Single Sign-On FAQ
Search this FAQ section to see if you find an answer to your question. If you cannot find the right answer, please contact our support team at [email protected].
Help! SSO is broken! I can’t get into Collibra!
Even though you seem to be locked out of Collibra Platform, you can always gain access by using a Collibra local account. Change the address of the page that you are visiting so that it ends with /signin (so: https://<your instance>/signin).
A generic username/password form is displayed. You can only use accounts that have been created in Collibra itself.
Once you have regained access to your instance, you can try to figure out what exactly went wrong. To resolve any problems, you can start by retrieving the log files, and analyzing them. If something went wrong with the SAML authentication flow, some error will show up in these log files.
For more information about logging, see Logging.
I'm getting the "SAML authentication failed. Please contact your Administrator for more information." error, but nothing wrong shows up in the log
Most likely, this is because you are trying to sign in without global application permissions.
In most cases, you will want to use the Everyone group to assign application permissions to everybody, including new users and guest users. To do this, sign in manually through the sign-in page with an admin account. Then navigate to Settings > Roles, and assign the Everyone group to the appropriate global roles. For more details, see Collibra Console roles and Responsibilities.
In the cloud environment, when do we require a restart of the instance if we changed something?
A restart of the environment can be requested when:
- Your initial configuration has been done, and the SAML metadata file has been provisioned by uploading it.
To help you decide whether a restart is needed, note that the following are reloaded automatically:
- The SAML metadata file is reloaded every 2 hours. The next reload point is mentioned in the log file.
- All configuration.xml changes are reloaded on every SAML Response (meaning that Collibra always uses the current settings in configuration.xml).
You can request a restart of your cloud instance by contacting our support team at [email protected].
How do I upload my SAML metadata file to a cloud instance?
If your environment is using a cloud instance of Collibra, the only supported mode of SSO is SAML with attribute sync.
To upload the SAML metadata file to your environment, see Upload a SAML metadata file.
How can I use SSO with SAML to assign groups/roles automatically to users?
In the SAML documentation, you can read how to set the attributes that Collibra expects. One of these attributes allows the IDP to send group information.
If you set the Group attribute to user.group, Collibra then parses the SAML Response to look for the user.group attribute. This attribute has to be a comma-separated list of groups to which this user has to be added.
Groups that do not exist are created just in time. Users that are no longer part of a group according to this list are removed from that group.
Any groups that are empty after this operation are also removed.
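The following is an added illustration of the group-sync rules described above (create missing groups just in time, add the user to the listed groups, remove the user from all others, delete groups left empty); it is not Collibra's own code. Group names, user names and the user.group value are constructed sample data, and the empty-attribute case shows why a user can end up in no groups at all.

```python
# Added illustration of the group-sync behaviour this FAQ describes; it is not
# Collibra's own code. All names below are constructed sample data.

def parse_group_attribute(value):
    """Split the comma-separated 'user.group' attribute value into a set of group names."""
    return {g.strip() for g in value.split(",") if g.strip()}


def sync_groups(groups, username, attribute_value):
    """Apply the FAQ's rules to `groups` (dict: group name -> set of members)
    in place and return a summary of what changed.

    - groups named in the attribute that do not exist are created (just in time)
    - the user is added to every named group
    - the user is removed from every group that is not named
    - groups left empty afterwards are deleted
    """
    wanted = parse_group_attribute(attribute_value)
    created = sorted(g for g in wanted if g not in groups)
    for g in created:
        groups[g] = set()
    for g in wanted:
        groups[g].add(username)
    removed_from = sorted(g for g, members in groups.items()
                          if g not in wanted and username in members)
    for g in removed_from:
        groups[g].discard(username)
    deleted = sorted(g for g, members in groups.items() if not members)
    for g in deleted:
        del groups[g]
    return {"created": created, "removed_from": removed_from, "deleted": deleted}


# Constructed example: group state before "alice" signs in through SSO.
SAMPLE_GROUPS = {
    "data-stewards": {"alice", "bob"},
    "legacy-team": {"alice"},          # alice is its only member
    "reviewers": {"carol"},
}
SAMPLE_ATTRIBUTE = "data-stewards, analysts"  # user.group value sent by the IDP

if __name__ == "__main__":
    state = {g: set(m) for g, m in SAMPLE_GROUPS.items()}
    print(sync_groups(state, "alice", SAMPLE_ATTRIBUTE))
    print(state)
    # An absent or empty attribute strips alice from every group:
    state = {g: set(m) for g, m in SAMPLE_GROUPS.items()}
    print(sync_groups(state, "alice", ""))
```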
Why is my Collibra user account removed from all groups when I log in with SSO?
In the context of group management, even if the Group attribute is not set, Collibra still assumes that you are trying to manage the groups from your IDP.
This question implies that you wish to use group management in Collibra itself. Set the option Groups DGC managed in Security configuration > SSO to True. Collibra then always assumes that group management is performed in Collibra itself.
Why is a new profile created each time I log in to Collibra?
Profiles are created when the username in the assertion is not yet found in the database.
You will notice that there is no <username> attribute linked. This is because the value Collibra uses to create and check usernames is actually the value of the nameid field in the SAML Response.
This field is governed by the SAML specification and makes it possible to ensure that the value is not Personally Identifiable Information (PII). The default nameid format used by Collibra is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
The problem with profiles being regenerated on every sign-on always has to do with this nameid. In some cases, the nameid is overridden by the IDP to be a random value, causing a user to be created many times. At other times, the IDP does not properly support our default nameid-format.
To fix this problem, first talk to your IDP team to find out whether the IDP indeed supports urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. If it cannot support this at all, Collibra can override the nameid-format used in the SAML Request.
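Before asking your IDP team, it helps to look at what the IDP actually sends. The following added diagnostic (not Collibra's code) reads the NameID and its Format from a captured SAML Response, reports when the format is not the persistent one Collibra expects, and compares the NameID values of two sign-ons, since a value that changes between sign-ons is exactly what produces a new profile each time. The sample responses are constructed, minimal and unsigned.

```python
import xml.etree.ElementTree as ET

# Added diagnostic for the nameid problem this FAQ describes; it is not
# Collibra's own code. Sample responses are constructed, unsigned and minimal.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def extract_nameid(response_xml):
    """Return (value, format) of the NameID in the Response's Subject, or (None, None)."""
    root = ET.fromstring(response_xml)
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        return None, None
    # SAML Core: a NameID without a Format attribute is "unspecified".
    return (nameid.text or "").strip(), nameid.get("Format", UNSPECIFIED)


def diagnose_nameid(response_xml, expected_format=PERSISTENT):
    """Say whether this NameID will keep mapping to a single Collibra profile."""
    value, fmt = extract_nameid(response_xml)
    if value is None:
        return "no NameID in Subject: Collibra has nothing to match a username on"
    if fmt != expected_format:
        return (f"nameid-format is {fmt}, not {expected_format}: "
                "each sign-on may carry a new value, creating a new profile")
    return f"ok: persistent nameid {value!r}"


def same_subject(response_a, response_b):
    """True when two sign-ons carry the same NameID value (so the same profile)."""
    return extract_nameid(response_a)[0] == extract_nameid(response_b)[0]


def sample_response(fmt, value):
    """Build a constructed, minimal (unsigned) SAML Response; fmt=None omits Format."""
    fmt_attr = f' Format="{fmt}"' if fmt else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            'ID="_r1" Version="2.0"><saml:Assertion ID="_a1" Version="2.0">'
            '<saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>'
            f'<saml:Subject><saml:NameID{fmt_attr}>{value}</saml:NameID></saml:Subject>'
            '</saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    print(diagnose_nameid(sample_response(PERSISTENT, "c0ffee-1234")))
    print(diagnose_nameid(sample_response(TRANSIENT, "_5fd2c1e9")))
    print(same_subject(sample_response(TRANSIENT, "_5fd2c1e9"),
                       sample_response(TRANSIENT, "_9a11b077")))  # False
```

Run it against two consecutive responses captured from the log files: a persistent format with a stable value is the healthy case, while a transient format or a value that differs between the two captures points at the IDP configuration.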
Warning: Overriding the nameid-format is an advanced feature. If you choose to use it, the consequences are your own responsibility.
If you still want to override the nameid-format, add the following tag in the <saml> section of the configuration.xml:
<force-nameid>Your fully qualified nameid-format</force-nameid>
Collibra expects you to provide the full string that describes the nameid that you want to use.