Troubleshooting SSO Issues
Common SSO Problems
SAML Assertion Errors
Symptom: "SAML assertion validation failed"
Solutions:
- Verify the ACS URL matches exactly (including trailing slashes)
- Check clock skew between your IdP and SureStage (must be < 5 minutes)
- Ensure the IdP certificate hasn't expired
- Verify attribute mapping includes email (required)
User Not Provisioned
Symptom: SSO login succeeds but "user not found in organization"
Solutions:
- Verify the user's email in the IdP matches their SureStage email
- Check if just-in-time provisioning is enabled
- If using SCIM, verify the provisioning sync is active
- Manually invite the user first; they can then use SSO
SSO Enforcement Lockout
Symptom: Admin locked out after enabling SSO enforcement
Solutions:
- Contact SureStage support for emergency access
- Use the backup admin email (set during SSO configuration)
- Access the API directly with an existing API key to disable enforcement
Diagnostic Checklist
- IdP metadata URL is accessible from SureStage
- ACS URL and Entity ID match exactly
- Required attributes (email) are mapped
- IdP certificate is valid and not expired
- User exists in both IdP and SureStage with matching email
- Clock skew is less than 5 minutes
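
The ACS URL, clock skew and email attribute items above can be checked against a captured SAML response with a short script. This is an added example, not SureStage code. The host `sp.example.test`, the attribute name `email`, the function names, and treating the 5-minute limit as a tolerance on the assertion's validity window are all assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_SKEW = timedelta(minutes=5)   # limit from the checklist
EMAIL_ATTR = "email"              # assumed attribute name; adjust to your mapping

# Constructed sample response, not real IdP or SureStage output.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.test/sso/acs/">
 <a:Assertion>
  <a:Conditions NotBefore="2024-05-01T12:00:00Z"
                NotOnOrAfter="2024-05-01T12:05:00Z"/>
  <a:AttributeStatement>
   <a:Attribute Name="displayName"><a:AttributeValue>Pat</a:AttributeValue></a:Attribute>
  </a:AttributeStatement>
 </a:Assertion>
</p:Response>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(xml_text, expected_acs, now):
    """Return checklist failures. Diagnostic only: no signature verification."""
    root = ET.fromstring(xml_text)
    problems = []
    dest = root.get("Destination") or ""
    if dest != expected_acs:  # exact string comparison, as the checklist requires
        slash = dest.rstrip("/") == expected_acs.rstrip("/")
        problems.append("ACS URL mismatch" + (" (trailing slash)" if slash else ""))
    cond = root.find("a:Assertion/a:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb) - MAX_SKEW:
            problems.append("not yet valid (clock skew)")
        if noa and now >= _ts(noa) + MAX_SKEW:
            problems.append("expired (clock skew)")
    emails = [v.text for a in root.iterfind(".//a:Attribute", NS)
              if a.get("Name") == EMAIL_ATTR
              for v in a.iterfind("a:AttributeValue", NS) if (v.text or "").strip()]
    if not emails:
        problems.append("email attribute missing")
    return problems

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 12, tzinfo=timezone.utc)
    print(diagnose(SAMPLE, "https://sp.example.test/sso/acs", now))
```

Pass `now` as the time the response was received, in UTC, so the skew check reflects the moment of the failed login rather than the time of the analysis.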