After configuring single sign-on (SSO) for ADManager Plus using an identity provider (IdP) such as Okta, Active Directory Federation Services (AD FS), Entra ID, or any other SAML-compliant provider, users may encounter errors such as:
- An invalid SAML response.
- The user not being found.
- Continuous redirection back to the logon page.
These issues prevent successful SSO-based logons and can block user access to the ADManager Plus portal.
Common causes of these errors include:
- A metadata mismatch between ADManager Plus and your IdP.
- An incorrect Assertion Consumer Service (ACS) URL or entity ID configured in the IdP portal or in ADManager Plus.
- Attribute mapping issues, where the IdP sends a claim that does not match the expected userPrincipalName.
- Missing or mismatched certificates for signing SAML responses.
- System time differences between the ADManager Plus server and the IdP, causing assertions to be rejected.
- The user attempting SSO does not exist in ADManager Plus.
Before troubleshooting, confirm that:
- The IdP is correctly set up to support SAML 2.0.
- You have administrative access to both ADManager Plus and the IdP portal.
- You know the ACS URL and Entity ID configured in ADManager Plus.
- The correct attribute (usually userPrincipalName) is mapped in the IdP portal.
- System clocks are synchronized (via NTP) on both the ADManager Plus server and the IdP.
Then work through the following checks:
1. Verify the SSO configuration in ADManager Plus:
   - Log on to ADManager Plus as a built-in admin.
   - Navigate to Delegation > Configuration > Logon Settings > Single Sign On.
   - Check that the ACS URL and Entity ID exactly match what your IdP expects.
   - If you are using manual configuration, ensure the SSO URL and certificate are set correctly.
2. Verify the configuration in your IdP portal (Okta, AD FS, Entra ID, etc.):
   - The ACS or recipient URL points to your ADManager Plus instance.
   - The audience or entity ID matches what is set in ADManager Plus.
   - The SAML response is configured to be signed with the correct certificate.
3. Ensure your IdP sends the correct user identifier. By default, ADManager Plus expects the SAML assertion to include the userPrincipalName. If you use a different attribute (such as email), adjust the mapping in ADManager Plus under Delegation > Configuration > Logon Settings > Single Sign On.
4. Make sure the user trying to log on via SSO exists in ADManager Plus, either under Delegation > Help Desk Delegation > Help Desk Technicians or as an admin. If you are using group-based delegation, confirm that the user is a member of the delegated group and has logged on at least once, so that ADManager Plus registers the user.
5. Make sure the IdP certificate is uploaded correctly in ADManager Plus. If certificates were rotated or renewed, download the latest metadata from the IdP and upload it to ADManager Plus again.
Additional tips:
- Use a SAML tracing tool (such as the SAML-tracer browser extension) to inspect the actual SAML response and quickly spot mismatches.
- While your environment is still being tested, avoid enabling Force SAML Login in ADManager Plus (under Delegation > Configuration > Logon Settings > Single Sign On) until SSO is fully verified.
- Always download and update the metadata files when certificates or SSO endpoints change on the IdP side.
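As an added example (not part of this article and not ADManager Plus code), the following Python script runs the mismatch checks described above against a SAML response captured with a tracing tool: Destination against the ACS URL, Audience against the Entity ID, presence of a signature element, the NotBefore/NotOnOrAfter validity window (clock skew), and presence of the userPrincipalName attribute. The ACS URL, Entity ID and the SAML response are constructed placeholders; the script compares field values only and does not cryptographically verify the XML signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders: use the ACS URL and Entity ID shown on the Single Sign On page.
EXPECTED_ACS = "https://admp.example.com/saml/acs-placeholder"
EXPECTED_ENTITY_ID = "https://admp.example.com/entity-placeholder"

# Constructed sample response (not a real IdP capture); the Audience is deliberately wrong.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://admp.example.com/saml/acs-placeholder"><ds:Signature/>
 <saml:Assertion><saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
 <saml:AudienceRestriction><saml:Audience>https://idp.example.com/wrong</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions><saml:AttributeStatement><saml:Attribute Name="userPrincipalName">
 <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing Z, which fromisoformat needs as +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, expected_acs, expected_entity_id,
                        id_attribute="userPrincipalName", now_iso=None):
    """Return a list of mismatch descriptions; an empty list means every check passed.
    Field checks only: the XML signature is not cryptographically verified here."""
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != expected_acs:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {expected_acs!r}")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_entity_id not in audiences:
        findings.append(f"Audience {audiences} does not include entity ID {expected_entity_id!r}")
    if root.find(".//ds:Signature", NS) is None:
        findings.append("no ds:Signature element: the response is unsigned")
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None and not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        findings.append(f"assertion validity window excludes {now.isoformat()} (check NTP on both sides)")
    sent = sorted(a.get("Name") for a in root.iterfind(".//saml:Attribute", NS))
    if id_attribute not in sent:
        findings.append(f"assertion lacks {id_attribute!r} attribute; attributes sent: {sent}")
    return findings

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, EXPECTED_ACS, EXPECTED_ENTITY_ID, now_iso="2024-01-01T00:01:00Z"))
```

Paste the Response element copied from the tracer into SAMPLE_RESPONSE, set the two placeholders to your real values, and leave now_iso unset so the validity window is checked against the current clock.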
If the issue persists, contact our support team.