Why is SSO not working in ADManager Plus after setting it up with my identity provider?
Issue description
After configuring SSO for ADManager Plus using an identity provider (IdP) such as Okta, OneLogin, Ping Identity, AD FS, Microsoft Entra ID, or another SAML-based provider, users are unable to log in via SSO.
They may encounter issues such as:
Invalid SAML response
User not found
Being redirected back to the login screen without being authenticated
As a result, users cannot access ADManager Plus through their centralized identity provider, which disrupts seamless access and login experience.
Possible causes
Invalid or outdated metadata: The SAML metadata in ADManager Plus or the IdP is incorrect or no longer valid.
Mismatch in ACS URL or Entity ID: The ACS URL or Entity ID in ADManager Plus does not match what's configured in the IdP.
Incorrect user attribute mapping: The IdP is sending an unexpected attribute (e.g., mail instead of userPrincipalName).
Invalid or missing certificate: The certificate used to sign SAML responses is missing, expired, or invalid.
Time synchronization issues: The system time between ADManager Plus and the IdP server is not aligned.
Force SAML login enabled too early: Force SAML Login was turned on before completing IdP setup.
User not found in ADManager Plus: The user account doesn't exist based on the attribute received in the SAML assertion.
Prerequisites
The identity provider is configured to support SAML 2.0.
You have administrative access to both ADManager Plus and the IdP portal.
The SAML metadata, ACS URL, and Entity ID have been correctly exchanged and configured in both ADManager Plus and the IdP.
The correct user attribute (e.g., userPrincipalName) is being sent by the IdP and matches the user accounts in ADManager Plus.
The system clocks on both ADManager Plus and the IdP servers are synchronized using NTP or another time service.
Resolution
Step 1: Verify SSO configuration details in ADManager Plus
Log in to ADManager Plus and navigate to Delegation > Configuration > Logon Settings > Single Sign-On.
In the SAML Config Mode section, if you are using metadata upload the latest metadata file from your identity provider.
If configuring manually, ensure all SAML endpoints are correctly entered and match those in the IdP.
Verify that the ACS/Recipient URL and Entity ID/Issuer URL in ADManager Plus exactly match the settings in your IdP.
Check that the certificate used to sign SAML responses is valid and properly uploaded. If expired, replace it with the latest certificate from your IdP.
In the Mapping Attribute field, confirm the attribute used for user identification (e.g., userPrincipalName, mail, or sAMAccountName). Make sure the IdP sends the same attribute in the SAML assertion.
Use tools like a SAML tracer browser extension or your IdP’s test tools to inspect the SAML response and validate the attribute mapping.
Step 2: Review settings in the IdP
Log in to your IdP's admin portal.
Confirm that the ACS URL correctly points to your ADManager Plus server.
Verify that the Audience or Entity ID exactly matches the value configured in ADManager Plus.
Ensure the SAML response is signed using the correct and valid certificate.
Step 3: Confirm user presence and system time
Ensure the user exists in ADManager Plus and matches the attribute (e.g., userPrincipalName, mail) sent by the IdP.
Verify that the system time on the ADManager Plus server and the IdP are synchronized. A time difference of more than five minutes can lead to SAML authentication failures.
Tips
Keep Force SAML Login disabled until the entire SSO setup is tested and confirmed to avoid being locked out of the application.
Use the SAML testing tools provided by your IdP to simulate logins and verify the attributes being sent.
After updating certificates or SAML endpoints, always exchange and apply the latest metadata files between the IdP and ADManager Plus.
Start testing SSO with a single, known user whose mapped attribute (like userPrincipalName) is distinct and easy to verify.
How to reach support
If the issue persists, contact our support team here.
New to ADSelfService Plus?
Related Articles
How to enable SSO in ADManager Plus
ADManager Plus offers a built-in option to configure Active-Directory-based SSO to access or log in to it. This SSO option supports both NTLMv2- and SAML-based authentication. Steps to configure SSO to log in to ADManager Plus Click the Delegation ...SSO setup in ADManager Plus fails with errors after authentication
Issue description After configuring single sign-on (SSO) for ADManager Plus using an identity provider (IdP), such as Okta, Active Directory Federation Services (AD FS), Entra ID, or any SAML-compliant provider, users may encounter errors like: An ...How do I configure Okta SSO using ADManager Plus?
Objective This article explains how to integrate Okta with ADManager Plus using SAML 2.0 to enable secure SSO. This integration allows users to log in to ADManager Plus using their Okta credentials, streamline access, improve authentication security, ...Duplicate SSO login attribute causing SAML error in ADManager Plus
Issue description When attempting to log in to ADManager Plus using SAML authentication, users may encounter the following error: Login failed. The SSO login attribute value "user@example.com" is not unique within the domains configured in ADManager ...Error: Sorry, an error occurred in SAML Login during SSO redirection from ADManager Plus to the IdP
Issue description When attempting to log in to ADManager Plus using SAML Single Sign-On (SSO), users may encounter the following error message: "Sorry, an error occurred in SAML Login" ; "Please check the SAML Authentication configuration". This ...