After setting up Split SSO integration with a SAML Provider (like OKTA, GSuite, etc.), when a user tries to login, getting 403 HTTP error, and page go back to Split login page.
There are multiple root causes:
- In SAML Provider setup or configuration page, "ACS URL" field does not match "Entity ID" field.
- "Signed Response" box is checked for GSuite.
- There are multiple Certificates used in IdP Metadata in GSuite.
- User is trying to login from the Split Login page, not SAML
- New user has an existing Split Invite which will collide with the JIT SAML feature that allows creating user with Just-In-Time Provisioning
- The SSO Provider requires the SAML Response to be signed, but this configuration option for Split app within the SSO server is not enabled.
- Make sure the "ACS URL" field is identical to "Entity ID" field. As shown in OKTA example below
2. Make sure the "Signed Response" is unchecked in GSuite
3. Make sure to use only one Certificate in GSuite for the IdP Metadata.
4. Always use your SAML page to login to Split app, you can also use the login URL from the Administrator site, Security page
5. Go to the Split Administrator page, click on Users tab, verify if the user show up under "pending" Status Column, if the record does exist, click on "revoke invite" to delete the invitation.
6. Confirm with the SSO Admin if the SSO provider requires signing SAML Response, and make sure the option is enabled for Split app configuration in the SSO provider server.
For Azure SSO, make sure to select Sign both response and assertion