fleet doesn't exactly match with the one in your identity provider configuration.

Ryan
07/12/2022, 3:11 PM

Kathy Satterlee
07/12/2022, 3:43 PM
Audience URI.
https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/#create-your-integration

Ryan
07/12/2022, 4:15 PM
<md:EntityDescriptor entityID="bla" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
attribute, and the value of entityID there matches Identity Provider Issuer
fleet
, should that be set to something else?

Kathy Satterlee
07/12/2022, 4:59 PM

Ryan
07/12/2022, 5:00 PM

Kathy Satterlee
07/12/2022, 5:01 PM

Ryan
07/12/2022, 5:01 PM

Kathy Satterlee
07/12/2022, 5:08 PM
Have you created the app on the Okta side yet? Assuming that it's a SAML app, your entity ID is usually in the PDF that Okta provides in the sign-on tab.

Ryan
07/13/2022, 8:44 AM

Kathy Satterlee
07/13/2022, 2:04 PM