SSO Troubleshooting Guide

Last updated: April 9, 2026

This article covers common issues encountered when setting up or using SSO with the Paxos Dashboard. If your issue is not listed here, contact support@paxos.com with your error details and browser console output.

403 Forbidden after login (within the Dashboard)

This almost always means one of the following:

  • Your IdP is not sending a groups attribute in the SAML assertion or OIDC token — verify your attribute/scope mappings include groups

  • The user is not a member of any group in your IdP

  • Role mappings have not been configured yet — an Org Admin must log in and set up mappings first (see First Login & Role Mapping)

Okta users: ensure the groups scope is enabled in your Okta default authorization server — see Okta's support article.

SAML error: "No SingleSignOn Http redirect binding location found in metadata"

Your SAML metadata file only includes the HTTP-POST binding. Configure your IdP to also support the HTTP-Redirect binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect), then regenerate the metadata file.
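To confirm which bindings a metadata file actually advertises before uploading it again, the check below lists every SingleSignOnService endpoint and reports whether HTTP-Redirect is among them. This is an added example, not Paxos or IdP vendor code; the sample metadata and the idp.example.com URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def sso_endpoints(metadata_xml):
    """Return (binding, location) for each SingleSignOnService under an IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    path = f".//{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleSignOnService"
    return [(el.get("Binding"), el.get("Location")) for el in root.findall(path)]


def has_redirect_binding(metadata_xml):
    """True if at least one SSO endpoint uses HTTP-Redirect and has a Location."""
    return any(b == REDIRECT and loc for b, loc in sso_endpoints(metadata_xml))


def sample_metadata(bindings):
    """Build constructed IdP metadata advertising the given bindings."""
    services = "".join(
        f'<md:SingleSignOnService Binding="{b}" Location="https://idp.example.com/sso"/>'
        for b in bindings
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.com">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{services}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


POST_ONLY = sample_metadata([POST])  # constructed: reproduces the error condition
POST_AND_REDIRECT = sample_metadata([POST, REDIRECT])  # constructed: corrected metadata

if __name__ == "__main__":
    for name, xml in (("post-only", POST_ONLY), ("post+redirect", POST_AND_REDIRECT)):
        for binding, location in sso_endpoints(xml):
            print(f"{name}: {binding} -> {location}")
        print(f"{name}: HTTP-Redirect present = {has_redirect_binding(xml)}")
```

To check a real file, pass its contents to has_redirect_binding; only run this against metadata exported from your own IdP.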

Still stuck?

Contact support with your error details and browser console output.