Troubleshooting Single Sign-On (SSO) issues
Who is this article for?Administrators investigating SSO issues.
System Setting Administrationpermissions are required.
There are several errors that may prevent the SSO authentication from working correctly. Causes and solutions will vary from provider to provider due to differences in SAML configuration.
This article walks you through the most common issues and how to resolve them.
1. Common errors
1.1. Provider side
If an error occurs on identity provider’s login page, confirm that they have the correct Qualtrax SSO URL, also known as the ACS URL.
To check this, navigate to the SAML SSO configuration on the provider's side and confirm that the URL used matches the Reply URL that appears in the Provider Settings.
If the URL is correct but the error persists, confirm that the provider has the correct Qualtrax Identifier, also known as the Entity ID.
1.2. System side
If an error occurs in Quality Management upon redirection from the provider, use Qualtrax High Logs to identify the cause. This error typically reads: "An error occurred while processing the response from your configured Single Sin On Identity Provider and has been logged. Contact your Administrator for more information."
Depending on the error within the log, the solution will be different:
- "The audience restriction [IdP Audience] doesn't match the expected audience restriction [Qualtrax Identifier/Entity ID]."
To resolve this issue, navigate to the SAML SSO configuration on the provider's side and confirm the Audience used matches the Identifier that appears oin the system.
- "The SAML recipient [IdP Recipient] doesn't match the expected recipient [Qualtrax Reply URL]."
To resolve this issue, navigate to the SAML SSO configuration on the provider's side and confirm the Recipient used matches the Identifier that appears oin the system.
- "The SAML response destination [IdP Recipient or Destination] doesn't match the expected destination [Qualtrax Reply URL]."
To resolve this issue, navigate to the SAML SSO configuration on the provider's side and confirm the Recipient and/or Destination used matches the Identifier that appears oin the system.
- "Idp request contains no attribute matching user email address in the form of
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'."
To resolve this issue, navigate to the SAML SSO configuration on the provider's side and add a custom attribute with the name "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" as the value/user field. If there is an option to include this in the SAML assertion, enable it.
2. User-specific errors
If an error occurs in Quality Management when a user attempts to access the system, use Qualtrax High Logs to identify the cause.
Depending on the error within the log, the solution will be different:
- "Unable to decrypt RelayState. Contents were either tampered with or the Identity Provider returned an invalid email attribute for the request."
To resolve this issue, navigate to the user account on the provider's side and confirm the email address used matches the email address that appears on the system.
- "Idp request email does not match user found in RelayState."
To resolve this issue, navigate to the user account on the provider's side and confirm the email address used matches the email address that appears on the system.