Improve user-facing OIDC errors when no role is matched #7436
Comments
|
Unfortunately I am affected by this. Currently I am managing 4 clusters as Leaf and 1 as Main. I rely on regex to match SSO group to roles. (we use SAML) for example group Then in my Leaf role mapping I do this: However, due to the error in this Issue, we are forced to do the following in the main cluster as workaround. We create dummy roles in
This makes manageability of this extremely hard and can get out of hand easily. If someone can point out where the logic happens, so we can contribute to fixing this to allow non matching roles. |
|
Let's fix this, but not change the user facing message. Even if we told the user what the problem was (no matching roles) they can't actually fix it, the administrator has to. Maybe instead let's improve the error message that goes into the audit log and process logs. Update the user facing message to say something like, "Contact your system administrator who can view the full error message in the Audit Log." |
What
What would you like Teleport to do differently? Improve the user-facing OIDC errors if/when an SSO user doesn't match any roles. At present, the displayed error is "Login Unsuccessful" and "unable to process callback".
How
How would you implement this? Display a friendly user-error "Unable to match your account to any roles, contact your Teleport administrator" or even better a configurable error message for this condition. I can see organizations enriching this type of failure with domain-specific details (support e-mail, links to create tickets, etc...)
Why
Why do you need this? It provides some context for the user and the initial support contact.
Workaround
N/A
The text was updated successfully, but these errors were encountered: