When configuring Single Sign-On (SSO) with Microsoft Entra ID, G Suite, or Okta, issues may arise. This article provides troubleshooting steps to help resolve common problems across these platforms.
Looking for something else?
- Not yet configured SSO with your identity provider? Learn how to set up SSO here.
Testing and troubleshooting common identity providers
Ensuring that SSO is functioning correctly is crucial for seamless access and security. Follow the steps below to verify and debug SSO setups with Microsoft Entra ID, G Suite, and Okta.
Microsoft Entra ID
Step 1: In the Azure Portal, navigate to the Enterprise applications section.
Step 2: Select the application and click on Test under the Single Sign-on settings.
Step 3: Review any error messages and verify that the SSO setup is correct.
Step 4: Navigate to Azure Active Directory > Sign-in. Use the Azure AD Sign-in logs to review authentication attempts and errors.
G Suite
Step 1: In the Google Admin Console, navigate to the Apps section.
Step 2: Select SAML apps, choose your application, and click Test to simulate SSO login.
Step 3: Navigate to Reports > Audit > SAML. Review the SAML login logs in the Google Admin Console to identify any authentication issues.
Okta
Step 1: In the Okta Admin Console, navigate to Applications. Select your application, and click on Sign On to test the SSO configuration.
Step 2: Review any issues highlighted in the test results.
Step 3: Navigate to Reports > System Log. Use Okta’s system log to review authentication attempts and diagnose errors.
General troubleshooting tips
Refer to the table below for general troubleshooting recommendations to help you resolve common issues during the SSO setup process.
| Troubleshooting Tip | Explanation |
| --- | --- |
| Ensure correct SSO Configuration | Ensure that SSO settings are correctly configured according to the setup instructions, including the Name ID format, email address, signing certificates, and attribute mappings. The email address used in the identity provider must match the one configured in Enable, including case sensitivity. |
| Verify the Credentials | Ensure that all SSO credentials (such as Entity ID, ACS URL, etc.) are accurately entered in both the identity provider and in Enable. |
| Review Metadata Files | Confirm that any metadata files or configuration details are correctly uploaded and correspond to the provided credentials. Re-upload if necessary. |
| Certificate Problems | Confirm that the SAML Signing Certificate is properly configured and valid. Re-import or update the certificate if needed; for example, a SAML signing certificate may become outdated or expire, meaning that the SSO process will fail because the Service Provider will not trust the signed SAML assertions. |
| Clearing Cache | Clearing the browser cache can resolve issues caused by outdated or corrupted data stored in the cache. Clear your cache and try logging in again. |
| Use a Private Browser | Using a private or incognito browser window can help bypass issues caused by cookies and cached data. This provides a clean session for testing SSO. |
| Review Logs | Review the identity provider logs and Enable user activity logs for error messages or issues that might indicate the source of the problem. |
| Test SSO | Use the built-in testing tools provided by your identity provider and Enable to simulate login attempts and ensure the SSO configuration works as expected. |
| Change browser | Occasionally switching browsers (e.g. from Microsoft Edge to Chrome) may work. |
| Remove autocompleted fields from browser | Delete the text currently written in any text fields displayed on the page so that they are blank. Then, repopulate those text fields again with the correct information before continuing. |
| Delete and recreate users in Enable channel | Occasionally this may work as a last resort. |
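The configuration checks in the table (Entity ID, ACS URL, Name ID format, and the case-sensitive email match) can be run against a SAMLResponse captured from a test login. The script below is an added example, not code from Enable or any identity provider; the function name, the `sp.example.com` URLs, the sample response, and the choice of the emailAddress Name ID format are all assumptions to replace with the values from your own setup.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the setup instructions call for the emailAddress Name ID format.
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_saml_response(b64_response, entity_id, acs_url, email):
    """List mismatches between a SAMLResponse and the expected settings.
    Diagnostic only: the XML signature is NOT verified here."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD or entity declarations are not expected in SAML")
    root = ET.fromstring(xml)
    problems = []
    def expect(label, actual, wanted):
        if actual != wanted:
            problems.append(f"{label}: got {actual!r}, expected {wanted!r}")
    expect("Destination", root.get("Destination"), acs_url)
    audience = root.find(".//a:Audience", NS)
    expect("Audience", audience.text if audience is not None else None, entity_id)
    scd = root.find(".//a:SubjectConfirmationData", NS)
    expect("Recipient", scd.get("Recipient") if scd is not None else None, acs_url)
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None:
        return problems + ["NameID: missing"]
    expect("NameID Format", name_id.get("Format"), EMAIL_FMT)
    sent = (name_id.text or "").strip()
    if sent != email and sent.lower() == email.lower():
        problems.append(f"NameID: {sent!r} differs from {email!r} only by case")
    else:
        expect("NameID", sent, email)
    return problems

# Constructed sample response (not real IdP output); all values are placeholders.
SAMPLE = base64.b64encode(b"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example.com/saml/acs">
 <a:Assertion><a:Subject>
  <a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</a:NameID>
  <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"/></a:SubjectConfirmation>
 </a:Subject><a:Conditions><a:AudienceRestriction>
  <a:Audience>https://sp.example.com/metadata</a:Audience>
 </a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>""").decode()

if __name__ == "__main__":
    for line in check_saml_response(SAMPLE, "https://sp.example.com/saml/metadata",
            "https://sp.example.com/saml/acs", "jane.doe@example.com"):
        print(line)
```

The input is the base64 value of the `SAMLResponse` form field posted to the ACS URL during a test login; treat a captured response as sensitive, since it identifies the user.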
Tracking SSO in Enable
Channel admin users have access to the Config area and user activity log within Enable. To track SSO login for users in Enable:
Step 1: Click on Config in the green banner at the top of the page.
Step 2: Click on Users in the drop-down menu. You will automatically be navigated to Users within the Config area.
Step 3: Click on Activity type and select SAML2 single sign-on. Click OK.
Step 4: Review the user SSO login attempts to see who has succeeded or failed to log in to Enable, along with the reasons why. Tip: Hover over the Failure activity indicator to reveal the email address of the user who has attempted to sign in.
Note: Once you have confirmed that SSO is working, Enable can enforce sign-in through SSO only, and remove the option of manual login with your current Enable passwords. If this is required by your organization, reach out to the Enable Support team.
What’s next?
Ready to learn more about the user activity log now that SSO setup is complete? Learn more about monitoring user activity here.