SAML Identity Provider user log in issues

Description:
This KB article describes several scenarios that can occur when a SAML-based Identity Provider (IdP) is used to authenticate log-in requests to the CPM.

Scenario 1
A user who belongs to a cpm_<groupname> group in the Identity Provider tries to log in to the CPM, but the corresponding group does not exist in the CPM.

When trying to log in to the CPM, you'll receive an error message in the GUI (screenshot not reproduced here).

In the cpm_server.log you can find this error message:
ERROR:  login_error(directory_service_utils.py:549)  Login failed (user 'CPMLAB\cpmuser2'). Group 'group22' doesn't exist

Resolution:
To solve this issue, create the corresponding group (in this example, group22) in the CPM.

Scenario 2
A user belongs to more than one "cpm_" group in the Identity Provider at the same time.

In the CPM GUI you'll receive an error message (screenshot not reproduced here).

In the cpm_server.log you can find this error message:
ERROR:  login_error(directory_service_utils.py:549)  Login failed (user 'CPMLAB\cpmuser3'). The user must be a member of a single IdP group with permission to use CPM

Resolution:
In this case, check whether this user belongs to more than one "cpm_" group in the Identity Provider you use; a user must be assigned to exactly one "cpm_" group, and assigning a user to more than one of these groups is not allowed.

Scenario 3
A user who doesn't belong to any "cpm_" group tries to log in to the CPM, or the group membership claim is configured incorrectly.

In the CPM GUI you'll receive an error message (screenshot not reproduced here).

In the cpm_server.log you can find this error message:
ERROR:  login_error(directory_service_utils.py:549)  Login failed (user 'CPMLAB\cpmuser4'). User not authorized to use CPM. Possible cause - missing or invalid 'group membership claim'

Resolution:
In this case, check whether the user belongs to one of the "cpm_" groups in your Identity Provider, and verify that the group membership claim in your SAML configuration is set up correctly.
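The three scenarios above can be reproduced as a single group-membership check. The following is an added example, not CPM's own code: it models the documented behaviour (the check order, the prefix match and the rule that the CPM group name is the IdP group name without "cpm_" are assumptions), so an administrator can predict which log message a given claim will produce before users hit it.

```python
# Model of the three IdP group checks this KB documents (added example; an
# assumed reconstruction of the documented behaviour, not CPM's own code).
# Assumption: the CPM group name is the IdP group name minus the "cpm_" prefix.
from typing import Iterable, Optional

CPM_PREFIX = "cpm_"

# Scenario number -> resolution text from this KB
RESOLUTIONS = {
    1: "Create the corresponding group in the CPM.",
    2: "Ensure the user is a member of exactly one cpm_ group in the IdP.",
    3: "Add the user to a cpm_ group and verify the group membership claim.",
}


def check_idp_login(user: str, claim_groups: Optional[Iterable[str]],
                    cpm_groups: Iterable[str]) -> dict:
    """Evaluate a SAML login the way the KB's log messages describe.

    claim_groups: group values carried in the group membership claim
                  (None models a missing or misconfigured claim).
    cpm_groups:   group names that exist in the CPM (without "cpm_").
    """
    cpm_matches = [g for g in (claim_groups or []) if g.startswith(CPM_PREFIX)]

    if not cpm_matches:                      # Scenario 3
        return _fail(user, 3, "User not authorized to use CPM. Possible cause "
                     "- missing or invalid 'group membership claim'")
    if len(cpm_matches) > 1:                 # Scenario 2
        return _fail(user, 2, "The user must be a member of a single IdP "
                     "group with permission to use CPM")
    name = cpm_matches[0][len(CPM_PREFIX):]
    if name not in set(cpm_groups):          # Scenario 1
        return _fail(user, 1, f"Group '{name}' doesn't exist")
    return {"ok": True, "scenario": None, "group": name,
            "message": f"Login ok (user '{user}'), CPM group '{name}'"}


def _fail(user: str, scenario: int, reason: str) -> dict:
    return {"ok": False, "scenario": scenario,
            "message": f"Login failed (user '{user}'). {reason}",
            "resolution": RESOLUTIONS[scenario]}


if __name__ == "__main__":
    # Constructed sample: the three users from the KB plus one healthy case.
    cpm = ["group1"]
    for user, claim in [(r"CPMLAB\cpmuser2", ["cpm_group22"]),
                        (r"CPMLAB\cpmuser3", ["cpm_group1", "cpm_group22"]),
                        (r"CPMLAB\cpmuser4", None),
                        (r"CPMLAB\cpmuser1", ["Domain Users", "cpm_group1"])]:
        print(check_idp_login(user, claim, cpm)["message"])
```

Feed it the group values you see in a captured SAML assertion together with the group list from the CPM to see which scenario (and which resolution) applies.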