Internal only. This page is for Juno support staff. For user-facing guidance, see Login Issues.
SSO architecture overview
Juno supports SAML 2.0 SSO via Firebase Authentication's SAML provider. The flow:
tenantId scoped)
SAML config fields
Found in Admin → Integrations → SSO (visible to Super Admins only):

| Field | Description | Common mistake |
|---|---|---|
| entryPoint | IdP SSO URL (where Firebase sends the auth request) | Trailing slash or wrong URL from IdP metadata |
| cert | IdP signing certificate (PEM, without headers) | Expired cert, headers included, or copied with whitespace |
| issuer | SP entity ID (Juno's identifier, sent to IdP) | Must match exactly what's configured in IdP |
| callbackUrl | ACS URL (where IdP sends the SAML assertion back) | Must be the Firebase auth handler URL for this tenant |
| logoutUrl | IdP logout URL (optional) | Wrong URL causes broken logout, not login failure |
| attributesMapping | Maps IdP attributes → Juno fields | Mismatch here = user created with wrong email/name |
Diagnosis flow
Step 1 — Enable SAML assertion logging
In the tenant's Firebase configuration, temporarily enable:
logProfile = true
Step 2 — Check the SAML assertion
In the log output, confirm:
- The assertion is being received (if nothing is logged → the assertion never reached Firebase)
- NameID or the mapped email attribute is present and correct
- The assertion is not expired (NotOnOrAfter timestamp)
- The signing certificate in the assertion matches the cert in Juno's config
Step 3 — Check attribute mapping
The attributesMapping must map IdP attributes to Juno's expected fields (email, first name, last name); failure mode B below describes how to find the actual attribute URIs the IdP sends.
Step 4 — Check the tenant ID
The tenant ID in Juno's SSO config must exactly match the Firebase tenant ID and the org slug in MongoDB. A mismatch causes Firebase to reject the SAML response.
Common failure modes
A: User redirected to IdP, then returned to error page
Likely cause: Certificate mismatch or expired certificate.
- Download the current IdP metadata XML
- Extract the signing certificate
- Compare with what's in Juno's SAML cert field (strip PEM headers before comparing)
- Update Juno's cert field if different
B: Login succeeds but user has wrong name/email in Juno
Likely cause: attributesMapping misconfigured.
- Enable logProfile = true and attempt login
- In the SAML assertion log, find the actual attribute URIs for email, first name, last name
- Update attributesMapping in Juno to match the actual URIs
C: Some users log in fine; others get errors
Likely cause: IdP is not provisioning all users in the same way, or some users have non-standard attribute values (e.g. missing first name).
- Compare a working user's SAML assertion with a failing user's
- Look for missing or differently-formatted attributes
- Adjust attribute mapping or coordinate with customer's IdP admin
D: SSO was working, suddenly stopped
Most likely causes:
- IdP signing certificate expired → customer needs to update cert in their IdP and provide new cert to Juno
- Customer changed IdP configuration without notifying Juno → request updated metadata
- Firebase tenant got a config update that wiped the SAML settings → restore from backup or re-enter
Email domain auto-signup
If the tenant has allowedEmailDomains configured, any user with a matching email domain who successfully authenticates via SSO is automatically provisioned in Juno with the default role (Learner).
This means a misconfigured SAML attribute mapping that maps a non-email value to the email field can create corrupt user records. Check for junk user accounts if this is suspected.
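The attribute-mapping checks from Step 3 and failure modes B and C, together with the allowedEmailDomains auto-signup rule above, as an added example that is not Juno's code. The attribute dicts, the Juno field names (email, firstName, lastName), the claim URIs and the mapping direction (IdP attribute URI → Juno field, as in the field table) are assumptions. Where the page notes that a non-email value mapped to the email field would create a corrupt record, this checker refuses to provision and reports why; a missing optional attribute (failure mode C) is reported as a problem alongside the decision rather than treated as an error.

```python
# Added example (not Juno's code): apply an attributesMapping to attribute values
# taken from a logged assertion, then decide whether the allowedEmailDomains
# auto-signup rule would provision the user. URIs and field names are assumptions.
import re

EMAIL_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVEN_NAME_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# attributesMapping direction as in the field table: IdP attribute URI -> Juno field.
GOOD_MAPPING = {EMAIL_URI: "email", GIVEN_NAME_URI: "firstName", SURNAME_URI: "lastName"}
# Failure mode B and the auto-signup warning: the given-name claim is mapped to email.
BAD_MAPPING = {GIVEN_NAME_URI: "email", EMAIL_URI: "firstName", SURNAME_URI: "lastName"}

# Constructed attribute values, shaped like a parsed AttributeStatement (URI -> values).
WORKING_USER = {EMAIL_URI: ["jane.doe@example.test"], GIVEN_NAME_URI: ["Jane"], SURNAME_URI: ["Doe"]}
FAILING_USER = {EMAIL_URI: ["sam.roe@example.test"], SURNAME_URI: ["Roe"]}  # no given name (failure mode C)
ALLOWED_DOMAINS = ["example.test"]  # the tenant's constructed allowedEmailDomains

# Deliberately strict: one local part, one @, a dotted domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def apply_mapping(attributes: dict, mapping: dict) -> tuple:
    """Build the Juno profile from mapped attributes; report every mapped URI the assertion lacks."""
    profile, problems = {}, []
    for uri, field in mapping.items():
        values = attributes.get(uri) or []
        profile[field] = values[0].strip() if values and values[0] else None
        if profile[field] is None:
            problems.append(f"{field}: mapped attribute {uri} missing or empty in assertion")
    return profile, problems


def provisioning_decision(profile: dict, allowed_domains, default_role: str = "Learner") -> dict:
    """Mirror the auto-signup rule: only a real email on an allowed domain creates a user."""
    email = profile.get("email")
    if not email:
        return {"action": "reject", "reason": "no email mapped from assertion"}
    match = EMAIL_RE.match(email)
    if not match:
        # The junk-record case: a non-email value landed in the email field.
        return {"action": "reject", "reason": f"mapped email value is not an email: {email!r}"}
    domain = match.group(1).lower()
    if domain not in {d.lower() for d in allowed_domains}:
        return {"action": "reject", "reason": f"domain {domain} not in allowedEmailDomains"}
    return {"action": "provision", "role": default_role, "email": email.lower()}


def evaluate_login(attributes: dict, mapping: dict, allowed_domains, default_role: str = "Learner") -> dict:
    """One call per user: mapping problems are returned alongside the decision."""
    profile, problems = apply_mapping(attributes, mapping)
    decision = provisioning_decision(profile, allowed_domains, default_role)
    decision["profile"] = profile
    decision["problems"] = problems
    return decision


if __name__ == "__main__":
    for label, attrs, mapping in (("working user", WORKING_USER, GOOD_MAPPING),
                                  ("user missing first name", FAILING_USER, GOOD_MAPPING),
                                  ("swapped mapping", WORKING_USER, BAD_MAPPING)):
        print(label, evaluate_login(attrs, mapping, ALLOWED_DOMAINS))
```

Running the working and failing user through the same mapping is the failure mode C comparison: the profiles differ only in the problems list, which names the attribute the IdP did not send. Running a working user through the swapped mapping is the failure mode B case, and the rejection reason quotes the value that would otherwise have become the account's email.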
Disable SSO (emergency)
If SSO is completely broken and an admin needs access:
- Super Admin or Juno support (level 3+) can disable the SAML provider in Firebase for the tenant
- Admins can then log in via email/password temporarily
- Fix the SAML config, re-enable it, and test with a non-admin account before re-enabling for all users