Issue description 

After configuring single sign-on (SSO) for ADManager Plus using an identity provider (IdP), such as Okta, Active Directory Federation Services (AD FS), Entra ID, or any SAML-compliant provider, users may encounter errors like:

• An invalid SAML response.

• The user not being found.

• Continuous redirection back to the logon page.

These issues prevent successful SSO-based logons and can block user access to the ADManager Plus portal.

Possible causes 

• A metadata mismatch between ADManager Plus and your IdP

• An incorrect Assertion Consumer Service (ACS) URL or entity ID configured in the IdP portal or ADManager Plus

• Attribute mapping issues where the IdP sends a claim that does not match the expected userPrincipalName

• Missing or mismatched certificates for signing SAML responses

• System time differences causing assertions to be rejected

• The user attempting SSO not existing in ADManager Plus

Prerequisites 

• The IdP is correctly set up to support SAML 2.0.

• You have administrative access to both ADManager Plus and the IdP portal.

• You know the ACS URL and Entity ID configured in ADManager Plus.

• The correct attribute (usually the userPrincipalName) is mapped in the IdP portal.

• System clocks are synchronized (via NTP) for both the ADManager Plus server and the IdP.

Resolution 

Step 1: Verify the SAML configuration in ADManager Plus 

1. Log on to ADManager Plus as a built-in admin.

2. Navigate to Delegation > Configuration > Logon Settings > Single Sign On.

3. Check that the ACS URL and Entity ID exactly match what your IdP expects.

4. If using manual configuration, ensure the SSO URL and certificate are correctly set.

Step 2: Confirm the IdP setup 

1. In your IdP portal (Okta, AD FS, Entra ID, etc.), verify that:

1. The ACS or recipient URL points to your ADManager Plus instance.

2. The audience or entity ID matches what is set in ADManager Plus.

3. The SAML response is configured to be signed with the correct certificate.

Step 3: Check the attribute mapping 

1. Ensure your IdP sends the correct user identifier.

2. By default, ADManager Plus expects the SAML assertion to include the userPrincipalName. If using a different attribute (like email), adjust the mapping in ADManager Plus under Delegation > Configuration > Logon Settings > Single Sign On.

Step 4: Validate the user's existence in ADManager Plus 

1. Make sure the user trying to log on via SSO exists in ADManager Plus under Delegation > Help Desk Delegation > Help Desk Technicians or as an admin.

2. If you are using group-based delegation, confirm the user is part of the delegated group and has logged on at least once (so ADManager Plus registers the user).

 Step 5: Check the certificates and signatures 

1. Make sure the IdP certificate is uploaded correctly in ADManager Plus.

2. If certificates were rotated or renewed, download the latest metadata from the IdP and upload it again to ADManager Plus.

 Tips 

• Use SAML tracing tools (like the SAML-tracer browser extension) to inspect the actual SAML response and quickly find mismatches.

• If your environment is still being tested, avoid enabling Force SAML Login in ADManager Plus (under Delegation > Configuration > Logon Settings > Single Sign On) until SSO is fully verified.

• Always download and update metadata files when certificates or SSO endpoints change on the IdP side.

How to reach support 

If the issue persists, contact our support team here.