Troubleshooting
You can find SSO logs in the Admin Console in Settings → General → SSO Logs. These logs often contain information which will help you resolve the issue.
If you continue to have issues configuring SSO, please contact our Support team by clicking the Support bubble in the bottom-right of this page. Where applicable, please include your instance URL, SSO method, IdP, and any other relevant information in your message.
- Your Token Signing Certificate must be DER or PEM encoded. This encoding usually produces a certificate file with a .DER, .CRT, or .CER extension. If you have a .KEY certificate, this will not work and you will need to convert it.
Note: You may need to connect the UserVoice support agent with your IdP Admin to help you resolve the issue, but the support agent will let you know if that’s required.
Common errors
Error Message | Explanation | Action |
---|---|---|
Invalid Resource | The client has requested access to a resource which is not listed in the requested permissions in the client’s application registration. | Remove trailing slashes (‘/’) from URLs in your Microsoft Entra ID (formerly Azure Active Directory) UserVoice application Single sign-on → Basic SAML Configuration settings. |
Fingerprint mismatch | The certificate used to sign a SAML assertion did not match the uploaded certificate. | Make sure you uploaded the correct certificate. If the error persists, create a new signing certificate in Entra ID and try again. |
Current time is on or after NotOnOrAfter condition | The SAML assertion has a NotOnOrAfter timestamp that is earlier than the clock of the SP (UserVoice). | Ensure the time and timezone settings are accurate in your Identity Provider. Also, make sure the SAML assertion is fresh and that the NotOnOrAfter timestamp is not set too soon. |
Current time is earlier than NotBefore condition | The SAML assertion has a NotBefore timestamp that is later than the clock of the SP (UserVoice). | Ensure the time and timezone settings are accurate in your Identity Provider and also make sure the NotBefore timestamp is not set in the future. |
SAML Remote endpoint not set | The SSO Remote Sign-In URL is not configured. | Set the SAML sign-in URL of your Identity Provider as explained in step 2. |
SAML certificate fingerprint not set | The SAML token signing certificate fingerprint is not set. | Upload the token signing certificate of your Identity Provider as explained in step 2. |
Invalid Signature on SAML Response | The signature/entity ID does not match the expected value or is not present. | Verify that the Identifier and EntityID values are correct. Check that you are sending the signature along with the assertion (signed SAML Assertion). Double-check that the signature/signing certificate matches the fingerprint/certificate you uploaded into UserVoice. Make sure you are using a Token Signing certificate. |
Azure IdP Sign-out Error: AADSTS750054 "Sorry we're having trouble signing you in." | The sign-out URL is the same as the login URL which expects single sign-out to be implemented. UserVoice is not compatible with single sign-out. | You must use the federated sign out URL instead. Set the following as your SSO remote sign-out URL, https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 |
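
To diagnose the two timestamp errors in the table above, you can read the Conditions window out of a decoded assertion and compare it with the SP clock. The script below is an added example, not UserVoice code. The sample assertion is constructed, the function names are hypothetical, and the `skew` tolerance is an assumption (UserVoice's actual tolerance is not documented here).

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not real IdP output).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML xs:dateTime; fractional seconds are dropped, UTC assumed."""
    value = re.sub(r"\.\d+", "", value.strip()).replace("Z", "+00:00")
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def read_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) as datetimes, None where absent."""
    # Diagnostic only: reads timestamps, does not verify the signature.
    cond = ET.fromstring(assertion_xml).find(".//saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no <Conditions> element")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    return (parse_ts(nb) if nb else None, parse_ts(noa) if noa else None)


def check_conditions(assertion_xml, sp_now, skew=timedelta(0)):
    """Name the SSO-log error that SP clock `sp_now` would produce, or 'ok'."""
    nb, noa = read_window(assertion_xml)
    if nb and sp_now + skew < nb:
        return "Current time is earlier than NotBefore condition"
    if noa and sp_now - skew >= noa:
        return "Current time is on or after NotOnOrAfter condition"
    return "ok"


if __name__ == "__main__":
    nb, noa = read_window(SAMPLE)
    print("validity window:", noa - nb)
    for hhmmss in ("11:59:30", "12:02:00", "12:05:00"):
        now = datetime.fromisoformat(f"2024-05-01T{hhmmss}+00:00")
        print(hhmmss, "->", check_conditions(SAMPLE, now))
```

A validity window of only a few minutes combined with a NotBefore error points to IdP clock drift rather than a configuration problem in the assertion itself.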