Content of the article:
- Email domain not configured for SSO in Acubiz
- User access not set up in customer's AD system (error AADSTS50105)
- Error 401 Not authorized
- Package managers (MDM, Intune or similar)
- SSO in App: When the mobile has saved the Microsoft login cookie for a private email
- SAML Certificate needs to be renewed.
Email Domain not Configured for SSO in Acubiz
⚠️Error: The user is rejected immediately after entering their email address on the first login screen and receives a message like: "Selected user account does not exist in tenant ...."
ℹ️Reason: The company's email domain is not configured in the Acubiz ADFS setup. This typically happens when the customer already has SSO in place but later adds users whose email addresses are under a new domain.
✅Solution: The company must agree with Acubiz Support to have the new domain added. Adding a domain to the SSO setup incurs an additional cost.
⚙️Solved by: Acubiz implements the change once the agreement is in place.
An example of the screen that the user will see:
User Access not Set Up in Customer's AD System (Error AADSTS50105)
⚠️Error: When attempting to log in, the user receives an error message of the following kind: "AADSTS50105: The signed in user 'robertk@kundedomæne.dk' is not assigned to a role for the application '4d020abe-0f94-4443-b515-5c40f482ea90'(Acubiz EMS)."
ℹ️Reason: The problem lies in the customer's configuration of their Entra ID (AD) tenant. The message does NOT originate from Acubiz; it is returned by the customer's own identity provider because the Acubiz enterprise application requires user assignment and this user (or a group containing them) has not been assigned to it.
✅Solution: Grant the user access to the Acubiz application in the company's Entra ID (AD), either directly or through a group that is assigned to the application.
⚙️Solved by: The company's IT department makes the change in Entra ID (AD).
- Related information: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-AADSTS50105-user-not-assigned-role
Examples of the screens the user sees (two variants):
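The following is an added example of how the company's IT department can perform the assignment from PowerShell rather than the portal. It is not Acubiz's or Microsoft's own code; it assumes the Microsoft.Graph PowerShell SDK is installed, that the enterprise application appears in the tenant under the display name 'Acubiz EMS' (as in the error text above), and it reuses the placeholder UPN from the sample error.

```powershell
# Added example (not from the Acubiz article). Assumptions: Microsoft.Graph SDK
# installed; enterprise app named 'Acubiz EMS'; the UPN is the article's placeholder.

function Grant-AcubizAppAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [string]$AppDisplayName = 'Acubiz EMS'
    )

    # Creating app role assignments needs these delegated permissions; an admin consents once.
    Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All','Application.Read.All','User.Read.All' | Out-Null

    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
    if ($sp.Count -eq 0) { throw "Enterprise application '$AppDisplayName' not found in this tenant." }
    if ($sp.Count -gt 1)  { throw "More than one service principal named '$AppDisplayName'; select it by Id instead." }
    $sp = $sp[0]

    $user = Get-MgUser -UserId $UserPrincipalName

    # Idempotency: a second assignment for the same app would fail, so check first.
    $existing = Get-MgUserAppRoleAssignment -UserId $user.Id |
        Where-Object { $_.ResourceId -eq $sp.Id }
    if ($existing) {
        Write-Host "$UserPrincipalName is already assigned to $AppDisplayName (AppRoleId $($existing.AppRoleId))."
        return $existing
    }

    # Apps that publish no user-assignable roles use the 'Default Access' role, whose
    # id is the all-zero GUID. If the app does publish roles, this takes the first
    # enabled one that users may hold; adjust if your tenant expects a specific role.
    $userRoles = @($sp.AppRoles | Where-Object { $_.IsEnabled -and ($_.AllowedMemberTypes -contains 'User') })
    $roleId = if ($userRoles.Count -gt 0) { $userRoles[0].Id } else { [guid]::Empty }

    New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id `
        -ResourceId $sp.Id -AppRoleId $roleId
}

# Usage with the UPN from the article's sample error message.
Grant-AcubizAppAccess -UserPrincipalName 'robertk@kundedomæne.dk'
```

Assigning a group instead of individual users scales better for onboarding; use New-MgGroupAppRoleAssignment with the group's id as -PrincipalId. Turning off "Assignment required?" on the service principal (AppRoleAssignmentRequired) also silences AADSTS50105, but it lets every user in the tenant reach the Acubiz sign-in, so explicit assignment is the least-privilege fix.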
Error 401 Not Authorized
⚠️Error: SSO authentication succeeds, but the user then receives "401 Not authorized" from Acubiz.
ℹ️Reason(s):
- The user's email address cannot be found on any active user profile in Acubiz.
- The email address registered on the Acubiz user profile is not the user's primary email address in the company's Entra ID tenant (for example, an alias is registered instead).
- Duplicate email addresses exist. For instance, if a resigned user's profile still carries the email address, the SSO lookup fails even though a new active profile with the same address exists.
✅Solution(s):
- Create a user profile with the email address the user signs in with.
- Ensure that the email address registered in Acubiz is the user's primary email address from the company's Entra ID tenant. Alias email addresses are not permitted.
- Change the email address on any inactive user profiles, for example by appending "_resigned" to it. Each email address must be unique and appear on only one user profile in Acubiz, regardless of whether the user is active or resigned.
⚙️Solved by: An Acubiz Pro user with Administrator role must make the change in Acubiz.
➡️Verification: Have the user run a Test of SSO Connection to Acubiz.
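An added example (not Acubiz's own tooling) of how an administrator can check all three causes above in one pass before users start reporting 401s. It assumes two exports the administrator builds themselves: the Acubiz user list with Email and Status columns, and the Entra ID user list with Mail and ProxyAddresses (as returned by Get-MgUser). The rows embedded below are constructed sample data that trigger each of the three failure causes.

```powershell
# Added example (not from the Acubiz article). Input shapes are assumptions:
#   Acubiz export : objects with Email, Status ('Active' or 'Resigned')
#   Entra export  : objects with Mail (primary), ProxyAddresses ('SMTP:' primary, 'smtp:' aliases)

function Test-AcubizSsoEmailMatch {
    param(
        [Parameter(Mandatory)] [object[]]$AcubizUsers,
        [Parameter(Mandatory)] [object[]]$EntraUsers
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # Cause 3: duplicate emails across ALL Acubiz profiles, active or resigned.
    $AcubizUsers | Group-Object { $_.Email.ToLowerInvariant() } |
        Where-Object Count -gt 1 | ForEach-Object {
            $findings.Add([pscustomobject]@{
                Email   = $_.Name
                Problem = 'Duplicate email across profiles'
                Detail  = 'Statuses: ' + ($_.Group.Status -join ', ')
            })
        }

    # Index of active Acubiz profiles by lower-cased email.
    $active = @{}
    foreach ($u in ($AcubizUsers | Where-Object Status -eq 'Active')) {
        $active[$u.Email.ToLowerInvariant()] = $u
    }

    foreach ($e in $EntraUsers) {
        if (-not $e.Mail) { continue }                 # no primary address: nothing to match
        $primary = $e.Mail.ToLowerInvariant()
        if ($active.ContainsKey($primary)) { continue } # the good case: primary address on an active profile

        # Aliases are the proxyAddresses written with lower-case 'smtp:'; the primary uses 'SMTP:'.
        $aliases = @($e.ProxyAddresses | Where-Object { $_ -cmatch '^smtp:' } |
                     ForEach-Object { $_.Substring(5).ToLowerInvariant() })
        $hit = $aliases | Where-Object { $active.ContainsKey($_) } | Select-Object -First 1
        if ($hit) {
            # Cause 2: Acubiz knows the user only by an alias.
            $findings.Add([pscustomobject]@{
                Email = $primary; Problem = 'Acubiz profile uses an alias, not the primary address'
                Detail = "Acubiz profile has $hit"
            })
        } else {
            # Cause 1: no active profile at all.
            $findings.Add([pscustomobject]@{
                Email = $primary; Problem = 'No active Acubiz profile for this primary address'; Detail = ''
            })
        }
    }
    return $findings
}

# Constructed sample input (not real customer data).
$acubiz = @(
    [pscustomobject]@{ Email = 'anna@example.com';     Status = 'Active' },
    [pscustomobject]@{ Email = 'peter@example.com';    Status = 'Resigned' },  # old profile kept its address
    [pscustomobject]@{ Email = 'peter@example.com';    Status = 'Active' },    # re-hired: duplicate
    [pscustomobject]@{ Email = 'm.jensen@example.com'; Status = 'Active' }     # alias registered instead of primary
)
$entra = @(
    [pscustomobject]@{ Mail = 'anna@example.com';     ProxyAddresses = @('SMTP:anna@example.com') },
    [pscustomobject]@{ Mail = 'peter@example.com';    ProxyAddresses = @('SMTP:peter@example.com') },
    [pscustomobject]@{ Mail = 'mette@example.com';    ProxyAddresses = @('SMTP:mette@example.com', 'smtp:m.jensen@example.com') },
    [pscustomobject]@{ Mail = 'new.hire@example.com'; ProxyAddresses = @('SMTP:new.hire@example.com') }
)
Test-AcubizSsoEmailMatch -AcubizUsers $acubiz -EntraUsers $entra | Format-Table -AutoSize
```

With the sample data this reports three findings: the duplicate peter@example.com, mette@example.com known to Acubiz only by her alias, and new.hire@example.com with no profile at all. Matching is case-insensitive because Entra ID treats email addresses that way; whether Acubiz itself does is not stated in the article, so keep the casing identical on both sides to be safe.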
Package Managers (MDM, Intune or Similar)
⚠️Error: After the user enters their email address in the Acubiz app, nothing happens.
ℹ️Reason: When the app is deployed through an MDM or app-management platform (for example Intune), the managed sandbox (work profile) that Acubiz runs in must also contain a browser; otherwise Acubiz cannot open the company's Entra ID (AD) login page.
✅Solution: Include a browser in the managed profile when remotely installing the Acubiz app.
⚙️Solved by: The company's IT department makes the change on the MDM / app-management platform.
SSO in App: When the mobile has saved the Microsoft login cookie for a private email
⚠️Problem: The user chooses the SSO login option in the app but is automatically signed in with a private email address, resulting in an error from the customer's Entra ID (AD) tenant.
ℹ️Reason: The browser has stored a Microsoft login cookie for the wrong (private) account, so login.microsoftonline.com does not prompt for the company email and the login fails.
✅Solution: Delete the cookies on the mobile device so that the user is prompted again for their company email on login.microsoftonline.com.
Guide for iPhone:
If you have multiple browsers installed, first check which one is the default by navigating to Settings > Apps > Default apps and reviewing the application listed under "Browser App."
For Safari (the default):
- Navigate to: Settings > Apps > Safari > Advanced (at the bottom) > Website Data > Remove All Website Data (at the bottom).
- This deletes all stored website data, including cookies. Alternatively, locate login.microsoftonline.com in the list and delete the data for that site only.
For Chrome:
- Open the app, open its options menu, select "Clear browsing data," and confirm.
- If you want to keep your browsing history and other data, clear only "Cookies and site data."
⚙️Solved by: The users themselves
SAML Certificate Needs to be Renewed
⚠️Error: The customer's SAML signing certificate has expired, so Acubiz ADFS can no longer validate the customer's SAML responses.
ℹ️Related information: Updating SAML certificate
✅Solution: The customer renews the certificate on their own identity provider (Entra ID or AD FS) and publishes it at the same FederationMetadataURL; Acubiz ADFS then registers the new certificate automatically within 24 hours. Acubiz should not be sent the certificate as a file. SAML signing certificates typically have a three-year lifetime, so plan the renewal ahead of the expiry date.
⚙️Solved by: The company's IT department renews the certificate in their identity provider (Entra ID / AD FS).
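Because Acubiz reads the new certificate from the FederationMetadataURL, the useful check on the customer side is whether that URL actually publishes a signing certificate with a future expiry. The following is an added example (not Acubiz's code) that fetches a federation metadata document and lists every signing certificate with its remaining lifetime; the Entra ID metadata URL format shown is a placeholder and the tenant id must be filled in (AD FS publishes the same document at /FederationMetadata/2007-06/FederationMetadata.xml).

```powershell
# Added example (not from the Acubiz article). Assumption: $MetadataUrl is the same
# FederationMetadataURL that Acubiz ADFS consumes for this customer.

function Get-SamlSigningCertExpiry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$MetadataUrl,
        [int]$WarnDays = 30
    )
    $md   = 'urn:oasis:names:tc:SAML:2.0:metadata'
    $dsig = 'http://www.w3.org/2000/09/xmldsig#'

    # Fetch the raw document and parse it ourselves so namespaces are handled explicitly.
    [xml]$doc = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
    $now = Get-Date

    foreach ($kd in $doc.GetElementsByTagName('KeyDescriptor', $md)) {
        # 'use' is 'signing', 'encryption', or absent (meaning both); skip encryption-only keys.
        if ($kd.GetAttribute('use') -eq 'encryption') { continue }

        foreach ($node in $kd.GetElementsByTagName('X509Certificate', $dsig)) {
            $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
            $days = [int]($cert.NotAfter - $now).TotalDays
            [pscustomobject]@{
                Role       = $kd.ParentNode.LocalName     # e.g. IDPSSODescriptor
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                DaysLeft   = $days
                Status     = if ($days -lt 0) { 'EXPIRED' } elseif ($days -lt $WarnDays) { 'RENEW SOON' } else { 'OK' }
            }
        }
    }
}

# Usage: replace <tenant-id> with the customer's Entra ID tenant id (placeholder, not a real value).
Get-SamlSigningCertExpiry -MetadataUrl 'https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml' |
    Format-Table Role, Thumbprint, NotAfter, DaysLeft, Status -AutoSize
```

Run it before the rollover to see how long is left, and again afterwards: if only the old thumbprint is listed, the new certificate has not been published at the URL and Acubiz ADFS has nothing to pick up during its 24-hour refresh. During an Entra ID rollover both the old and new certificate can appear in the metadata until the old one is removed, which is expected.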
Complete list of error codes from Entra:
https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes