Indeed those Page access warnings can be looked at at a later time. Do note that your admin role needs to be able to configure MxModelreflection to adjust the synchronized modules of your app. And for the SAML module your admin needs to be able to get to the setup and log pages.
Now for the main questions. Mendix login is still available. It needs to be because your admin should still be able to log in even if SSO is not working. If you go to a slightly adjusted URL you will be directly redirected to the login page of that IdP setting: https://youarapp.mendixcloud.com/SSO/login?_idp_id=yourIdPsetupName
You could also put a button on your login page that directs to this page. This way your users do not need to remember this URL and can just press the SSO button. If you have a multi-tenant setup like we do, we first request the account of the user so we can retrieve the right IdP setting and redirect him to the right URL or give a message back that no SSO setting can be found for his account.
Hope this helps,
Regards,
Ronald
[EDIT]
Did you set all the Path based access restrictions?
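The multi-tenant lookup described in the answer above, sketched as an added example (not code from the original post or from the SAML module). The host, the tenant table, the alias character set and the function names `ssoLoginUrl` and `resolveSsoRedirect` are assumptions; only the `/SSO/login?_idp_id=` URL shape comes from the thread.

```javascript
// Added example: host, tenant table and function names are constructed placeholders.
const APP_ORIGIN = "https://app.example.test"; // placeholder for your app's own host

// Constructed sample data: e-mail domain -> IdP configuration name in the SAML setup.
const TENANT_IDP = new Map([
  ["example.com", "ExampleCorpIdP"],
  ["example.org", "ExampleOrgIdP"],
]);

// Assumption: IdP names use a conservative character set, so a bad record can
// never smuggle an extra query parameter or a path into the redirect.
const ALIAS_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

function ssoLoginUrl(idpAlias) {
  if (!ALIAS_PATTERN.test(idpAlias)) {
    throw new Error("invalid IdP alias");
  }
  // The origin is fixed in code and never taken from user input, so the
  // login button cannot be turned into a redirect to another site.
  const url = new URL("/SSO/login", APP_ORIGIN);
  url.searchParams.set("_idp_id", idpAlias); // value is percent-encoded here
  return url.toString();
}

function resolveSsoRedirect(accountName) {
  const name = String(accountName ?? "").trim().toLowerCase();
  const at = name.lastIndexOf("@");
  if (at <= 0 || at === name.length - 1) {
    return { ok: false, message: "Please enter your full account name." };
  }
  const alias = TENANT_IDP.get(name.slice(at + 1));
  if (alias === undefined) {
    // Same outcome the answer describes: tell the user no SSO setting exists.
    return { ok: false, message: "No SSO setting found for this account." };
  }
  return { ok: true, url: ssoLoginUrl(alias) };
}
```

The regular Mendix login stays reachable for the admin either way; this only decides where the SSO button sends a given user.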
Ronald,
The only successful request that I could get from the /SSO/ handler was /SSO/metadata. All other requests, inclusive of /SSO/login or /SSO/loin/SSO/ or /SSO/discovery, all yield the “Unable to validate the SAML message!” page:
Surely this is a symptom of something missing (again, /SSO/metadata is working). Any idea?
Thanks!
I was testing the app in the cloud (Free App sandbox), as I read somewhere that the SAML SSO works only from the cloud. Now in order to see some errors in the console log, I ran the app locally, and on the invocation of /SSO/ here is what I’ve got:
Unable to validate Response, see SAMLRequest overview for detailed response. Error: SAML hasn't been correctly initialize. Please restart the SAML handler.
--------
org.opensaml.common.SAMLException: SAML hasn't been correctly initialize. Please restart the SAML handler.
at saml20.implementation.LoginHandler.handleRequest(LoginHandler.java:37)
at saml20.implementation.SAMLRequestHandler.processRequest(SAMLRequestHandler.java:164)
at com.mendix.externalinterface.connector.RequestHandler.doProcessRequest(RequestHandler.java:40)
at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:76)
at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:73)
at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:32)
at com.mendix.external.connector.MxRuntimeConnector.processRequest(MxRuntimeConnector.java:79)
at com.mendix.basis.impl.MxRuntimeImpl.processRequest(MxRuntimeImpl.java:937)
at com.mendix.m2ee.appcontainer.server.handler.RuntimeHandler.service(RuntimeHandler.java:42)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:867)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1588)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1557)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:502)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.base/java.lang.Thread.run(Thread.java:834)
To get to the IDP login page, you usually go to /SSO/. Does that work for you?
The documentation discusses this in more detail – see the bit specifically about the SSOLandingPage setting and configuring your index.html file to auto-redirect to the SSO process.