Connect AI uses Auth0 as its managed identity broker. Any step that refers to the Auth0 tenant, domain, plan, or Rules and Actions is configured by CData on the broker side and is not something you set up yourself. If one applies to your issue, contact CData Support. The remaining steps are configured in PingFederate.
Frequently Asked Questions
Can I restrict who is allowed to sign in?
Yes. On your side, constrain access in PingFederate using access control policies or attribute filters keyed to roles or group membership. Additional control can be layered on in Auth0 with Rules or Actions, but that part is configured by CData on the broker side; contact CData Support if you need it.
Common Errors
No NameID or email is provided in the assertion.
- Set the Subject Name Format to EmailAddress.
- Make sure the email claim exists in the assertion and is mapped to the correct attribute.
The certificate or signature is rejected.
The certificate registered with the broker has to be PingFederate’s signing certificate. Confirm it is the current signing certificate and that it was provided in full, including the header and footer lines.
Because the certificate is held on the broker side, contact CData Support if it needs to be updated, for example after a certificate rollover.
Sign-in completes but the redirect goes to the wrong place.
Confirm that the ACS URL set in PingFederate matches the callback URL exactly. It follows this pattern, where the tenant and connection name are the values CData provides when SSO is enabled for your account:
https://<YOUR-AUTH0-TENANT>.auth0.com/login/callback?connection=<CONNECTION_NAME>
If you do not have the exact values, contact CData Support.
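
To check a captured sign-in against the NameID/email and redirect errors above, the following added Python example (not CData or PingFederate code) inspects a decoded SAML response for the subject format, the email attribute, and an exact callback URL match. The sample response, the tenant and connection names, and the attribute name "email" are constructed assumptions; substitute the values CData provides.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: placeholder tenant/connection; attribute name "email" is assumed.
EXPECTED_ACS = "https://example-tenant.auth0.com/login/callback?connection=example-conn"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://example-tenant.auth0.com/login/callback?connection=Example-Conn">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, expected_acs, email_attr="email"):
    """Return findings for a decoded SAML response; an empty list means all checks pass.
    Diagnostic only: it does not validate the XML signature."""
    findings = []
    root = ET.fromstring(xml_text)
    # Exact string comparison, because the ACS URL must match the callback URL exactly.
    dest = root.get("Destination")
    if dest != expected_acs:
        findings.append(f"Destination {dest!r} does not match the callback URL exactly")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID is missing or empty")
    elif name_id.get("Format") != EMAIL_FORMAT:
        findings.append(f"NameID Format is {name_id.get('Format')!r}, not emailAddress")
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        v = a.find("saml:AttributeValue", NS)
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    if not attrs.get(email_attr):
        findings.append(f"attribute {email_attr!r} is missing or empty; present: {sorted(attrs)}")
    return findings

if __name__ == "__main__":
    for finding in check_assertion(SAMPLE_RESPONSE, EXPECTED_ACS):
        print("FAIL:", finding)
```

The constructed sample fails all three checks: the connection name differs only in letter case, the subject format is unspecified, and the email value is sent under a different attribute name.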