Attempted Login to Engine Fails With "Sorry you can't access saml-sso... because you are not assigned this app in Okta" (KBA5999)
KBA
KBA# 5999
Issue
All attempts to access the Delphix Engine web interface fail with a redirect to delphix.okta.com, and a message similar to the following:
Sorry, you can't access saml-sso-<engine name>-<some alphanumeric string> because you are not assigned this app in Okta.
Prerequisites
The Engine has previously been registered in Central Management
Applicable Delphix Versions
- Click here to view the versions of the Delphix engine to which this article applies
-
Major Release All Sub Releases 6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0 5.3
5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
Resolution
This issue occurs when an Engine is deleted from Central Management, but was not Disconnected from the Engine-side.
Once an Engine is configured in Central Management, all Engine authentication is handled by Central Management and relayed through Delphix IdP. When the Engine is removed from Central Management, the references from Delphix IdP are deleted, but the deletion does not affect any state change on the Engine.
Attempting to re-add the Engine to Central Management also will be insufficient to resolve.
To ultimately resolve this issue, the Engine must be "disconnected" from Central Management using the following procedure:
- Access the Delphix Connect Agent directly via https://<engine address>/agent.
- Click the Disconnect Engine hyperlink, this will remove the Central Management configuration and allow SSO to disable (or will automatically disable SSO).
As per our documentation at:
https://docs.delphix.com/cm/removing-engines
It is also recommended that the Engine be disconnected via System Setup first, then deleted from Central Management.
Troubleshooting
Attempts to work around the issue by disabling SSO manually via sysadmin will fail with a message indicating the Engine is connected to Delphix Central Management:
DelphixEngine> /service sso DelphixEngine service sso> update DelphixEngine service sso update *> set enabled=false DelphixEngine service sso update *> commit Error: Cannot modify SAML/SSO configuration as the engine is connected to Delphix Central Management. Action: Use Delphix Central Management to manage authentication.
Related Articles
The following articles may provide more information or related information to this article: