Appendix E - SAML Setup : Troubleshooting

Troubleshooting

Problem: The SAML flow between Orchestra and the identity provider isn't working.
Solution:
1. First, enable debug logging for SAML in Orchestra. This is done by setting the level to DEBUG on the following lines in orchestra/system/conf/logback.xml. No restart is required.
A typical error in the log looks like this:
2018-12-18 15:18:45.433 [default task-25] WARN c.q.q.c.a.s.saml.SamlCallbackFilter - Unable to log in using SAML integration. error: Assertion audience [okta2] does not match SP configuration okta
2018-12-18 15:19:44.503 [default task-43] ERROR o.p.s.s.i.SAML2DefaultResponseValidator - Current assertion validation failed, continue with the next one
org.pac4j.saml.exceptions.SAMLAssertionAudienceException: Assertion audience [okta2] does not match SP configuration okta
As can be seen, the audience okta2 asserted by the identity provider does not match the value okta that Orchestra is configured with for Okta (the selected identity provider in this case), i.e. Okta is incorrectly configured.
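The check that produces this error compares the AudienceRestriction in the assertion with the service-provider entity ID configured on the Orchestra side. The following added example (not Orchestra or pac4j code) reimplements that comparison in Python on a constructed assertion, and also extracts the two values from the WARN line above so they can be compared against the configuration:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion (not captured from a real deployment): the IdP issued it
# for audience "okta2", while the SP side in Orchestra is assumed to be configured as "okta".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" IssueInstant="2018-12-18T15:18:45Z" Version="2.0">
  <saml:Issuer>http://www.okta.com/constructed-issuer</saml:Issuer>
  <saml:Conditions NotBefore="2018-12-18T15:13:45Z" NotOnOrAfter="2018-12-18T15:23:45Z">
    <saml:AudienceRestriction>
      <saml:Audience>okta2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def assertion_audiences(assertion_xml):
    """Return every <saml:Audience> value inside the assertion's <saml:Conditions>."""
    root = ET.fromstring(assertion_xml)
    found = root.findall(".//saml:AudienceRestriction/saml:Audience", NS)
    return [a.text.strip() for a in found if a.text]


def audience_matches(assertion_xml, sp_entity_id):
    """SP-side audience check: accept only if one audience equals the configured
    SP entity ID. Returns (ok, reason); the reason mirrors the wording in the log."""
    audiences = assertion_audiences(assertion_xml)
    if sp_entity_id in audiences:
        return True, None
    return False, "Assertion audience [%s] does not match SP configuration %s" % (
        ", ".join(audiences), sp_entity_id)


# Pulls (audience sent by the IdP, entity ID expected by Orchestra) out of the WARN line.
LOG_RE = re.compile(
    r"Assertion audience \[(?P<actual>[^\]]*)\] does not match SP configuration (?P<expected>\S+)")


def parse_audience_mismatch(log_line):
    """Return (actual_audience, expected_sp_entity_id) from a SamlCallbackFilter WARN line,
    or None if the line is not an audience-mismatch error."""
    m = LOG_RE.search(log_line)
    return (m.group("actual"), m.group("expected")) if m else None
```

If the extracted pair differs, fix the audience (SP entity ID) on the identity-provider application so it equals the value configured in Orchestra; whichever side is changed, the two strings must be identical.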
2. Another way to debug is to open the browser developer tools (Ctrl+Shift+I in Chrome). Open the Network tab and enable Preserve log, then try to access Orchestra again. The network log should look like this.
Here you can see that both okta.com and the local Orchestra domain are involved, and that Orchestra adds an error.login.failed error message. Check the log file to see what went wrong.
If you cannot solve the problem, please contact support.