Setting up SSO can be a little tricky and, while getting things going, you might encounter an error message or two along the way.
Take a look at the links below to see an overview of each message and how you can resolve them:
'Name ID not included in the configured whitelist'
If you're seeing this error, then the issue is that the domain being sent through to Skedda by your Identity Provider (IdP), via the 'Name ID' value, hasn't been included in the configured whitelist for your venue account on Skedda's side. In order to solve this one, make sure that the account you're using to test the SSO login actually has the 'Name ID' that was whitelisted for your Skedda venue account.
If you've confirmed that this is the case, and you're still encountering this error message, please reach out to us at Skedda. Our Dev team will take a look 'under the hood' to give us a better idea of what needs to be done!
'The domain of your email address is not included in the configured whitelist'
If you see this error message when attempting to log in via SSO, then it simply means that the email domain with which you're attempting to authenticate isn't actually added to the whitelist for your venue account yet. Please reach out to the Skedda team with a request to whitelist the specific email domain you're using, and we'll walk you through the next steps!
'The 'Name Id' that your IdP gave us for your authentication doesn't look like an email address'
When using SSO with Skedda, the 'NameId' value that your IdP provides to us must be an actual email address, not a random string - like 12345, for example. While this error isn't particularly common, your IdP may give you the ability to choose which 'NameId' format you want to use. In that case, you need to select the <email address> 'NameId' format, in order to send across the correct value to Skedda. Have your administrator reach out to us if they get stuck while making this change!
'We were unable to obtain your email address from your SSO provider'
In this error case, Skedda is missing your email address completely. The cause behind this is incorrect attribute mapping in your Skedda-app setup in your IdP, for your 'Email' attribute. The attribute named:
... Needs to be linked to (contain) the email address of the user attempting to authenticate. Let us know if you need help adjusting this!
'We didn't get all the necessary information from your SSO provider'
In this case, the issue lies with incorrect attribute mapping for either your 'First name' or 'Last name' attributes, or both. The attribute named:
... Needs to be linked to (contain) the first name of the user. And, the attribute named:
... Needs to be linked to (contain) the surname of the user. Let us know if you need help adjusting this!
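The 'Name ID' and attribute-mapping errors above can be checked locally against a SAMLResponse captured from your own test login (for example, from the browser's developer tools). The Python below is an added example, not Skedda's code; it assumes the HTTP-POST binding (plain base64), and the attribute names and sample response are constructed placeholders, so substitute the names shown in your own Skedda SSO settings.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

def triage_saml_response(b64_response, allowed_domains, required_attrs):
    """Findings for a base64 SAMLResponse from your own test login (signature not checked)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    match = EMAIL_RE.match(value)
    if not match:
        findings.append(f"NameID {value!r} is not an email address")
    elif match.group(1).lower() not in {d.lower() for d in allowed_domains}:
        findings.append(f"NameID domain {match.group(1)!r} is not in the whitelist")
    # Only count attributes that carry a non-empty value.
    present = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        if any((v.text or "").strip() for v in values):
            present.add(attr.get("Name"))
    for name in required_attrs:
        if name not in present:
            findings.append(f"attribute {name!r} is missing or empty")
    return findings

# Constructed sample: NameID is an opaque ID and the surname attribute is unmapped.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">12345</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="EMAIL_ATTR"><saml:AttributeValue>pat@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FIRST_NAME_ATTR"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
# Placeholder attribute names (hypothetical); use the ones from your Skedda SSO settings.
REQUIRED = ["EMAIL_ATTR", "FIRST_NAME_ATTR", "LAST_NAME_ATTR"]

if __name__ == "__main__":
    for finding in triage_saml_response(SAMPLE_B64, ["example.com"], REQUIRED):
        print(finding)
```

An empty result means the response carries an email-format 'Name ID' on a whitelisted domain and every required attribute has a value; the check does not replace the signature and certificate validation that Skedda performs.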
'There was an unexpected problem with your SSO login'
There are a number of possible causes behind this error message, specifically:
Possible cause 1: SSO is not enabled on the Skedda side
Enable it! You can do this from your SSO settings page:
Possible cause 2: Certificate incorrect
This is the certificate that you paste into the 'IDENTITY PROVIDER CERTIFICATE PUBLIC KEY' field in your Skedda SSO settings. If you're seeing this error message, it's possible that the certificate you've provided for this field is incorrect. Take a second look at it, and feel free to reach out to us if you need any help!
Possible cause 3: IdP-initiated login without “relay state” value configured
If you're attempting to log in to Skedda from within your IdP (Identity Provider), and you're seeing the above error message, then the likely cause is that you're missing your venue's 'Relay State' value in your IdP's configuration for Skedda. Add that value into the appropriate field in your IdP's Skedda-app, and you should be sorted!
Possible cause 4: Incorrect ACS URL
When configuring the value for your 'Reply URL (ACS URL)' from within your IdP (Identity Provider), you need to be sure to paste in only the value:
... Into the relevant field. Any other value will produce the error message you've encountered!
Possible cause 5: Incorrect Entity ID
If your 'Entity ID' value is configured incorrectly from within your IdP, or it doesn't match up with the 'Entity ID' value you subsequently provide within your Skedda SSO settings, you'll also see this error message come up! We've seen this issue come up more commonly for JumpCloud integrations, but it's worth checking this, no matter your IdP, and letting us know if you get stuck!
Possible cause 6: Expired public certificate key
Part of IdP security protocol is to set an expiry date for the public certificate key that you supply to outside service providers (like Skedda), so that access across your applications in your IdP is protected. When your certificate expires in your IdP, you will no longer be able to authenticate via SSO for the apps that you've configured for SSO access.
If you're able to ask your IT team to confirm whether your certificate has expired/rolled over, you'll be able to either replace the former certificate value in Skedda, or rule this out as a potential cause of the Skedda error message you've seen!
'The ACS/Reply-To URL of your Single Sign-On request is incorrect'
Similar to the 'Possible cause 4' point from the previous error message, this message indicates that the value you have supplied in your IdP as the 'ACS URL' for your Skedda-app is incorrect. Take another look to see that you've copied the correct value over from Skedda exactly, and let us know if the issue persists beyond this point!
'Your login was successful, but to continue we just need you to click on the link in the email we've now sent you.'
If you're seeing this message, then, good news! Your SSO configuration appears to be working! You just need to follow the instructions shown in the message above in order to complete the final association between your existing Skedda user profile and your new SSO-authentication pathway. You'll only see this message if you already had a user profile present in Skedda with the same email address you are now using to authenticate via SSO. Entirely-new users (i.e. those who don't yet have a user profile associated with the email they're using to access Skedda via SSO) won't see this message.
Non-Skedda SSO error messages
From time to time, you may encounter an error message while testing SSO that doesn't originate from Skedda, i.e. Skedda didn't generate the error message - your IdP did. These error messages indicate that something has gone wrong somewhere outside the basic SSO integration that you've set up.
The most common one that we've seen come up has to do with user-access assignment issues. Two examples are:
AADSTS50105: The signed in user '.....' is not assigned to a role for the application (Skedda)
This is an Azure-generated error message that indicates that the user profile attempting to authenticate and log in to Skedda has not been granted the requisite access permissions (a role) for the Skedda-app that you've configured in Azure.
403. That's an error. Error: app_not_configured_for_user
This is a Google-generated error message that, as with Azure above, indicates that your user-access settings have not yet been configured to allow your selected users access to the Skedda-app that you've configured in Google.
While the user-access assignment error is the non-Skedda error message we've seen come up most commonly, if you do encounter an IdP-generated error message, you should take the following steps:
Read through the error message carefully to see what issue it is speaking to specifically. This will point you in the right direction as to where you should be looking within your IdP.
Click on the help links/'details' options that are included in the error messages, if available. These will often link to the IdP's knowledge base to provide further information on the issue and the associated fix.
We hope that this breakdown assists you in your troubleshooting of any SSO error messages you might encounter. Of course, if you're still stuck after taking a look through this list, please don't hesitate to reach out to the Skedda Team for further assistance!