
Troubleshooting & “What Can Go Wrong” Appendix

Common Issues and How to Diagnose Them


User is not redirected to SSO

Likely causes

  • auth_mode = LOCAL_ONLY

  • No matching SSO configuration

  • Email missing or mismatched

Check

  • User profile (auth_mode, email)

  • Routing rules

  • SSO Event Log → stage ROUTING


User redirected to wrong IdP

Likely causes

  • Ambiguous routing rules

  • Overlapping email domain discovery

Behavior

  • Login is blocked (by design)

Fix

  • Make routing deterministic

  • Reduce overlapping SSO configs
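
An added example (not Operations App code) that models the routing outcomes from the two sections above and audits SSO configurations for overlapping email domains. The config field names `name` and `email_domains`, the outcome labels, and the sample data are assumptions.

```python
from collections import defaultdict

# Constructed sample SSO configurations; "name" and "email_domains" are assumed field names.
SSO_CONFIGS = [
    {"name": "corp-idp", "email_domains": ["example.com", "example.org"]},
    {"name": "contractor-idp", "email_domains": ["partner.example", "Example.org"]},
]

def _domains(cfg):
    """Normalize a config's domains so case and stray spaces cannot hide an overlap."""
    return {d.strip().lower() for d in cfg["email_domains"]}

def overlapping_domains(configs):
    """Return {domain: [config names]} for every domain claimed by more than one config."""
    claims = defaultdict(set)
    for cfg in configs:
        for domain in _domains(cfg):
            claims[domain].add(cfg["name"])
    return {d: sorted(names) for d, names in claims.items() if len(names) > 1}

def route(user, configs):
    """Model the routing outcome for one user profile as (outcome, detail)."""
    if user.get("auth_mode") == "LOCAL_ONLY":
        return ("NO_REDIRECT", "auth_mode = LOCAL_ONLY")
    email = (user.get("email") or "").strip().lower()
    if email.count("@") != 1 or email.endswith("@"):
        return ("NO_REDIRECT", "email missing or malformed")
    domain = email.rsplit("@", 1)[1]
    matches = sorted(cfg["name"] for cfg in configs if domain in _domains(cfg))
    if not matches:
        return ("NO_REDIRECT", "no matching SSO configuration for " + domain)
    if len(matches) > 1:
        # Ambiguity is never resolved by picking one IdP: the login is blocked.
        return ("BLOCKED", "ambiguous routing: " + ", ".join(matches))
    return ("SSO", matches[0])

if __name__ == "__main__":
    print("Overlaps:", overlapping_domains(SSO_CONFIGS))
    for email in ("a@example.com", "b@example.org", "c@other.test", None):
        print(email, "->", route({"auth_mode": "SSO_REQUIRED", "email": email}, SSO_CONFIGS))
```

An empty result from `overlapping_domains` means domain discovery is deterministic for the configurations checked.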


First SSO login fails

Likely causes

  • Assertion validation failure

  • Linkage collision

  • Email uniqueness conflict

Check

  • SSO Event Log:

    • ASSERTION_VALIDATION

    • BINDING

    • JIT_PROVISION


Duplicate users created

Should not happen

  • Durable (issuer, subject) uniqueness blocks this.

If suspected

  • Check audit trail for JIT provisioning

  • Check runtime log for linkage collisions


User locked out after enforcement

Cause

  • SSO_REQUIRED enabled before first successful SSO login

Recovery

  • Temporarily set auth_mode = LOCAL_ONLY

  • Have user complete SSO login

  • Re-enable SSO_REQUIRED


User removed from IdP but still visible

Expected

  • SCIM de-provisioning disables users; does not delete them.

Behavior

  • User cannot log in

  • Account remains auditable and reversible


SCIM request disables no one

Expected when

  • User never logged into Operations App

  • User has no SSO linkage

  • scim_deprovisioning_enabled = false


Billing concerns

  • Operations App does not auto-create users.

  • SCIM disables users but does not delete them.

  • Billing logic is external and unaffected by this feature set.


Key Debug Tools

| Tool | Purpose |
|---|---|
| Audit Trail | Who changed configs/users |
| SSO Event Log | Why login/binding/provisioning failed |
| User Profile | auth_mode, linkage, account_state |