Setting up SSO can be a little tricky and, while getting things going, you might encounter an error message or two along the way.
Take a look at the sections below for an overview of each message and how you can resolve it:
'Name ID not included in the configured whitelist'
If you're seeing this error, then the issue is that the domain being sent through to Skedda by your Identity Provider (IdP), via the 'Name ID' value, hasn't been included in the configured whitelist for your venue account on Skedda's side. In order to solve this one, make sure that the account you're using to test the SSO login actually has the 'Name ID' that was whitelisted for your Skedda venue account.
If you've confirmed that this is the case, and you're still encountering this error message, please reach out to us at Skedda. Our Dev team will take a look 'under the hood' to give us a better idea of what needs to be done!
'The domain of your email address is not included in the configured whitelist'
If you see this error message when attempting to log in via SSO, then it simply means that the email domain with which you're attempting to authenticate isn't actually added to the whitelist for your venue account yet. Please reach out to the Skedda team with a request to whitelist the specific email domain you're using, and we'll walk you through the next steps!
'The 'Name Id' that your IdP gave us for your authentication doesn't look like an email address'
When using SSO with Skedda, the 'NameId' value that your IdP provides to us must be an actual email address, not a random string - like 12345, for example. While this error isn't particularly common, your IdP may give you the ability to choose which 'NameId' format you want to use. In that case, you need to select the <email address> 'NameId' format, in order to send across the correct value to Skedda. Have your administrator reach out to us if they get stuck while making this change!
'We were unable to obtain your email address from your SSO provider'
In this error case, Skedda is missing your email address completely. The cause behind this is incorrect attribute mapping in your Skedda-app setup in your IdP, for your 'Email' attribute. The attribute named:
... needs to be linked to (contain) the email address of the user attempting to authenticate. Let us know if you need help adjusting this!
'We didn't get all the necessary information from your SSO provider'
In this case, the issue lies with incorrect attribute mapping for either your 'First name' or 'Last name' attributes, or both. The attribute named:
... needs to be linked to (contain) the first name of the user. And, the attribute named:
... needs to be linked to (contain) the surname of the user. Let us know if you need help adjusting this!
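The five error messages above all come down to what the IdP puts in the SAML assertion: an email-shaped, whitelisted Name ID, plus correctly mapped email, first-name and last-name attributes. The following Python script is an added example, not Skedda's code or any IdP's: run it over a SAML response you have captured from your own IdP's test tool (most IdPs offer a "test" or "view assertion" button) to see which of the messages above you should expect before you try a live login. The attribute names email, firstName and lastName are placeholders, since the article does not print the names Skedda expects; substitute the names shown on your SSO settings page. The script reads the assertion only; it does not verify the signature, so it is a mapping checker, not a validator.

```python
import re
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Standard SAML NameID format for email addresses (the one to select in your IdP).
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

# Hypothetical attribute names. The real names Skedda expects are shown on its
# SSO settings page; substitute them here.
ATTR_EMAIL = "email"
ATTR_FIRST_NAME = "firstName"
ATTR_LAST_NAME = "lastName"


def _attribute_values(root):
    """Map each SAML Attribute Name to its first non-empty AttributeValue."""
    values = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        texts = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values[attr.get("Name")] = next((t for t in texts if t), "")
    return values


def check_assertion(xml_text, whitelist):
    """Return a list of (code, detail) problems. An empty list means the
    assertion carries everything the error messages above ask for."""
    root = ET.fromstring(xml_text)
    problems = []

    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    fmt = name_id.get("Format", "") if name_id is not None else ""
    match = EMAIL_RE.match(value)
    if not match:
        # "'Name Id' ... doesn't look like an email address"
        problems.append(("nameid_not_email", f"NameID {value!r} is not an email address"))
    else:
        if fmt and fmt != EMAIL_FORMAT:
            problems.append(("nameid_format", f"NameID Format is {fmt!r}, expected {EMAIL_FORMAT!r}"))
        domain = match.group(1).lower()
        if domain not in {d.lower() for d in whitelist}:
            # "Name ID not included in the configured whitelist"
            problems.append(("domain_not_whitelisted", f"domain {domain!r} is not whitelisted"))

    attrs = _attribute_values(root)
    if not EMAIL_RE.match(attrs.get(ATTR_EMAIL, "")):
        # "We were unable to obtain your email address from your SSO provider"
        problems.append(("missing_email_attribute", f"attribute {ATTR_EMAIL!r} missing or not an email"))
    for code, attr_name in (("missing_first_name", ATTR_FIRST_NAME), ("missing_last_name", ATTR_LAST_NAME)):
        if not attrs.get(attr_name):
            # "We didn't get all the necessary information from your SSO provider"
            problems.append((code, f"attribute {attr_name!r} missing or empty"))
    return problems


# Constructed sample responses (not captured from any real IdP). The first is
# mapped correctly; the second sends an opaque NameID and omits the surname.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">12345</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_assertion(xml, {"example.com"}) or "OK")
```

Each problem code maps to one of the error messages above, so a non-empty result tells you which attribute mapping or Name ID setting to fix in the IdP before you contact support.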
'There was an unexpected problem with your SSO login'
There are a number of possible causes behind this error message, specifically:
Possible cause 1: SSO is not enabled on the Skedda side
Enable it! You can do this from your SSO settings page:
Possible cause 2: Certificate incorrect
This is the certificate that you paste into the 'IDENTITY PROVIDER CERTIFICATE PUBLIC KEY' field in your Skedda SSO settings. If you're seeing this error message, it's possible that the certificate you've provided for this field is incorrect. Take a second look at it, and feel free to reach out to us if you need any help!
Possible cause 3: IdP-initiated login without “relay state” value configured
If you're attempting to log in to Skedda from within your IdP (Identity Provider), and you're seeing the above error message, then the likely cause is that you're missing your venue's 'Relay State' value in your IdP's configuration for Skedda. Add that value into the appropriate field in your IdP's Skedda app, and you should be sorted!
Possible cause 4: Incorrect ACS URL
When configuring the value for your 'Reply URL (ACS URL)' from within your IdP (Identity Provider), you need to be sure to paste in only the value:
... into the relevant field. Any other value will produce the error message you've encountered!
Possible cause 5: Incorrect Entity ID
If your 'Entity ID' value is configured incorrectly from within your IdP, or it doesn't match up with the 'Entity ID' value you subsequently provide within your Skedda SSO settings, you'll also see this error message come up! We've seen this issue come up more commonly for JumpCloud integrations, but it's worth checking this, no matter your IdP, and letting us know if you get stuck!
Possible cause 6: Expired public certificate key
Part of an IdP's security protocol is to set an expiry date for the public certificate key that you supply to outside service providers (like Skedda), so that access to the applications configured in your IdP is protected. When your certificate expires in your IdP, you will no longer be able to authenticate via SSO for the apps that you've configured for SSO access.
If you can ask your IT team to confirm whether your certificate has expired or rolled over, you'll be able to either replace the former certificate value in Skedda or rule this out as a potential cause of the Skedda error message you've seen!
'The ACS/Reply-To URL of your Single Sign-On request is incorrect'
Similar to the 'Possible cause 4' point from the previous error message, this message indicates that the value you have supplied in your IdP as the 'ACS URL' for your Skedda app is incorrect. Take another look to see that you've copied over the correct value from Skedda exactly, and let us know if the issue persists beyond this point!
'Your login was successful, but to continue we just need you to click on the link in the email we've now sent you.'
If you're seeing this message, then, good news! Your SSO configuration appears to be working! You just need to follow the instructions shown in the message above in order to complete the final association between your existing Skedda user profile and your new SSO authentication pathway. You'll only see this message if you already have a user profile present in Skedda with the same email address you are now using to authenticate via SSO. Entirely new users (i.e. those who don't yet have a user profile associated with the email they're using to access Skedda via SSO) won't see this message.
Non-Skedda SSO error messages
From time to time, you may encounter an error message while testing SSO that doesn't originate from Skedda, i.e. your IdP generated the error message, not Skedda. These error messages indicate that something has gone wrong somewhere outside the basic SSO integration that you've set up.
The most common that we've seen come up has to do with user-access assignment issues. Two examples are:
AADSTS50105: The signed-in user '.....' is not assigned to a role for the application (Skedda)
This is an Azure-generated error message that indicates that the user profile attempting to authenticate and log in to Skedda has not been granted the requisite access permissions (a role) for the Skedda app that you've configured in Azure.
403. That's an error. Error: app_not_configured_for_user
This is a Google-generated error message that, as with Azure above, indicates that your user-access settings have not yet been configured to allow your selected users access to the Skedda app that you've configured in Google.
While the user-access assignment error is the non-Skedda error message we've seen come up most commonly, if you do encounter any IdP-generated error message, you should take the following two steps:
Read through the error message carefully to see what issue it is speaking to specifically. This will point you in the right direction as to where you should be looking within your IdP.
Click on the help links/'details' options that are included in the error messages, if available. These will often link to the IdP's knowledge base to provide further information on the issue and the associated fix.
Adding multiple Skedda venues with the same IdP
You can configure multiple Skedda venues (i.e. multiple Skedda URLs like numberone.skedda.com and numbertwo.skedda.com) with one dedicated "app" for each on your single IdP. Such an approach can have security benefits (e.g. perhaps you wish to limit access to your Skedda accounts based on security groups in Azure Active Directory).
Copy entity ID, login URL and certificate public key from the first venue already configured.
Paste these into the new venue and select save changes.
Unique-id error (if adding multiple apps on your IdP to point to different Skedda venues)
Some IdPs, including Microsoft Azure Active Directory and Google Workspace, will not allow you to create multiple "apps" with the same "Entity ID".
Skedda's standard "Entity ID" is https://skedda.com/saml2, and if you use this for two different apps in your IdP then you may see an error like those shown below (examples from Azure and Google Workspace respectively):
The good news is that there's an easy fix for this problem if you need to solve it. In addition to our standard Entity ID (https://skedda.com/saml2), we also support Skedda-account-specific Entity IDs. The format for an account-specific Entity ID is...
https://skedda.com/saml2?vid=12345
...where "vid=12345" is the same value as your account-specific "Relay State" that is shown on your SSO settings page (example below). You just need to make sure to check the box that reads, "Use venue-specific Entity ID" in the setup form for your SSO configuration.
Once you save your changes here, you'll see that the "Entity ID" value in the section "SETTINGS FOR YOUR IDENTITY PROVIDER" has changed to include your venue's unique "vid" (Venue ID). You should copy this account-specific Entity ID into the corresponding app you create in your IdP.
For example, if you had two Skedda accounts that had IDs "135790" and "246802", then the corresponding account-specific Entity IDs would be:
https://skedda.com/saml2?vid=135790
https://skedda.com/saml2?vid=246802
Importantly, if you do this for one of your venues, you need to do this for all your Skedda venues that are linked to the same IdP.
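The 'unexpected problem' causes 1 to 5 above and the Entity ID rules in this section are all configuration mismatches between what Skedda shows on its SSO settings page and what was typed into the IdP app. The script below is an added Python example, not Skedda's code or any IdP's, that cross-checks the two sides for every venue sharing one IdP. It assumes: the ACS URL is a placeholder string, because the article does not print the real value (use the exact value from your settings page); the Relay State has the form vid=<Venue ID> as described above; and the certificate check only confirms that what was pasted is a well-formed PEM certificate block (BEGIN/END CERTIFICATE markers, valid base64, DER structure), not that it is the right certificate or that it is unexpired, which is what cause 6 asks your IT team to confirm. Venue IDs 135790 and 246802 are the article's own example values.

```python
import base64
import binascii

STANDARD_ENTITY_ID = "https://skedda.com/saml2"  # Skedda's standard Entity ID (from the article)
# Placeholder: the real ACS URL is the exact value shown in your Skedda SSO settings.
ACS_URL = "https://ACS-URL-FROM-YOUR-SKEDDA-SSO-SETTINGS"


def expected_entity_id(vid, venue_specific):
    """Entity ID Skedda expects, depending on the 'Use venue-specific Entity ID' box."""
    return f"{STANDARD_ENTITY_ID}?vid={vid}" if venue_specific else STANDARD_ENTITY_ID


def expected_relay_state(vid):
    """The account-specific Relay State value, 'vid=<Venue ID>'."""
    return f"vid={vid}"


def pem_certificate_problem(pem):
    """Cheap sanity check of the pasted IdP certificate: PEM markers, base64 body,
    leading DER SEQUENCE tag. Returns None if it looks like a certificate."""
    lines = [l.strip() for l in pem.strip().splitlines() if l.strip()]
    if not lines or lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        return "not a PEM block delimited by BEGIN/END CERTIFICATE lines (a PRIVATE KEY block is wrong here)"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return "body is not valid base64 (truncated or mangled paste?)"
    if not der or der[0] != 0x30:
        return "decoded body does not start with a DER SEQUENCE"
    return None


def check_venue(skedda, idp_app):
    """Cross-check one venue's Skedda SSO settings against the IdP app built for it.
    Codes follow the 'Possible cause' numbering above."""
    problems = []
    if not skedda["sso_enabled"]:
        problems.append("cause1_sso_disabled")
    cert_issue = pem_certificate_problem(skedda["idp_certificate_pem"])
    if cert_issue:
        problems.append("cause2_certificate: " + cert_issue)
    if idp_app.get("relay_state") != expected_relay_state(skedda["vid"]):
        problems.append("cause3_relay_state_mismatch")
    if idp_app.get("acs_url") != ACS_URL:  # exact match only: no trailing slash or whitespace
        problems.append("cause4_acs_url_mismatch")
    if idp_app.get("entity_id") != expected_entity_id(skedda["vid"], skedda["venue_specific_entity_id"]):
        problems.append("cause5_entity_id_mismatch")
    return problems


def check_idp(venues):
    """venues: list of (skedda_settings, idp_app) pairs that share one IdP."""
    report = {s["vid"]: check_venue(s, app) for s, app in venues}
    idp_problems = []
    entity_ids = [app.get("entity_id") for _, app in venues]
    if len(set(entity_ids)) != len(entity_ids):
        idp_problems.append("duplicate_entity_id")  # the unique-id error in Azure AD / Google Workspace
    if len({s["venue_specific_entity_id"] for s, _ in venues}) > 1:
        idp_problems.append("mixed_entity_id_styles")  # venue-specific IDs are all-or-nothing per IdP
    if idp_problems:
        report["idp"] = idp_problems
    return report


# Constructed sample data. The PEM body is a stand-in, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
              + "\n-----END CERTIFICATE-----\n")


def _venue(vid, specific, enabled=True):
    return {"vid": vid, "sso_enabled": enabled, "idp_certificate_pem": SAMPLE_PEM,
            "venue_specific_entity_id": specific}


GOOD_VENUES = [
    (_venue("135790", True), {"entity_id": "https://skedda.com/saml2?vid=135790", "acs_url": ACS_URL, "relay_state": "vid=135790"}),
    (_venue("246802", True), {"entity_id": "https://skedda.com/saml2?vid=246802", "acs_url": ACS_URL, "relay_state": "vid=246802"}),
]
BAD_VENUES = [
    # Box ticked in Skedda, SSO not yet enabled, and the IdP app still carries the standard Entity ID.
    (_venue("135790", True, enabled=False), {"entity_id": STANDARD_ENTITY_ID, "acs_url": ACS_URL, "relay_state": "vid=135790"}),
    # Standard ID on both sides, trailing slash on the ACS URL, Relay State never filled in.
    (_venue("246802", False), {"entity_id": STANDARD_ENTITY_ID, "acs_url": ACS_URL + "/"}),
]

if __name__ == "__main__":
    print(check_idp(GOOD_VENUES))
    print(check_idp(BAD_VENUES))
```

The per-venue codes point at the numbered cause to revisit, while the "idp" entry flags the two cross-venue rules from this section: two apps sharing one Entity ID, and venue-specific IDs switched on for some venues but not others.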
Microsoft Entra ID / Office 365 SSO Certificate Expired
This issue might occur after you have set up SSO with Microsoft Entra ID / Office 365. If your SAML signing certificate on Azure has expired, you may get locked out of your Skedda venue if you were not already logged in. In this scenario, please reach out to our support team.
We hope that this breakdown assists you in your troubleshooting of any SSO error messages you might encounter. Of course, if you're still stuck after taking a look through this list, please don't hesitate to reach out to the Skedda Team for further assistance!