Closed Bug 1641706 Opened 5 years ago Closed 5 years ago

SSO Request for CultureAmp, Mozilla's Engagement Survey Tool

Categories

(Infrastructure & Operations :: SSO: Requests, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: spotter, Assigned: jabba)

Attachments

(4 files)

We would like to put CultureAmp behind SSO before we launch our next Engagement Survey on June 22nd.

I scheduled a meeting for Monday to go over this. I think we started setting it up in the past, so it's almost ready to go.

Assignee: nobody → jdow

Awesome. Thank you for jumping so quickly on this and sending the invite. Have a great weekend, and I'll see ya then!

I noticed some new behavior on the CultureAmp sign-in page: there's a "SSO | Use your organization’s single sign on" button now.

When I go there and type in mozilla...

It changes the URL but doesn't sign me in.

I looked at this and experienced exactly what you described. It looks to me like it's a bug or misconfiguration on their end. It never even tries to redirect me over to Auth0 or anything. Would it be possible to file a support request with Culture Amp to ask about this new behavior and if it's something they can enable for us? It's possible that although SSO is working via our sso.mozilla.com/cultureamp link, they need to specifically enable it for their mozilla.cultureamp.com link.

It seems it's a bug on their side.

Email/password was taking precedence over SSO. Their engineers are going to take a look at it next week and follow up with me. In the meantime, I asked if they could remove the "Use your organization's single sign on" link, and they aren't able to, as it's not account specific.

At my request, they've disabled email/password, and now the issue is different. After entering the subdomain mozilla, I'm sent to the SSO error screen in the screenshot.

I'm still able to use sso.mozilla.com/cultureamp to log in.

Not sure how helpful it'll be, but they provided this link while troubleshooting to test the SSO configuration which also worked: https://mozilla.cultureamp.com/saml/mozilla

Any clue what could be happening here?

Perfect. This is actually helpful. The callback URL that I had configured is https://mozilla.cultureamp.com/saml/callback/mozilla; however, I see that when I reproduce that Auth0 error message, down at the bottom it said the error was because that login screen is taking us to https://identity.cultureamp.com/saml/callback/mozilla instead, which I'm guessing is a newer SAML endpoint that they are implementing. I was able to whitelist that URL alongside the one we already had, and now it appears that everything is working how it should!
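The callback mismatch described in the comment above, as an added example that is not part of the original bug thread and is not Auth0's or Culture Amp's code: an exact-match callback allow-list check of the kind that would accept the configured URL and refuse the new identity.cultureamp.com endpoint until it is listed. Only the two URLs come from the thread; the allow-list structure and function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Callback URL that was configured before the fix (from the thread).
# Holding the allow-list as a plain Python list is an assumption of this example.
ALLOWED_CALLBACKS = ["https://mozilla.cultureamp.com/saml/callback/mozilla"]


def normalize(url):
    """Return (host, port, path) for an acceptable https callback URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443  # .port raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    # A callback should carry no credentials, query string or fragment.
    if parts.username or parts.password or parts.query or parts.fragment:
        return None
    return (parts.hostname.lower().rstrip("."), port, parts.path)


def callback_allowed(requested, allowed):
    """Exact match on normalized host, port and path: no wildcards, no prefixes."""
    want = normalize(requested)
    return want is not None and any(normalize(a) == want for a in allowed)


def explain_mismatch(requested, allowed):
    """For triage: name the component that differs from each allow-list entry."""
    want = normalize(requested)
    if want is None:
        return ["requested URL rejected before comparison"]
    notes = []
    for entry in allowed:
        have = normalize(entry)
        if have is None:
            notes.append(f"{entry}: invalid allow-list entry")
            continue
        diffs = [n for n, w, h in zip(("host", "port", "path"), want, have) if w != h]
        notes.append(f"{entry}: " + (", ".join(diffs) + " differs" if diffs else "match"))
    return notes
```

Listing each callback explicitly, as was done in the fix, keeps the match exact; the check above would also refuse a lookalike host or an extended path.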

Stellar. It's working for me now, too.

I've passed this along to their team to hopefully cut down on this kind of issue in the future. Thank you for jumping on this and saving the day!

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
