Unable to Reconfigure SSO in PCD UI Using the Same Entity ID

Problem

After disabling SSO in the Platform9 PCD UI, attempting to reconfigure SSO with the same entity ID is not allowed. The UI displays an error "Identity provider already exists" or does not permit using the previous entity ID for SSO setup.

Environment

Private Cloud Director Virtualization - v2025.6 and Higher
Private Cloud Director Kubernetes – v2025.6 and Higher
Self-Hosted Private Cloud Director Virtualization - v2025.6 and Higher
Self-Hosted Private Cloud Director Kubernetes - v2025.6 and Higher
Component - SSO

Cause

Disabling SSO from the PCD UI removes the SSO settings from the Backend service (Consul) but does not delete the Identity Provider (IDP) object from OpenStack. This means the entity ID stays in OpenStack, stopping reuse during reconfiguration.

Diagnostics

To allow SSO to be reconfigured with the same entity ID

Step 1: List existing identity provider:

Command
    
​x
 
$ openstack identity provider list​
+---------------------+---------------------------------------------------------------+
| Field               | Value                                                         |
+---------------------+---------------------------------------------------------------+
| authorization_ttl   | None                                                          |
| description         | None                                                          |
| domain_id           | default                                                       |
| enabled             | True                                                          |
| id                  | [IDP1_VALUE]                                                  || remote_ids          | https://sts......../                                          |
+---------------------+---------------------------------------------------------------+
Copy

Step 2: Verify Existing IDP Configuration:

Use the following commands to check the current IDP state (replace [IDP1_VALUE] with actual identity provider name):

Command
    
 
$ openstack mapping list$ openstack identity provider show <IDP1_VALUE> --fit-width$ openstack federation protocol list --identity-provider <IDP1_VALUE>$ openstack federation protocol show saml2 --identity-provider <IDP1_VALUE>$ openstack group list$ openstack group show <GROUP_ID>
Copy

Run these commands to review and confirm the existing identity provider (IDP) configuration including its details, associated federation protocols, mappings, and any related OpenStack groups. This step ensures that you are deleting the correct identity provider and do not accidentally remove configurations that may be used by other SSO integrations, mappings, or user groups. Proceed with deletion only if you are certain that the information shown matches the identity provider you intend to remove.

Resolution

Delete the stale identity provider using the below Openstack command:

Command
    
 
$ openstack identity provider delete <IDP1_VALUE>
Copy

Validation

After deleting the identity provider, refresh the PCD UI and reconfigure SSO with the desired entity ID.

Additional Information

A potential fix is planed for the August release and is tracked under PCD-3227. If these steps prove insufficient to resolve the issue, reach out to the Platform9 Support Team for additional assistance.

Last updated on

Was this page helpful?