Limitations and log locations
There are some limitations when you configure SSO on an Access Appliance cluster.
An identity provider cannot be edited. It can only be removed and added again.
Single logout is not implemented. If a SAML user logs out of the application and then tries to log in with SSO again, the user is not asked for login credentials unless the SSO session has expired. This applies to any other application using the same IDP.
If an external certificate authority (ECA) is configured after the identity provider is configured, login with SSO does not work until the identity provider is updated with the latest service provider metadata XML from the Access Appliance. This can be done by downloading the service provider metadata XML from . This metadata needs to be updated on the IDP side.
The AD/IDP server date, time, and time zone should be the same as those of the Access Appliance cluster. Otherwise, the SSO login fails.
The logs can be found by logging into the Access Appliance CLISH, elevating to root and accessing the logs at:
/log/VRTSnas/isagui_webserver.log
/log/VRTSnas/isagui_sso_config.log