Why is SSO not working in ADManager Plus after setting it up with my identity provider?


Issue description 

After configuring SSO for ADManager Plus using an identity provider (IdP) such as Okta, OneLogin, Ping Identity, AD FS, Microsoft Entra ID, or another SAML-based provider, users are unable to log in via SSO.

They may encounter issues such as:

  • Invalid SAML response

  • User not found

  • Being redirected back to the login screen without being authenticated

As a result, users cannot access ADManager Plus through their centralized identity provider, which disrupts access and the login experience.

Possible causes 

  1. Invalid or outdated metadata: The SAML metadata in ADManager Plus or the IdP is incorrect or no longer valid.

  2. Mismatch in ACS URL or Entity ID: The ACS URL or Entity ID in ADManager Plus does not match what's configured in the IdP.

  3. Incorrect user attribute mapping: The IdP is sending an unexpected attribute (e.g., mail instead of userPrincipalName).

  4. Invalid or missing certificate: The certificate used to sign SAML responses is missing, expired, or invalid.

  5. Time synchronization issues: The system time between ADManager Plus and the IdP server is not aligned.

  6. Force SAML login enabled too early: Force SAML Login was turned on before completing IdP setup.

  7. User not found in ADManager Plus: The user account doesn't exist based on the attribute received in the SAML assertion.

Prerequisites 

  • The identity provider is configured to support SAML 2.0.

  • You have administrative access to both ADManager Plus and the IdP portal.

  • The SAML metadata, ACS URL, and Entity ID have been correctly exchanged and configured in both ADManager Plus and the IdP.

  • The correct user attribute (e.g., userPrincipalName) is being sent by the IdP and matches the user accounts in ADManager Plus.

  • The system clocks on both ADManager Plus and the IdP servers are synchronized using NTP or another time service.

Resolution 

Step 1: Verify SSO configuration details in ADManager Plus

  1. Log in to ADManager Plus and navigate to Delegation > Configuration > Logon Settings > Single Sign-On.

  2. In the SAML Config Mode section, if you are using metadata, upload the latest metadata file from your identity provider.

  3. If configuring manually, ensure all SAML endpoints are correctly entered and match those in the IdP.

  4. Verify that the ACS/Recipient URL and Entity ID/Issuer URL in ADManager Plus exactly match the settings in your IdP.

  5. Check that the certificate used to sign SAML responses is valid and properly uploaded. If expired, replace it with the latest certificate from your IdP.

  6. In the Mapping Attribute field, confirm the attribute used for user identification (e.g., userPrincipalName, mail, or sAMAccountName). Make sure the IdP sends the same attribute in the SAML assertion.

  7. Use tools like a SAML tracer browser extension or your IdP’s test tools to inspect the SAML response and validate the attribute mapping.

Step 2: Review settings in the IdP

  1. Log in to your IdP's admin portal.

  2. Confirm that the ACS URL correctly points to your ADManager Plus server.

  3. Verify that the Audience or Entity ID exactly matches the value configured in ADManager Plus.

  4. Ensure the SAML response is signed using the correct and valid certificate.

Step 3: Confirm user presence and system time

  1. Ensure the user exists in ADManager Plus and matches the attribute (e.g., userPrincipalName, mail) sent by the IdP.

  2. Verify that the system time on the ADManager Plus server and the IdP are synchronized. A time difference of more than five minutes can lead to SAML authentication failures.
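The checks in Step 1 (ACS URL, Entity ID, signing certificate, mapping attribute) and Step 3 (clock skew) can be applied to a SAML response captured with a SAML tracer. The following script is an added example, not part of this article or of ADManager Plus; the sample response, the placeholder ACS and Entity ID URLs, and the timestamps are constructed, and the script only checks that a signature element is present rather than cryptographically verifying it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(value):  # SAML timestamps are ISO 8601 in UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, acs_url, entity_id, mapping_attribute,
                        now=None, max_skew=timedelta(minutes=5)):
    """Return a list of findings; an empty list means every check passed."""
    now = _ts(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    findings = []
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in the response; the IdP probably returned an error status"]
    if resp.get("Destination") != acs_url:  # cause 2: ACS URL mismatch
        findings.append(f"ACS URL mismatch: Destination={resp.get('Destination')!r}")
    aud = assertion.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != entity_id:  # cause 2: Entity ID mismatch
        findings.append(f"Entity ID mismatch: Audience={getattr(aud, 'text', None)!r}")
    if assertion.find("ds:Signature", NS) is None and resp.find("ds:Signature", NS) is None:
        findings.append("no XML signature on the Response or the Assertion")  # cause 4
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:  # cause 5: clock skew beyond the tolerated window
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + max_skew < _ts(nb):
            findings.append(f"assertion not yet valid (NotBefore={nb}); check clock sync")
        if noa and now - max_skew >= _ts(noa):
            findings.append(f"assertion expired (NotOnOrAfter={noa}); check clock sync")
    sent = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    if mapping_attribute not in sent:  # cause 3: attribute mapping mismatch
        findings.append(f"mapping attribute {mapping_attribute!r} not sent; IdP sent {sorted(sent)}")
    return findings

# Constructed sample, not a real capture: the IdP sends "mail" only, the
# assertion is valid 10:00-10:05 UTC on 2024-01-01, and the URLs are placeholders.
ACS, ENTITY = "https://admp.example.com/ACS-PLACEHOLDER", "https://admp.example.com/ENTITY-ID-PLACEHOLDER"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" Destination="{ACS}"><saml:Assertion><ds:Signature/>
 <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>{ENTITY}</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions><saml:AttributeStatement><saml:Attribute Name="mail">
  <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Calling `check_saml_response(SAMPLE, ACS, ENTITY, "userPrincipalName", now="2024-01-01T10:12:00Z")` reports both an expired assertion and a missing userPrincipalName attribute; passing `now` as the time the response was captured lets you replay a trace after the fact.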

Tips 

  • Keep Force SAML Login disabled until the entire SSO setup is tested and confirmed to avoid being locked out of the application.

  • Use the SAML testing tools provided by your IdP to simulate logins and verify the attributes being sent.

  • After updating certificates or SAML endpoints, always exchange and apply the latest metadata files between the IdP and ADManager Plus.

  • Start testing SSO with a single, known user whose mapped attribute (like userPrincipalName) is distinct and easy to verify.

How to reach support 

If the issue persists, contact our support team here.
