There are a number of places where you might see temporary or permanent errors when trying set up or to use Single Sign On within SmartSurvey.
Setup Page
On the setup page, there is an option to test the discovery endpoint. If this fails, an error code is displayed which is the HTTP status code of the response.
- 0: An error meant that the attempted connection was not made to the destination server. This might be because there is no public Domain Name Server (DNS) entry for your Identity Provider (IdP), so the lookup failed, it might also be because Cross-Origin Resource Sharing (CORs) does not permit the smartsurvey domain (app.smartsurvey.co.uk) to use your identity provider.
- 401: This means that the endpoint is setup to require authorisation but none was provided. It is not standard for the discovery endpoint to require authorisation and we do not support any mechanism to pass credentials to the discovery endpoint to do this. You will need to disable authorisation on the discovery endpoint.
- 403: This should never be returned but implies that credentials were supplied but do not have permission to access the endpoint. It is possible that this response is hard-coded for some reason in the identity provider application. If this happens, it is most likely that the IdP needs configuration to allow Discovery to be made.
- 404: The host server was correctly looked up with DNS but a request did not then reach a valid endpoint and so the destination server returned "not found (404)". This might be because your system does not use discovery (it should be at a well-known location: www.yourdomain.com/.well-known/openid-configuration). If you cannot access this internally, then you will need to contact your IdP support team to help you set it up. It is also possible that the origin url is incorrect, for example, you might have put www.yourdomain.com where you needed to put accounts.yourdomain.com.
- 500: Internal server error. We were able to call an endpoint but your system generated an error. This is unexpected in normal usage, even if we were not permitted to access the endpoint. This means that there is probably a problem on the IdP. Details about exactly what will usually be found in the IdP server logs for that system.
- 503: This is usually returned by your server when it has been switched off temporarily, e.g. for maintenance, and it should succeed once the server is switched back on.
Other Setup Errors
Other errors that might cause an error to appear if the endpoint cannot be contacted and which will need to be resolved include:
- A firewall might be blocking the call, which will usually drop the packet. This could cause a timeout, or will return some kind of error.
- If you have rate limiting enabled, a 429 might be returned, although we wouldn't expect to call the IdP often enough to see this.
- If the document returned is not correctly formed, you might see an error like "Could not find 'issuer' property in response".
- The issuer in the returned document must match the origin URL.
Errors in Operation
"The system could not obtain user data for the current login..." - this occurs when SmartSurvey attempts to download user information for the person who has just logged in. It does this by attempting to call the userinfo_endpoint specified in your OpenID Connect discovery document. If it cannot contact this endpoint, you will see this error.
Other causes include: You have entered an incorrect client secret into the SSO setup page; The user info endpoint did not return the requested scopes; Your system doesn't support the "code verifier" security mechanism; The discovery endpoint was not available at the point the user data was being queried; The user info endpoint returned an error; The token returned was not valid/not in the correct format.
These are unusual errors but might occur the first time you attempt to use the SSO process if you have not correctly configured your Identity Provider or you have firewalls blocking the necessary endpoints.