SSO got Disabled Post Management Plane Upgrade

Problem

• SSO appears disabled in the UI after upgrading the PCD management plane, but the backend SSO configuration is functioning correctly.

Environment

• Private Cloud Director - v2025.4 and v2025.6
• Self-Hosted Private Cloud Director - v2025.4 and v2025.6
• SSO

Cause

• The issue happened due to a bug (PCD-2029). After upgrading from the FEB release to the APR release, the "Enable SSO" flag appears disabled in the Enterprise SSO UI section, even though SSO is actually configured and functional (e.g., SAML group details are visible).
• The issue occurs because the signing attribute is not included when creating the SSO config, and fetching it later from Consul fails. As a result, the UI treats the SSO setup as incomplete and displays the "Enable SSO" flag as disabled. The bug is now fixed with v2025.7 release.

Diagnostics

• After upgrading the PCD management plane, navigate to Settings > Enterprise SSO in the user interface. The SSO feature will be disabled following the upgrade.

Workaround

1. Install consul CLI, refer this documentation.
2. Get hagrid deployment configuration.

$ kubectl get deploy/hagrid -o yaml -n <INFRA_REGION_NAMESPACE> > hagrid-deployment.yaml

3. Search inside the hagrid-deployment.yaml file for below variables.

   1. CONSUL_HTTP_ADDR
   2. CONSUL_HTTP_TOKEN
   3. CUSTMOR_ID

4. Export values into current shell session.

export CONSUL_HTTP_ADDR="<CONSUL_HTTP_ADDR_FROM_HAGRID_CONFIG>" 

export CONSUL_HTTP_TOKEN="<CONSUL_HTTP_TOKEN_FROM_HAGRID_CONFIG>" 

export CUSTMOR_ID="<CUSTMOR_ID_FROM_HAGRID_CONFIG>"

5. Once the environment is configured, run the following command to store the signing flag.

$ consul kv put customers/$CUSTOMER_ID/keystone/sso/saml2/IDP1/signing false

Validation

• Navigate to Settings > Enterprise SSO in the user interface. The SSO feature will be enabled.