SSO authentication

First authentication

Once invited to the account, the federated user receives an email containing a link for signing in by SSO and the federation ID.

  1. In the email, click Sign in by SSO.
  2. Enter the federation ID.
  3. Optional: to avoid entering the federation ID each time you log in, check the Save federation checkbox.
  4. Click Sign In.
  5. You will be redirected to the authorization page at the credential provider. After authorization, you will be returned to the Control Panel login page.
  6. Enter your full name.
  7. Click Sign In.

Authentication at every login

  1. On the Control Panel login page, click Sign in with SSO.
  2. Enter the federation ID or select a saved federation. The federation ID can be found in the invitation email or requested from the User Administrator.
  3. Optional: to avoid entering a new federation ID each time you log in, check the Save federation checkbox.
  4. Click Sign In. You will be redirected to the credential provider's authorization page.
  5. Authorize with the credential provider.

Authentication errors

If federation has not been configured correctly, errors may occur when authenticating a federated user. Error groups:

  • SAML001–SAML099: federation configuration errors on the Selectel side;
  • SAML100–SAML199: validation errors on the credential provider side (SAML Response);
  • SAML200–SAML299: other errors.

SAML001–SAML099: configuration errors on the Selectel side

SAML001: saml_idp_is_not_configured
  Reason: A SAML-compliant IdP has not been configured on the Selectel side.
  Solution: Check the federation settings on the Selectel side.

SAML002: saml_idp_certs_not_configured
  Reason: The federation in Selectel does not have a certificate.
  Solution: Add a certificate issued by the credential provider to the federation.

SAML100–SAML199: SAML Response validation errors

SAML100: saml_response_invalid_request_id
  Reason: Incorrect SAML request identifier. Possible causes:
    • repeated authentication attempt within a single request (SAML Response);
    • the time allotted for user authentication has expired: after going to the authentication page, the user took 10 minutes or more to enter credentials.
  Solution: Go to the authentication page from the Selectel control panel and authorize again.

SAML101: saml_response_invalid_destination
  Reason: The Destination parameter in the SAML Response is set incorrectly.
  Solution: Set the correct URL for the SAML Assertion Consumer Service on the credential provider side:

SAML102: saml_response_invalid_in_response_to
  Reason: The SAML Response was created for an authentication request with a different identifier.
  Solution: Go to the authentication page from the Selectel control panel and authorize again.

SAML103: saml_response_invalid_issuer
  Reason: An incorrect value of the IdP Issuer field was specified when the federation was created in Selectel.
  Solution: In the federation settings in Selectel, set the correct value in the IdP Issuer field.

SAML104: saml_response_invalid_signature
  Reason: The signature of the received SAML Response is incorrect. Possible causes:
    • the credential provider returned an incorrect SAML Response. You can check whether the SAML Response is correct using third-party utilities (e.g., Onelogin);
    • an invalid certificate has been added to Selectel for the federation.

SAML105: saml_response_subject_not_found
  Reason: The Subject section is missing from the received SAML Response.
  Solution: Configure federation on the credential provider side so that the Subject section is included in the SAML Response.

SAML106: saml_response_name_id_not_found
  Reason: NameID is not present in the received SAML Response.
  Solution: Configure federation on the credential provider side so that the SAML Response includes the NameID parameter:

SAML107: saml_response_user_not_found
  Reason: The user does not exist in Selectel.
  Solution: Add a federated user. If a federated user has already been added, make sure that the value of the ExternalID field of the created federated user matches the user ID on the credential provider side.

SAML108: saml_response_invalid_assertion_xml
  Reason: The SAML Response format is incorrect.
  Solution: You can check the SAML Response using third-party utilities (e.g., Onelogin).

SAML109: saml_response_invalid_assertion
  Reason: Incorrect SAML Response.
  Solution: Verify the federation configuration on the credential provider side. You can check the SAML Response using third-party utilities (for example, Onelogin).

SAML200–SAML299: other errors

SAML200: saml_internal_error
  Reason: Requires clarification.
  Solution: Create a support ticket.

SAML201: saml_malformed_request
  Reason: Incorrect request parameters sent from the credential provider to Selectel after authentication on the provider side.
  Solution: Verify the federation configuration on the credential provider side.
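
A local pre-check for the structural errors in the SAML100–SAML199 group, added here as an example and not Selectel's own code: it decodes a captured SAML Response and reports which of the codes above it would likely trigger. The mapping of checks to codes follows the wording of the error list and is an assumption, as are the function names and the constructed ACS URL, issuer and request ID; signature validation (SAML104) is out of scope.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholder values, not Selectel's or any real IdP's.
ACS = "https://sp.example.test/saml/acs"
ISSUER = "https://idp.example.test/metadata"
REQ = "_constructed-request-id"

def triage(b64_response, acs_url, idp_issuer, request_id):
    """Return the error codes from the table that a response would likely hit.

    Assumption: the mapping follows the table's wording, not the service's
    actual validator. Signatures (SAML104) are not verified here.
    """
    try:
        root = ET.fromstring(base64.b64decode(b64_response))
    except (ValueError, ET.ParseError):
        return ["SAML108"]  # not base64, or not well-formed XML
    codes = []
    if root.get("Destination") != acs_url:
        codes.append("SAML101")  # Destination is not the expected ACS URL
    if root.get("InResponseTo") != request_id:
        codes.append("SAML102")  # answers a different AuthnRequest
    issuers = {(e.text or "").strip() for e in root.iter("{%s}Issuer" % NS["a"])}
    if issuers != {idp_issuer}:
        codes.append("SAML103")  # missing or unexpected Issuer value
    subject = root.find("a:Assertion/a:Subject", NS)
    if subject is None:
        codes.append("SAML105")
    elif not subject.findtext("a:NameID", "", NS).strip():
        codes.append("SAML106")  # Subject present, NameID absent or empty
    return codes

def sample(destination, in_response_to, issuer, name_id):
    """Build a minimal, unsigned, constructed SAML Response (base64)."""
    nid = "<a:NameID>%s</a:NameID>" % name_id if name_id else ""
    xml = ('<p:Response xmlns:p="%s" xmlns:a="%s" Destination="%s" '
           'InResponseTo="%s"><a:Issuer>%s</a:Issuer><a:Assertion>'
           '<a:Issuer>%s</a:Issuer><a:Subject>%s</a:Subject></a:Assertion>'
           '</p:Response>' % (NS["p"], NS["a"], destination, in_response_to,
                              issuer, issuer, nid))
    return base64.b64encode(xml.encode())

if __name__ == "__main__":
    print(triage(sample(ACS, REQ, ISSUER, "user-1"), ACS, ISSUER, REQ))
    print(triage(sample(ACS + "/", REQ, "https://other.example.test", ""),
                 ACS, ISSUER, REQ))
```

The comparison is an exact string match, so a trailing slash or a different scheme in the ACS URL or issuer is reported as a mismatch.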