SSO setup in ADManager Plus fails with errors after authentication


Issue description 

After configuring single sign-on (SSO) for ADManager Plus using an identity provider (IdP), such as Okta, Active Directory Federation Services (AD FS), Entra ID, or any SAML-compliant provider, users may encounter errors such as:

  • An invalid SAML response.

  • The user not being found.

  • Continuous redirection back to the logon page.

These issues prevent successful SSO-based logons and can block user access to the ADManager Plus portal.

Possible causes 

  • A metadata mismatch between ADManager Plus and your IdP

  • An incorrect Assertion Consumer Service (ACS) URL or entity ID configured in the IdP portal or ADManager Plus

  • Attribute mapping issues where the IdP sends a claim that does not match the expected userPrincipalName

  • Missing or mismatched certificates for signing SAML responses

  • System time differences causing assertions to be rejected

  • No matching account in ADManager Plus for the user attempting SSO

Prerequisites 

  • The IdP is correctly set up to support SAML 2.0.

  • You have administrative access to both ADManager Plus and the IdP portal.

  • You know the ACS URL and Entity ID configured in ADManager Plus.

  • The correct attribute (usually the userPrincipalName) is mapped in the IdP portal.

  • System clocks are synchronized (via NTP) for both the ADManager Plus server and the IdP.

Resolution 

Step 1: Verify the SAML configuration in ADManager Plus 

  1. Log on to ADManager Plus as a built-in admin.

  2. Navigate to Delegation > Configuration > Logon Settings > Single Sign On.

  3. Check that the ACS URL and Entity ID exactly match what your IdP expects.

  4. If using manual configuration, ensure the SSO URL and certificate are correctly set.

Step 2: Confirm the IdP setup 

  1. In your IdP portal (Okta, AD FS, Entra ID, etc.), verify that:

    1. The ACS or recipient URL points to your ADManager Plus instance.

    2. The audience or entity ID matches what is set in ADManager Plus.

    3. The SAML response is configured to be signed with the correct certificate.

Step 3: Check the attribute mapping 

  1. Ensure your IdP sends the correct user identifier.

  2. By default, ADManager Plus expects the SAML assertion to include the userPrincipalName. If using a different attribute (like email), adjust the mapping in ADManager Plus under Delegation > Configuration > Logon Settings > Single Sign On.

Step 4: Validate the user's existence in ADManager Plus 

  1. Make sure the user trying to log on via SSO exists in ADManager Plus under Delegation > Help Desk Delegation > Help Desk Technicians or as an admin.

  2. If you are using group-based delegation, confirm the user is part of the delegated group and has logged on at least once (so ADManager Plus registers the user).

Step 5: Check the certificates and signatures

  1. Make sure the IdP certificate is uploaded correctly in ADManager Plus.

  2. If certificates were rotated or renewed, download the latest metadata from the IdP and upload it again to ADManager Plus.

Tips

  • Use SAML tracing tools (like the SAML-tracer browser extension) to inspect the actual SAML response and quickly find mismatches.

  • If your environment is still being tested, avoid enabling Force SAML Login in ADManager Plus (under Delegation > Configuration > Logon Settings > Single Sign On) until SSO is fully verified.

  • Always download and update metadata files when certificates or SSO endpoints change on the IdP side.
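As an added example (not ManageEngine's code), the following Python script applies the checks behind the causes listed above to a decoded SAML response copied from a tracer: the Destination against the ACS URL, the Audience against the entity ID, signature presence, the assertion validity window with a clock-skew allowance, and the presence of the login attribute. The SP URLs, the attribute names and the sample response are constructed placeholders, not values from a real ADManager Plus instance.

```python
"""Offline check of a decoded SAML Response against the SP settings. Added example, not ManageEngine code; URLs are placeholders."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def check_saml_response(xml_text, acs_url, entity_id, login_attr="userPrincipalName",
                        now=None, skew=timedelta(minutes=3)):
    """Return one finding per cause from the list above; [] means every check passed."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    findings, resp = [], ET.fromstring(xml_text)
    if resp.get("Destination") != acs_url:                       # ACS URL mismatch
        findings.append(f"Destination {resp.get('Destination')!r} != ACS URL {acs_url!r}")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext <saml:Assertion> in the response"]
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:                               # entity ID mismatch
        findings.append(f"Audience {audiences} lacks entity ID {entity_id!r}")
    if resp.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither the Response nor the Assertion is signed")  # presence only; the SP verifies it
    cond = assertion.find("saml:Conditions", NS)
    nb, na = (_ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))) if cond is not None else (None, None)
    if nb and now + skew < nb:                                   # clock skew, either direction
        findings.append(f"assertion not yet valid (NotBefore {nb.isoformat()}); check NTP")
    if na and now - skew >= na:
        findings.append(f"assertion expired (NotOnOrAfter {na.isoformat()}); check NTP")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in assertion.iterfind(".//saml:Attribute", NS)}
    if not attrs.get(login_attr):                                # attribute mapping
        findings.append(f"attribute {login_attr!r} missing; IdP sent {sorted(attrs)}")
    return findings

# Placeholder SP settings and a constructed response: the IdP sends 'email' rather than
# userPrincipalName, and the assertion has already expired.
ACS_URL, ENTITY_ID = "https://admp.example.com:8080/saml/acs", "https://admp.example.com:8080"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{ACS_URL}"><saml:Assertion><ds:Signature/>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions><saml:AttributeStatement><saml:Attribute Name="email">
   <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE, ACS_URL, ENTITY_ID, now="2024-05-01T10:30:00Z"):
        print("MISMATCH:", finding)
```

Paste the base64-decoded response from the tracer in place of SAMPLE and pass the ACS URL and entity ID shown under Single Sign On in ADManager Plus; each finding points at one of the causes above.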

How to reach support 

If the issue persists, contact our support team here.
