Unable to Reconfigure SSO in PCD UI Using the Same Entity ID

Problem

After disabling SSO in the Platform9 PCD UI, attempting to reconfigure SSO with the same entity ID is not allowed. The UI displays an error "Identity provider already exists" or does not permit using the previous entity ID for SSO setup.

Environment

Private Cloud Director Virtualization - till 2025.7-47
Private Cloud Director Kubernetes – till 2025.7-47
Self-Hosted Private Cloud Director Virtualization - till 2025.7-47
Self-Hosted Private Cloud Director Kubernetes - till 2025.7-47
Component - SSO

Cause

Disabling SSO from the PCD UI removes the SSO settings from the backend service (Consul) but does not delete the Identity Provider (IDP) object from OpenStack. This means the entity ID stays in OpenStack, stopping reuse during reconfiguration.

This was a known issue which is tracked under PCD-3227 and is now fixed starting with the August release (v2025.8-92) and higher.

Diagnostics

To allow SSO to be reconfigured with the same entity ID

Step 1: List existing identity provider:

$ openstack identity provider list

+---------------------+---------------------------------------------------------------+
| Field               | Value                                                         |
+---------------------+---------------------------------------------------------------+
| authorization_ttl   | None                                                          |
| description         | None                                                          |
| domain_id           | default                                                       |
| enabled             | True                                                          |
| id                  | [IDP1_VALUE]                                                  |
| remote_ids          | https://[URL]                                                 |
+---------------------+---------------------------------------------------------------+

Step 2: Verify Existing IDP Configuration:

Use the following commands to check the current IDP state (replace <IDP1_VALUE> with the actual identity provider name):

$ openstack mapping list
$ openstack identity provider show <IDP1_VALUE> --fit-width
$ openstack federation protocol list --identity-provider <IDP1_VALUE>
$ openstack federation protocol show saml2 --identity-provider <IDP1_VALUE>
$ openstack group list
$ openstack group show <GROUP_ID>

Run these commands to review and confirm the existing identity provider (IDP) configuration including its details, associated federation protocols, mappings, and any related OpenStack groups.

The above step is to ensure that you are deleting the correct identity provider and do not accidentally remove configurations that may be used by other SSO integrations, mappings, or user groups. Proceed with deletion only if you are certain that the information shown matches the identity provider you intend to remove.

Workaround

Delete the stale identity provider using the below Openstack command:

$ openstack identity provider delete <IDP1_VALUE>

Validation

After deleting the identity provider, refresh the PCD UI and reconfigure SSO with the desired entity ID.

PreviousDemystifying Deauthorization and Decommisioning of PCD Hosts NextSSO Disabled Post Management Plane Upgrade

Last updated 1 month ago

Good evening

hashtagProblem

hashtagEnvironment

hashtagCause

hashtagDiagnostics

hashtagWorkaround