# SSO Disabled Post Management Plane Upgrade

## Problem

* SSO appears disabled in the UI after upgrading the PCD management plane, but the backend SSO configuration is functioning correctly.

## Environment

* Private Cloud Director - up to v2026.6-159
* Self-Hosted Private Cloud Director - up to v2026.6-159
* Component: SSO

## Cause

* After upgrading from the FEB release to the APR release, the **"Enable SSO"** flag appears **disabled** in the Enterprise SSO UI section, even though SSO is actually configured and functional (e.g., SAML group details are visible).
* The issue occurs because the **signing attribute** is not included when the SSO config is created, and fetching it later from Consul fails. As a result, the UI treats the SSO setup as incomplete and displays the **"Enable SSO"** flag as **disabled**. The bug was tracked in PCD-2029 and is fixed in releases **v2025.7-47 and above**.

## Diagnostics

* After upgrading the PCD management plane, navigate to Settings > Enterprise SSO in the user interface. SSO is shown as disabled following the upgrade.

![](https://uploads.developerhub.io/prod/K9yg/ihk3au0jbp3s50hxswh5zme9ire8zhbjm7nijamwqk0zureg8gnzsl3g9d7649n6.png)

## Workaround

{% hint style="info" %}
For PCD (SaaS) users, the Platform9 support team will apply the steps below. Please open a [Support Ticket](https://support.platform9.com/hc/en-us).

For Self-Hosted PCD users, perform the steps below from the management plane cluster.
{% endhint %}

1. Install the Consul CLI; refer to this [documentation](https://developer.hashicorp.com/consul/install).
2. Get the `hagrid` deployment configuration.

```bash
$ kubectl get deploy/hagrid -o yaml -n <INFRA_REGION_NAMESPACE> > hagrid-deployment.yaml
```

3. Search inside the `hagrid-deployment.yaml` file for the variables below.
   1. `CONSUL_HTTP_ADDR`
   2. `CONSUL_HTTP_TOKEN`
   3. `CUSTOMER_ID`
4. Export the values into the current shell session.

```bash
export CONSUL_HTTP_ADDR="<CONSUL_HTTP_ADDR_FROM_HAGRID_CONFIG>"
export CONSUL_HTTP_TOKEN="<CONSUL_HTTP_TOKEN_FROM_HAGRID_CONFIG>"
export CUSTOMER_ID="<CUSTOMER_ID_FROM_HAGRID_CONFIG>"
```

5. Once the environment is configured, run the following command to store the signing flag.

```bash
$ consul kv put customers/$CUSTOMER_ID/keystone/sso/saml2/IDP1/signing false
```
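A guarded form of steps 4 and 5, added here as an example and not Platform9's own tooling: it refuses to write when a variable is empty or still holds placeholder text, leaves an existing value untouched, and reads the flag back after writing. The function names and the `--apply` switch are illustrative; the variable name `CUSTOMER_ID` follows the command in step 5, and the only external calls are `consul kv get` and `consul kv put`.

```bash
#!/bin/sh
# Added example: guarded version of the workaround. Function names are illustrative.

# Print the signing-flag KV path for a customer ID, or fail.
# Rejects empty values, unfilled <PLACEHOLDER> text, slashes and spaces,
# so a mistyped variable cannot yield "customers//keystone/...".
signing_key_path() (
  id="${1:-}"
  case "$id" in
    ""|*"<"*|*">"*|*/*|*" "*) exit 1 ;;
  esac
  printf 'customers/%s/keystone/sso/saml2/IDP1/signing\n' "$id"
)

# Fail if any variable the consul CLI or the key path needs is empty.
check_env() (
  rc=0
  [ -n "${CONSUL_HTTP_ADDR:-}" ]  || { echo "CONSUL_HTTP_ADDR is not set" >&2; rc=1; }
  [ -n "${CONSUL_HTTP_TOKEN:-}" ] || { echo "CONSUL_HTTP_TOKEN is not set" >&2; rc=1; }
  [ -n "${CUSTOMER_ID:-}" ]       || { echo "CUSTOMER_ID is not set" >&2; rc=1; }
  exit "$rc"
)

# Write the flag only if the key is absent, then read it back to confirm.
apply_signing_flag() {
  check_env || return 1
  key=$(signing_key_path "$CUSTOMER_ID") || { echo "invalid CUSTOMER_ID" >&2; return 1; }
  if current=$(consul kv get "$key" 2>/dev/null); then
    echo "$key already set to '$current'; leaving it unchanged" >&2
    return 0
  fi
  consul kv put "$key" false || return 1
  [ "$(consul kv get "$key")" = "false" ]
}

# Run only when asked, so loading the file has no side effects.
if [ "${1:-}" = "--apply" ]; then
  apply_signing_flag
  exit $?
fi
```

Afterwards, delete `hagrid-deployment.yaml` and run `unset CONSUL_HTTP_TOKEN` in the shell, since both hold the Consul token taken from the `hagrid` configuration.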

## Validation

* Navigate to Settings > Enterprise SSO in the user interface. The SSO feature will be enabled.

![](https://uploads.developerhub.io/prod/K9yg/9v3xymhcimgyccctczh0p1daylcsglfl3i1o010renfikid0hidbusdu3fmtuzcz.png)


