Content of the article:
- Email domain not configured for SSO in Acubiz
- User access not set up in customer's AD system (error AADSTS50105)
- Error 401 Not authorized
- Package managers (MDM, Intune or similar)
- SAML Certificate needs to be renewed.
Email domain not configured for SSO in Acubiz
⚠️Error: The user is rejected immediately after entering their email on the first screen and receives an error message such as: "Selected user account does not exist in tenant ...."
ℹ️Reason: The company's email domain is not set up/configured in the Acubiz ADFS system. Acubiz uses the email domain to select the customer's SSO setup, so a domain that has not been configured cannot be handled. This typically occurs when the customer has already implemented SSO but subsequently has users with email addresses under a new domain.
✅Solution: The company must enter into an agreement with Acubiz Support to set up the new domain. Adding a new domain to the setup entails an additional cost.
⚙️Solved by: Acubiz implements the change once the agreement is in place.
An example of the screen that the user will see:
User access not set up in customer's AD system (error AADSTS50105)
⚠️Error: If the user receives an error message when attempting to log in, which is of the following nature: "AADSTS50105: The signed in user 'robertk@kundedomæne.dk' is not assigned to a role for the application '4d020abe-0f94-4443-b515-5c40f482ea90'(Acubiz EMS)."
ℹ️Reason: The problem lies in the customer's configuration of the AD system (Entra ID). The message does NOT originate from Acubiz but from the customer's own AD system: error code AADSTS50105 means that the Acubiz enterprise application is set to require user assignment, and the user (or a group the user belongs to) has not been assigned to it.
✅Solution: Configuration must be performed in the company's AD by assigning the user, or a group containing the user, to the Acubiz enterprise application.
⚙️Solved by: The company's IT department must make the change in the AD.
- Related information: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-AADSTS50105-user-not-assigned-role
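As an added example (not Acubiz documentation and not Acubiz's own tooling), the check and fix an administrator would run for the AADSTS50105 case with the Microsoft Graph PowerShell SDK. The application ID and the user name are the ones quoted in the error message above; the choice of app role (first enabled role, otherwise the empty default role) is an assumption for illustration, and the script only looks at direct assignments, not assignments inherited from a group.

```powershell
# Added example: diagnose and fix AADSTS50105 for one user with Microsoft Graph PowerShell.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph) and an
# administrator who can read applications and write app role assignments.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All", "User.Read.All"

$appId = "4d020abe-0f94-4443-b515-5c40f482ea90"   # application ID quoted in the AADSTS50105 message
$upn   = "robertk@kundedomæne.dk"                 # user named in the AADSTS50105 message

# The enterprise application in the customer's tenant is a service principal.
$sp   = Get-MgServicePrincipal -Filter "appId eq '$appId'"
$user = Get-MgUser -UserId $upn

# AADSTS50105 is only raised when the application requires assignment.
"App '$($sp.DisplayName)' requires assignment: $($sp.AppRoleAssignmentRequired)"

# Direct assignments this user already holds on this application.
$existing = Get-MgUserAppRoleAssignment -UserId $user.Id |
    Where-Object { $_.ResourceId -eq $sp.Id }

if ($existing) {
    "User is already assigned (AppRoleId $($existing.AppRoleId)); look elsewhere for the cause."
}
else {
    # Assumption for the example: use the first enabled app role if the application
    # defines any, otherwise the empty GUID, which is the default "no role" assignment.
    $role   = $sp.AppRoles | Where-Object { $_.IsEnabled } | Select-Object -First 1
    $roleId = if ($role) { $role.Id } else { [Guid]::Empty }

    New-MgUserAppRoleAssignment -UserId $user.Id `
        -PrincipalId $user.Id `
        -ResourceId  $sp.Id `
        -AppRoleId   $roleId
    "Assigned $upn to '$($sp.DisplayName)' with role $roleId."
}
```

Assigning a security group to the application instead of individual users is the usual way to keep this from recurring as staff change; if the user is supposed to be covered by such a group, check the group membership rather than adding a direct assignment.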
Example of the screens the user sees:
Error 401 Not authorized
⚠️Error: SSO authentication works fine, but the user then gets the error "401 Not authorized" from Acubiz.
ℹ️Reason: This happens if the user's email address cannot be found on an active user profile in Acubiz. Duplicate email addresses are not allowed: if a Resigned (inactive) user profile exists with the same email address, the SSO lookup fails even when a new active user profile is present.
✅Solution: Create the user in Acubiz or correct the email address on the active profile. If an inactive (Resigned) profile holds the same address, change that profile's email address, for example by inserting "_resigned" into it.
⚙️Solved by: An Acubiz Pro user with Administrator role must make the change in Acubiz.
Package managers (MDM, Intune or similar)
⚠️Error: When the user enters their email address in the Acubiz app, nothing happens afterwards.
ℹ️Reason: When the Acubiz app is distributed through a package manager / MDM platform (for example Intune), the managed environment (sandbox) created for Acubiz on the phone must also include a browser. Acubiz opens the company's AD login page in a browser, so without one the SSO flow cannot start and nothing happens after the email address is entered.
✅Solution: Include a browser in the same managed environment when remotely installing the Acubiz app.
⚙️Solved by: The company's IT department must make the change on the package manager platform.
SAML Certificate needs to be renewed.
⚠️Error: The customer's SAML certificate has expired.
ℹ️Related information: Updating SAML certificate
✅Solution: The customer must renew the certificate in their own system and publish it at the same FederationMetadataURL; Acubiz ADFS reads that URL and registers the new certificate automatically within 24 hours. Acubiz should not receive the certificate itself as a file. SAML certificates typically expire after three years, so the renewal date should be tracked well in advance.
⚙️Solved by: The company's IT department must make the change in the AD (the identity provider that publishes the federation metadata).
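As an added example (not part of the Acubiz article and not Acubiz's own tooling), a check an IT department can run before and after the renewal: download the federation metadata from the registered FederationMetadataURL and report the expiry of every SAML signing certificate it publishes. The metadata URL below is an assumption; substitute the URL that was registered with Acubiz.

```powershell
# Added example: list the SAML signing certificate(s) published in federation metadata
# and how many days remain before each expires. The URL is an assumption; replace it
# with the FederationMetadataURL registered with Acubiz (ADFS or Entra ID both work).
$metadataUrl = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml"

[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# SAML 2.0 metadata namespaces: EntityDescriptor/IDPSSODescriptor/KeyDescriptor/KeyInfo/X509Data/X509Certificate
$ns = @{
    md = "urn:oasis:names:tc:SAML:2.0:metadata"
    ds = "http://www.w3.org/2000/09/xmldsig#"
}
# KeyDescriptor without a 'use' attribute may be used for both signing and encryption.
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

$certs = Select-Xml -Xml $metadata -Namespace $ns -XPath $xpath | ForEach-Object {
    $der  = [Convert]::FromBase64String(($_.Node.InnerText -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

$certs | Sort-Object NotAfter | Format-Table -AutoSize

if (-not $certs) {
    Write-Warning "No SAML signing certificate found in the metadata; check the URL."
}
elseif (($certs | Measure-Object -Property DaysLeft -Minimum).Minimum -lt 30) {
    Write-Warning "At least one signing certificate expires within 30 days; renew and republish it."
}
```

During a rollover the metadata normally lists both the old and the new certificate for a while; seeing the new one here with a fresh NotAfter date is the confirmation that it has been published at the URL Acubiz reads, and the service provider side is expected to pick it up from there within the 24 hours stated above.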
Complete list of error codes from Entra:
https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes