Connect AI uses Auth0 as its managed identity broker. Any step below that refers to the Auth0 tenant, domain, plan, or Rules and Actions is configured by CData on the broker side and is not something you set up yourself. If one of those applies to your issue, contact CData Support. The remaining steps are configured in your own identity provider.
Frequently Asked Questions
Is IdP-initiated login supported?
Both SP-initiated and IdP-initiated SAML flows work. For IdP-initiated login to succeed, the ACS URL must carry the connection name and your IdP must reference the matching SP Entity ID.
Can I limit who is able to log in?
Yes. You control this on your side by gating on group membership at the IdP. As a second layer, claims can be passed through and evaluated in Auth0 using Rules or Actions, but that part is configured by CData on the broker side; contact CData Support if you need it.
Common Errors
No NameID or email is found in the assertion.
- Verify that the SAML assertion includes a NameID and that it resolves to the user’s email address.
- Inspect the raw SAML response with a browser tool such as SAML-tracer to see what the IdP actually sends.
Certificate or signature is rejected.
Make sure the signing certificate was exported in PEM format, including the surrounding header and footer lines.
Login redirect or callback does not complete.
The ACS URL set in your IdP has to match the callback URL exactly. It follows this pattern, where the tenant and connection name are the values CData provides when SSO is enabled for your account:
https://<AUTH0-TENANT>.auth0.com/login/callback?connection=<CONNECTION_NAME>
If you do not have the exact values, contact CData Support.
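The NameID and ACS URL checks described above can be run against a captured SAMLResponse value (for example, one copied from SAML-tracer). The following is an added example, not code from CData or Auth0. It assumes the IdP sets the Destination attribute on the response; the tenant name, connection name, function names and sample responses are constructed placeholders. It inspects structure only and does not verify the signature.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Constructed placeholder; substitute the tenant and connection name CData provides.
SAMPLE_ACS_URL = "https://example-tenant.auth0.com/login/callback?connection=example-connection"


def check_saml_response(b64_response, expected_acs_url):
    """Return a list of problems found in a base64-encoded SAMLResponse value."""
    raw = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ["response contains a DTD; refusing to parse it"]
    root = ET.fromstring(raw)
    problems = []
    # Destination must equal the ACS URL exactly, query string included.
    destination = root.get("Destination", "")
    if destination != expected_acs_url:
        problems.append(f"Destination {destination!r} does not match the ACS URL")
    # An encrypted assertion has no readable NameID and is reported as missing.
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        problems.append("assertion has no NameID")
    elif not EMAIL_RE.match(value):
        problems.append(f"NameID {value!r} is not an email address")
    return problems


def build_sample(name_id_xml, destination):
    """Build a constructed, unsigned sample response for the demonstration."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{destination}"><saml:Assertion><saml:Subject>'
           f"{name_id_xml}</saml:Subject></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    cases = {
        "correct": build_sample("<saml:NameID>alice@example.com</saml:NameID>", SAMPLE_ACS_URL),
        "username NameID": build_sample("<saml:NameID>alice</saml:NameID>", SAMPLE_ACS_URL),
        "missing NameID": build_sample("", SAMPLE_ACS_URL),
        "ACS without connection": build_sample(
            "<saml:NameID>alice@example.com</saml:NameID>", SAMPLE_ACS_URL.split("?")[0]),
    }
    for label, response in cases.items():
        print(label, "->", check_saml_response(response, SAMPLE_ACS_URL) or "ok")
```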