Skip to main content
Delphix

Attempted Login to Engine Fails With "Sorry you can't access saml-sso... because you are not assigned this app in Okta" (KBA5999)

 

KBA

KBA# 5999

 

Issue

All attempts to access the Delphix Engine web interface fail with a redirect to delphix.okta.com, and a message similar to the following:

Sorry, you can't access saml-sso-<engine name>-<some alphanumeric string> because you are not assigned this app in Okta.

clipboard_e10d84eb6ee5e287695103203ab9458a6.png

Prerequisites

The Engine has previously been registered in Central Management

Applicable Delphix Versions

Click here to view the versions of the Delphix engine to which this article applies
Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0

5.3

5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

Resolution

This issue occurs when an Engine is deleted from Central Management, but was not Disconnected from the Engine-side.

Once an Engine is configured in Central Management, all Engine authentication is handled by Central Management and relayed through Delphix IdP.  When the Engine is removed from Central Management, the references from Delphix IdP are deleted, but the deletion does not affect any state change on the Engine.

Attempting to re-add the Engine to Central Management also will be insufficient to resolve.

To ultimately resolve this issue, the Engine must be "disconnected" from Central Management using the following procedure:

  1. Access the Delphix Connect Agent directly via https://<engine address>/agent
  2. Click the Disconnect Engine hyperlink, this will remove the Central Management configuration and allow SSO to disable (or will automatically disable SSO).

clipboard_e5524ec28cfef5b52b40f7c69d116d023.png

As per our documentation at:

https://docs.delphix.com/cm/removing-engines

It is also recommended that the Engine be disconnected via System Setup first, then deleted from Central Management. 


Troubleshooting

Attempts to work around the issue by disabling SSO manually via sysadmin will fail with a message indicating the Engine is connected to Delphix Central Management:

DelphixEngine> /service sso
DelphixEngine service sso> update
DelphixEngine service sso update *> set enabled=false
DelphixEngine service sso update *> commit
   Error: Cannot modify SAML/SSO configuration as the engine is connected to Delphix Central
          Management.
  Action: Use Delphix Central Management to manage authentication.

 


Related Articles

The following articles may provide more information or related information to this article: