Troubleshoot Your SAML SSO Configuration


Overview

This article describes troubleshooting steps for common issues with a Single Sign-On (SSO) configuration in the Syniti Knowledge Platform (SKP) that uses the Security Assertion Markup Language (SAML) 2.0 protocol. Use it to diagnose and resolve SAML SSO configuration issues efficiently.

Note

The error messages described below are examples and may differ based on your identity provider (IdP).

Troubleshoot the SAML Configuration in the SKP

  1. Log into the SKP using the Syniti provisioned administrator account.

  2. Access Admin > Single Sign-On.

  3. Click the Edit icon on the SSO Configuration card to modify the SAML configuration based on your IdP. Use the following table to troubleshoot your SAML SSO configuration:

Error Message: Unrecognized login. Double-check your credentials and try again.

Possible Issues:

  • You may have entered an incorrect email address, or an email address with a domain that is not added to the trusted domains for your tenant in the SKP.

  • You may not have whitelisted or trusted your organization’s IdP URL within Syniti’s network.

Remediation: Submit a request to Syniti Support with your organization’s:

  • required domains, to get them added and activated for your tenant in the SKP before configuring the SSO feature.

  • IdP URL, to whitelist or trust it within Syniti’s network.

Error Message: Syniti does not support your identity provider. Please contact an administrator.

Possible Issues:

  • You may have incorrectly entered your IdP’s Metadata URL in the Metadata URL field.

  • You may have entered incorrect or incomplete data for the following attributes from the metadata .xml code in the Metadata XML field:

    • Entity ID

    • Assertion Consumer Service or SSO URL

    • Single Logout Service URL

    • SAML Certificate

Remediation: Perform one of the following actions as per your configuration:

  • Ensure that you’ve entered the correct metadata URL from your IdP’s SAML configuration.

  • Download, copy, and paste the latest, correct, and complete .xml code of your IdP’s metadata.

Error Message: You are not authorized to log in. Please contact an administrator.

Possible Issues: You may have incorrectly entered the User Metadata attributes from the IdP’s metadata URL or .xml file. This error occurs for new users provisioned from your IdP trying to log in to the SKP.

Remediation: Ensure that the attributes mentioned in the Set Up SAML SSO in the SKP section are entered correctly in the corresponding fields.

Troubleshoot Errors in the IdP

If you experience errors in your IdP, Syniti suggests using the support and tools that your IdP provides.

Error Message: Application with identifier “syniti.xxx” was not found in the IdP’s directory “xxxxx”. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

Possible Issues: You may have incorrectly entered Syniti’s Entity ID in the new application configured in your organization’s IdP.

Remediation: Enter Syniti’s Entity ID that corresponds to your SKP tenant region. Refer to Set Up the IdP section for more information.

Error Message: The reply URL “https://api.syniti.<tenant region>/oauth/sigin/callback” specified in the request does not match the URLs configured for the application “syniti.xxx”. Make sure the reply URL sent in the request matches one added to your application in your IdP.

Possible Issues: You may have incorrectly entered the Assertion Consumer Service URL or Reply URL in the new application configured in your organization’s IdP.

Remediation: Enter the Assertion Consumer Service URL or Reply URL that corresponds to your SKP tenant region. Refer to Set Up the IdP section for more information.

Error Message: We couldn't find an account with that username.

Possible Issues: The entered email address for the user is not available in your IdP’s directory.

Remediation: Contact your IdP’s Administrator to get your account added and assigned to the new application created for the SKP.

Error Message: The signed in user 'xxxxx@<your domain>.xxx' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.

Possible Issues: The entered email address for the user is not assigned to the new application created for the SKP.

Remediation: Contact your IdP’s Administrator to get your account assigned to the new application created for the SKP.

Deactivate SAML SSO

Warning!

Deactivating SAML SSO may leave your users unable to access the SKP with your organization’s credentials. Deactivate SAML SSO only after contacting Syniti Support and when all of your organization’s user accounts are provisioned with Syniti’s trusted domain such that they log in using the SKP-initiated sign-on page.

You can either deactivate the SAML SSO configuration to use the password authentication with the SKP account, or edit the configuration details if your organization moves to a new IdP with the SAML 2.0 protocol.

Should there be a need for support when your organization moves to a new IdP, contact Syniti Support.

To deactivate SAML SSO:

  1. Log into the SKP using the Syniti provisioned administrator account. For example, test.user@syniti.com. The SKP-initiated sign-on page is displayed.

    SKP-initiated sign-on page

  2. Enter your Syniti provisioned administrator account’s Username and Password.

  3. Click Sign In.

  4. Access Admin > Single Sign-On.

  5. Turn off the Active toggle button to deactivate the SSO configuration. This action allows users to access the SKP using the password authentication with the SKP account.

    Note

    Skip to Step 6 if you are intending to change the SAML configuration for your new IdP.

  6. Click the Edit icon on the SSO Configuration card to modify the SAML configuration based on your new IdP.

Switch to OpenID Connect

You cannot delete a SAML SSO configuration or switch to OpenID Connect protocol once it is set up.

To delete a SAML SSO configuration or change the SSO 2.0 protocol to OpenID Connect, you must contact Syniti Support.