After setting up Split SSO integration with a SAML provider (such as OKTA or GSuite), a user who tries to log in gets an HTTP 403 error and is sent back to the Split login page.
There are multiple root causes:
- In the SAML provider's setup or configuration page, the "ACS URL" field does not match the "Entity ID" field.
- The "Signed Response" box is checked for GSuite.
- The user is trying to log in from the Split login page, not through SAML.
- A new user has an existing Split invite, which collides with the JIT SAML feature that creates users with Just-In-Time Provisioning.

The corresponding fixes are:
1. Make sure the "ACS URL" field is identical to the "Entity ID" field, as shown in the OKTA example below.
2. Make sure "Signed Response" is unchecked in GSuite.
3. Always use your SAML page to log in to the Split app. You can also use the login URL from the Administrator site, Security page.
4. Go to the Split Administrator page, click the Users tab, and check whether the user shows up as "pending" in the Status column. If the record exists, click "revoke invite" to delete the invitation.
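
The first two causes can be checked from a captured login attempt. The following is an added example, not part of the original article and not Split tooling: it decodes the base64 `SAMLResponse` form value posted by the provider and compares the response `Destination` (the ACS URL) with the assertion `Audience` (the Entity ID), then reports whether the whole response is signed. It assumes the provider fills these standard SAML 2.0 fields; the function names, sample response and URLs are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def diagnose(saml_response_b64, gsuite=False):
    """Return (code, detail) findings for a base64 SAMLResponse form value.

    Diagnostic only: this inspects fields and does not verify any signature.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    acs_url = (root.get("Destination") or "").strip()
    audience = (root.findtext(".//saml:AudienceRestriction/saml:Audience",
                              default="", namespaces=NS) or "").strip()
    if not acs_url or not audience:
        findings.append(("missing_field", "Destination or Audience is absent"))
    elif acs_url != audience:
        findings.append(("acs_entity_mismatch",
                         f"ACS URL {acs_url!r} != Entity ID {audience!r}"))
    # A ds:Signature that is a direct child of <Response> means the IdP
    # signed the whole response, i.e. "Signed Response" is enabled.
    if gsuite and root.find("ds:Signature", NS) is not None:
        findings.append(("signed_response", "uncheck Signed Response in GSuite"))
    return findings

def make_sample(destination, audience, signed_response=False):
    """Build a constructed, minimal SAMLResponse (placeholder URLs, empty signature)."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
           if signed_response else "")
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'Destination="{destination}">{sig}'
        '<saml:Assertion><saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
        '</samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    ok = "https://sp.example.invalid/saml/acs"  # constructed placeholder URL
    print(diagnose(make_sample(ok, ok)))
    print(diagnose(make_sample(ok, "https://sp.example.invalid/entity")))
    print(diagnose(make_sample(ok, ok, signed_response=True), gsuite=True))
```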