Connect AI uses Auth0 as its managed identity broker. You run ADFS, so the claim rules, certificates, and relying party trust are configured on your side. Steps that refer to the Auth0 tenant, the connection’s federation metadata, or Rules and Actions are configured by CData on the broker side. If one applies to your issue, contact CData Support.

Frequently Asked Questions

EmailAddress is recommended and the most widely used. Persistent and Unspecified are also accepted by the broker, but Email keeps mapping straightforward.
Yes. On your side, grant access only to the intended users or groups in the relying party trust within ADFS. A second layer, filtering with Auth0 Rules or Actions, is configured by CData on the broker side; contact CData Support if you need it.
A federation metadata endpoint is preferred over a standalone file. When the endpoint (/FederationMetadata/2007-06/FederationMetadata.xml) is reachable, the broker can pick up configuration changes automatically, such as a new token-signing certificate added ahead of a rollover. CData enters this on the broker side, so make sure the endpoint is enabled and reachable in ADFS, then share its location when SSO is provisioned.

Common Errors

The certificate registered with the broker has to match your ADFS token-signing certificate. Confirm it is the current signing certificate and that the value carries no stray characters and includes the surrounding -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Because the certificate is held on the broker side, contact CData Support if it needs to be updated, for example after a certificate rollover.
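One way to run this check yourself is to compare the PEM you have on record against the signing certificates published in your federation metadata. The following is an added example, not CData or Auth0 code. The function names, the stand-in certificate bytes, and the adfs.example.com entity ID are all constructed for illustration.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Exactly one certificate, framed by the BEGIN/END lines, base64 only in between.
PEM_RE = re.compile(r"\A-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+)\n"
                    r"-----END CERTIFICATE-----\n?\Z")

def pem_fingerprint(pem):
    """SHA-256 of the certificate bytes; ValueError on bad framing or stray characters."""
    m = PEM_RE.match(pem.replace("\r\n", "\n"))
    if not m:
        raise ValueError("missing BEGIN/END lines or stray characters in PEM")
    der = base64.b64decode(m.group(1).replace("\n", ""), validate=True)
    return hashlib.sha256(der).hexdigest()

def metadata_signing_fingerprints(xml_text):
    """Fingerprints of every IdP signing certificate published in the metadata."""
    fps = set()
    root = ET.fromstring(xml_text)  # input is your own ADFS metadata, saved locally
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means signing and encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.add(hashlib.sha256(der).hexdigest())
    return fps

def registered_cert_is_current(pem, xml_text):
    """True when the PEM matches any signing certificate in the metadata."""
    return pem_fingerprint(pem) in metadata_signing_fingerprints(xml_text)

def to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-in bytes, not real X.509 certificates: only the bytes are hashed.
OLD_CERT, NEW_CERT, ENC_CERT = b"constructed-old", b"constructed-new", b"constructed-enc"

def key(use, der):
    return (f'<KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            f'{base64.b64encode(der).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>')

# Constructed metadata mid-rollover: two signing certificates, one encryption certificate.
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.com/adfs/services/trust">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + key("encryption", ENC_CERT) + key("signing", OLD_CERT) + key("signing", NEW_CERT)
    + '</IDPSSODescriptor></EntityDescriptor>')
```

A False result from registered_cert_is_current on your real metadata and PEM means the certificate on record is no longer one of the published signing certificates.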
The ACS URL set in ADFS has to match the callback URL exactly. It follows this pattern, where the tenant and connection name are the values CData provides when SSO is enabled for your account:
https://<AUTH0-TENANT>.auth0.com/login/callback?connection=<CONNECTION_NAME>
If you do not have the exact values, contact CData Support.
  • Review your ADFS claim rules and make sure the Name ID is mapped to the user’s email address.
  • Inspect the assertion with a browser tool such as SAML-tracer to confirm what ADFS is actually sending.
To enable SSO for your account or for additional help, contact CData Support.