After configuring SSO for ADManager Plus using an identity provider (IdP) such as Okta, OneLogin, Ping Identity, AD FS, Microsoft Entra ID, or another SAML-based provider, users are unable to log in via SSO.
They may encounter issues such as:
Invalid SAML response
User not found
Being redirected back to the login screen without being authenticated
As a result, users cannot access ADManager Plus through their centralized identity provider, disrupting access and the login experience.
Common causes include:
Invalid or outdated metadata: The SAML metadata in ADManager Plus or the IdP is incorrect or no longer valid.
Mismatch in ACS URL or Entity ID: The ACS URL or Entity ID in ADManager Plus does not match what's configured in the IdP.
Incorrect user attribute mapping: The IdP is sending an unexpected attribute (e.g., mail instead of userPrincipalName).
Invalid or missing certificate: The certificate used to sign SAML responses is missing, expired, or invalid.
Time synchronization issues: The system time between ADManager Plus and the IdP server is not aligned.
Force SAML login enabled too early: Force SAML Login was turned on before completing IdP setup.
User not found in ADManager Plus: The user account doesn't exist based on the attribute received in the SAML assertion.
Before troubleshooting, confirm the following prerequisites:
The identity provider is configured to support SAML 2.0.
You have administrative access to both ADManager Plus and the IdP portal.
The SAML metadata, ACS URL, and Entity ID have been correctly exchanged and configured in both ADManager Plus and the IdP.
The correct user attribute (e.g., userPrincipalName) is being sent by the IdP and matches the user accounts in ADManager Plus.
The system clocks on both ADManager Plus and the IdP servers are synchronized using NTP or another time service.
To resolve the issue, first check the configuration on the ADManager Plus side:
Log in to ADManager Plus and navigate to Delegation > Configuration > Logon Settings > Single Sign-On.
In the SAML Config Mode section, if you are using metadata, upload the latest metadata file from your identity provider.
If configuring manually, ensure all SAML endpoints are correctly entered and match those in the IdP.
Verify that the ACS/Recipient URL and Entity ID/Issuer URL in ADManager Plus exactly match the settings in your IdP.
Check that the certificate used to sign SAML responses is valid and properly uploaded. If expired, replace it with the latest certificate from your IdP.
In the Mapping Attribute field, confirm the attribute used for user identification (e.g., userPrincipalName, mail, or sAMAccountName). Make sure the IdP sends the same attribute in the SAML assertion.
Use tools like a SAML tracer browser extension or your IdP’s test tools to inspect the SAML response and validate the attribute mapping.
Log in to your IdP's admin portal.
Confirm that the ACS URL correctly points to your ADManager Plus server.
Verify that the Audience or Entity ID exactly matches the value configured in ADManager Plus.
Ensure the SAML response is signed using the correct and valid certificate.
Ensure the user exists in ADManager Plus and matches the attribute (e.g., userPrincipalName, mail) sent by the IdP.
Verify that the system time on the ADManager Plus server and the IdP are synchronized. A time difference of more than five minutes can lead to SAML authentication failures.
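To check a response captured with a SAML tracer against the settings above, here is an added example (not ManageEngine code) that parses the response and reports one finding per item on the cause list: ACS URL, Entity ID, missing signature, clock skew beyond five minutes, and a missing mapping attribute. The ACS URL, Entity ID and the sample response are constructed placeholders, and the signature is only checked for presence, not cryptographically verified.

```python
"""Offline check of a captured SAML response against the ADManager Plus SSO settings. Added example,
not ManageEngine code; the ACS URL, Entity ID and sample response below are constructed placeholders."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
def _ts(value):  # SAML timestamps are UTC with a trailing Z, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def check_saml_response(xml_text, acs_url, entity_id, mapping_attr, now=None, skew=timedelta(minutes=5)):
    """Return one finding per mismatch from the cause list above; an empty list means the response is
    consistent with the configuration (the XML signature itself is not cryptographically verified)."""
    now, root, findings = now or datetime.now(timezone.utc), ET.fromstring(xml_text), []
    # ACS/Recipient URL: the IdP writes it to Response/@Destination and SubjectConfirmationData/@Recipient
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    for label, seen in (("Destination", root.get("Destination")),
                        ("Recipient", scd.get("Recipient") if scd is not None else None)):
        if seen != acs_url:
            findings.append(f"ACS URL mismatch: {label}={seen!r}, ADManager Plus expects {acs_url!r}")
    # Entity ID/Issuer URL of ADManager Plus must be listed as an Audience
    audiences = [(a.text or "").strip() for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"Entity ID mismatch: Audience={audiences}, expected {entity_id!r}")
    # An unsigned response cannot be validated against the certificate uploaded in ADManager Plus
    if root.find(".//ds:Signature", NS) is None:
        findings.append("No XML Signature on the response or assertion; check the IdP signing certificate")
    # Clock skew: the Conditions window, widened by the five-minute tolerance mentioned above
    cond = root.find(".//saml:Conditions", NS)
    nb, noa = (_ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))) if cond is not None else (None, None)
    if (nb and now < nb - skew) or (noa and now >= noa + skew):
        findings.append(f"Server time {now.isoformat()} outside assertion window {nb}..{noa} (+/- {skew})")
    # Mapping Attribute: the assertion must carry the attribute ADManager Plus looks the user up by
    sent = sorted(a.get("Name") for a in root.findall(".//saml:Attribute", NS))
    if mapping_attr not in sent:
        findings.append(f"Mapping attribute {mapping_attr!r} missing; IdP sent {sent}")
    return findings

# Constructed sample: ACS and Audience correct, but unsigned and carrying mail instead of userPrincipalName
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://admp.example.com/acs"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="https://admp.example.com/acs"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"><saml:AudienceRestriction>
<saml:Audience>https://admp.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def demo():  # simulated ADManager Plus server time of 10:02 UTC, inside the Conditions window
    return check_saml_response(SAMPLE_RESPONSE, "https://admp.example.com/acs", "https://admp.example.com",
                               "userPrincipalName", now=datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc))
```

Paste the decoded response from the tracer in place of the sample and use the values shown on the Single Sign-On page; the two findings the sample produces correspond to the certificate and attribute mapping causes above.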
Keep Force SAML Login disabled until the entire SSO setup is tested and confirmed to avoid being locked out of the application.
Use the SAML testing tools provided by your IdP to simulate logins and verify the attributes being sent.
After updating certificates or SAML endpoints, always exchange and apply the latest metadata files between the IdP and ADManager Plus.
Start testing SSO with a single, known user whose mapped attribute (like userPrincipalName) is distinct and easy to verify.
If the issue persists, contact our support team.