Description
- Users who previously logged in successfully to Katalyst suddenly cannot log in.
- The environment uses SSO or an external identity provider (IdP).
- Recent changes may include:
  - IdP metadata updates, new certificates, or URL changes.
  - New MFA requirements or client app registration changes.
- Error messages may be generic ("login failed") or reference invalid tokens/claims.
Solution
- Confirm with the identity/security team what changed in the IdP configuration:
  - New SSO endpoints or realm/tenant changes.
  - New signing/encryption certificates.
  - Modified client ID/secret, redirect URIs, or scopes.
- Update the Katalyst configuration accordingly:
  - Adjust IdP URLs (authorization, token, JWKS).
  - Update the client ID/secret and allowed redirect URIs.
  - Import or trust new IdP certificates if applicable.
- Verify token content:
  - Ensure required claims (e.g., username, email, groups) are present and mapped correctly in Katalyst.
  - Check token lifetimes and refresh token behavior, especially for long sessions.
- After adjustments:
  - Restart Katalyst if needed.
  - Test login with one or two pilot users, then roll out broadly.
- Keep a change log linking IdP changes to the corresponding Katalyst configuration updates for future reference.