Single Sign-On (SSO) means that one centrally controlled identity can be used to access multiple third-party applications. This type of authentication allows users in your organisation to rely on your own internal authentication system, such as your email provider, and seamlessly access all the different business systems in your environment with that single login.
As with any system login, there will be times when users are unable to log in. The guide below explains how your single sign-on works and what to check when a user reports being unable to log in.
This article covers:
- What to do when a user reports an inability to log in?
- Email Addresses are case sensitive
- X.509 Certificate Requires Updating
- Reporting SSO issues to your IT department
What to do when a user reports an inability to log in?
If your organisation has decided to use SSO, employees can use multiple systems without having to remember numerous passwords. However, if an end-user signing in with SSO reports being presented with the message 'These credentials do not match our records.', the steps below are designed to help you troubleshoot the issue.
- Confirm the employee is attempting to sign in to the correct URL. All tenants will be named https://yourorganizationname.intellihr.net.
- Confirm the login details (username and password) the user is trying to log in with.
- Navigate to the employee's Profile >> User Account
- Confirm the username matches what is reported by the employee
- Confirm that this employee's user account matches the format of other employees who are able to log in, e.g. is the username in the same format? Is there anything recorded in the SSO ID field?
- Following completion of the above, if the employee is still unable to log in, please contact your IT department and use the information provided below to allow them to investigate.
Email Addresses are case sensitive
X.509 Certificate Requires Updating
The X.509 certificate that needs to be entered in Settings >> Single Sign-On >> Create SSO IdP needs to look like the image below.
To check that your X.509 certificate is correct, there are a number of online checkers, such as the two provided below.
If the sites above are unable to decode the certificate, then the details on the certificate may need to be revised.
Reporting SSO issues to your IT department
The ability to log in to intelliHR using SSO relies on the data held on the employee's user account on intelliHR matching what is recorded in your organization's identity provider, or IdP (common identity providers). The intelliHR support team has no access to your IdP; therefore, you will need to ask your IT team to check what is set at their end. The email outline below is a template so that you can provide as much information as possible to your IT team to investigate any potential mismatches between what is held on intelliHR and what is held on your IdP.
The employee [name of employee] is currently unable to log in to intelliHR using their SSO credentials.
To assist, please see below the matching rules employed by intelliHR.
- If there is an intelliHR user account with an SSO ID configured that matches the incoming NameID.
- If there is an intelliHR user account with a Primary Email Address that matches the incoming NameID.
- If there is an intelliHR user account with the Username that matches the incoming NameID.
- If there is an intelliHR user account with the Employee Number that matches the incoming NameID.
- If intelliHR cannot find a match for any of these four values, an error is shown to the user, i.e. 'These credentials do not match our records.'
- There is no SSO ID configured for the employee/The SSO ID is [insert SSO ID on intelliHR]
- The employee's primary email address is [insert primary email address]
- The employee's username is [insert employee username]
- The employee's Employee Number is [insert employee number/intelliHR ID]
Please confirm the NameID held by our IdP matches one of the above values.
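The matching rules listed in the template above can be reproduced offline to see why a given NameID fails. The following is an added example, not intelliHR's code: the field names and sample accounts are constructed, and it assumes the four values are tried in the listed order with an exact, case-sensitive comparison.

```python
from dataclasses import dataclass
from typing import Optional

# Checked against the incoming NameID in the article's order; names are hypothetical.
MATCH_FIELDS = ("sso_id", "primary_email", "username", "employee_number")

@dataclass
class UserAccount:
    name: str
    sso_id: Optional[str] = None
    primary_email: Optional[str] = None
    username: Optional[str] = None
    employee_number: Optional[str] = None

def match_name_id(name_id, accounts):
    """Return (account, field) for the first exact match, else None."""
    for field in MATCH_FIELDS:
        for acct in accounts:
            if getattr(acct, field) == name_id:  # assumed exact, case-sensitive
                return acct, field
    return None

def near_misses(name_id, accounts):
    """Values that differ from the NameID only by case or surrounding whitespace."""
    folded = name_id.strip().casefold()
    return [(a.name, f, v) for a in accounts for f in MATCH_FIELDS
            if (v := getattr(a, f)) is not None and v != name_id
            and v.strip().casefold() == folded]

def diagnose(name_id, accounts):
    """Summarise the outcome for a reply to the template email."""
    found = match_name_id(name_id, accounts)
    if found:
        return f"match: {found[0].name} via {found[1]}"
    misses = near_misses(name_id, accounts)
    if misses:
        who, field, value = misses[0]
        return f"no match: {who}.{field} is {value!r}, NameID is {name_id!r}"
    return "no match: These credentials do not match our records."

# Constructed sample data, not real accounts.
ACCOUNTS = [
    UserAccount("Jane Doe", None, "Jane.Doe@example.com", "jdoe", "1001"),
    UserAccount("Sam Lee", "sam-sso-01", "sam.lee@example.com", "slee", "1002"),
]

if __name__ == "__main__":
    for nid in ("sam-sso-01", "jane.doe@example.com", "1001", "unknown@example.com"):
        print(nid, "->", diagnose(nid, ACCOUNTS))
```

A near miss reported here (for example a NameID that differs from the stored email only in letter case) points to a value to correct on either the IdP or the intelliHR user account.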