Connect AI uses Auth0 as its managed identity broker. You configure the SAML app, attribute mappings, and access in the Google Admin console; steps that refer to the Auth0 tenant, the connection’s certificate, or Rules and Actions are configured by CData on the broker side. If one of those broker-side steps applies to your issue, contact CData Support.
Common Errors
No email or NameID is found in the assertion.
- In Google, set the Name ID to the user’s Primary email.
- Review the attribute mappings so that email and given_name are sent and named as the broker expects.
The certificate is rejected or invalid.
Make sure Google’s X.509 certificate was copied in full, including the header and footer lines. Uploading Google’s metadata XML instead, when that option is offered, avoids copy-and-paste mistakes. Because the certificate is held on the broker side, contact CData Support if it needs to be replaced.
Users cannot open the app.
In the Google Admin console, confirm the SAML app is turned on for the users or organizational units that need access.
The redirect fails after sign-in.
- Confirm the ACS URL set in Google matches the callback URL exactly. It follows this pattern, where the tenant and connection name are the values CData provides when SSO is enabled:
https://<AUTH0-TENANT>.auth0.com/login/callback?connection=<CONNECTION_NAME>
- Check that the Entity ID in Google matches the value the broker expects.
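The checks above can be run against a SAMLResponse captured from the browser's POST to the callback URL. This is an added example, not CData or Google code; it is a diagnostic sketch in Python. The function names, the sample tenant and connection names, and the Entity ID value are constructed placeholders, and the response is built unsigned for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response, expected_acs, expected_entity_id,
                        required_attrs=("email", "given_name")):
    """List setup problems visible in a base64-encoded SAMLResponse.
    Diagnostic only: no signature check, so never use it to trust an assertion."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    problems += [f"attribute {n!r} not sent" for n in required_attrs if n not in sent]
    # The ACS URL configured in Google appears as Destination; compare exactly.
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    # The Entity ID configured in Google appears as the assertion's Audience.
    audiences = {(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)}
    if expected_entity_id not in audiences:
        problems.append(f"Entity ID not in Audience {sorted(audiences)}")
    return problems

def build_sample(name_id, attrs, destination, audience):
    """Constructed, unsigned sample response, base64-encoded like the POST field."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        f'</saml:AttributeValue></saml:Attribute>' for n, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{destination}"><saml:Assertion><saml:Subject>'
           f'<saml:NameID>{name_id}</saml:NameID></saml:Subject><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

# Constructed placeholder values, not real tenant, connection or Entity ID values.
ACS = "https://example-tenant.auth0.com/login/callback?connection=example-connection"
ENTITY_ID = "urn:example:entity-id"

if __name__ == "__main__":
    # Empty NameID, misnamed attribute, and a trailing slash on the ACS URL.
    bad = build_sample("", {"mail": "user@example.com"}, ACS + "/", ENTITY_ID)
    for problem in check_saml_response(bad, ACS, ENTITY_ID):
        print("PROBLEM:", problem)
```

Replace `ACS` and `ENTITY_ID` with the values CData provides, and pass the captured `SAMLResponse` form field in place of the constructed sample.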