SSO FAQ & Troubleshooting Guide

Important

This page contains information for legacy Threat Stack customers who log into Distributed Cloud AIP using app.threatstack.com. If you log into Distributed Cloud AIP using F5 Distributed Cloud Services (F5XC), see User Management for information about configuring SSO in F5XC using Google, Azure, or Okta.

Organization Owner

I set up F5 Distributed Cloud App Infrastructure Protection (AIP) and invited a user through my Identity Provider (IdP) and they can’t get in.

An IdP invitation does not replace the need for a Distributed Cloud AIP invitation. You have to provision users in your IdP and also send them an invitation through Distributed Cloud AIP.

Why did I lose access to organizations in which I am a user after I converted the organization I own to SSO?

For security reasons, Distributed Cloud AIP does not allow users to authenticate into multiple organizations that have different authentication protocols.

If you are a user of multiple organizations that have different authentication protocols, and you convert the organization you own to SSO, Distributed Cloud AIP removes you from the other organizations.

Why was a user revoked from my organization after I converted it to SSO?

For security reasons, Distributed Cloud AIP removes a user from the SSO-converted organization if that user belongs to a Distributed Cloud AIP organization in which the authentication protocol differs from that of the organization being converted.
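
A pre-conversion check built on the two removal rules above, as an added example that is not F5 code: it reports which organizations the owner would lose and which users would be removed from the organization being converted. The membership list, organization names and the `conversion_impact` helper are constructed for illustration, and the comparison assumes "differs" means differing from the protocol the organization will have after conversion.

```python
from collections import defaultdict

# Constructed sample data: (email, organization, authentication protocol).
# This is not an export format produced by Distributed Cloud AIP.
MEMBERSHIPS = [
    ("owner@example.com", "org-a", "password"),
    ("owner@example.com", "org-b", "password"),
    ("dana@example.com", "org-a", "password"),
    ("dana@example.com", "org-c", "password"),
    ("lee@example.com", "org-a", "password"),
    ("sam@example.com", "org-a", "password"),
    ("sam@example.com", "org-d", "sso"),
]


def conversion_impact(memberships, target_org, owner, new_protocol="sso"):
    """Return (orgs the owner loses, users removed from target_org).

    Assumption: a membership conflicts when the other organization's
    protocol differs from the protocol target_org will have once converted.
    """
    orgs_by_user = defaultdict(dict)
    for email, org, protocol in memberships:
        # Normalise emails so case or stray whitespace does not hide a match.
        orgs_by_user[email.strip().lower()][org] = protocol.strip().lower()

    owner = owner.strip().lower()
    if target_org not in orgs_by_user.get(owner, {}):
        raise ValueError(f"{owner} is not a member of {target_org}")

    owner_loses, users_removed = [], []
    for email, orgs in orgs_by_user.items():
        if target_org not in orgs:
            continue  # only members of the converted organization are affected
        conflicts = sorted(
            org for org, protocol in orgs.items()
            if org != target_org and protocol != new_protocol
        )
        if not conflicts:
            continue
        if email == owner:
            owner_loses = conflicts       # owner is removed from the other orgs
        else:
            users_removed.append(email)   # user is removed from target_org
    return owner_loses, sorted(users_removed)
```

Running the check before conversion shows who needs to be re-invited afterwards or moved to a matching protocol first.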

Everyone

Why can't I send a user an invite to my Distributed Cloud AIP organization?

For security reasons, Distributed Cloud AIP will not send an invitation to users that have been identified as outside of your IdP.

When I enter my email, I am automatically logged in, but not as the user with the email I entered into the sign-in. Why does this happen?

Identity Providers rely heavily on session cookies. If you, or someone else, has logged in as a different user, and that user also exists in Distributed Cloud AIP, your IdP automatically tells Distributed Cloud AIP to log you in as the user associated with your current IdP session.

To fix this and log in as yourself, you can:

  • Open a new incognito window
  • Clear your cookies at the IdP and Distributed Cloud AIP

Identity Providers typically support mappings from a user in the Identity Provider to an email address for a user in the Service Provider (Distributed Cloud AIP). Using custom mappings, an email address in the IdP can be mapped to a user with a different email address in Distributed Cloud AIP.

We recommend that users use the same email address in your IdP as in Distributed Cloud AIP.

We enabled SSO for Distributed Cloud AIP. Why am I getting redirected to log in through the basic Distributed Cloud AIP login page?

As part of the authentication process, Distributed Cloud AIP uses cookies, and your browser may still hold a cookie that sends you through the OAuth authentication path.

We recommend that you:

  • Open a new incognito window
  • Clear your cookies at the IdP and Distributed Cloud AIP

Why am I stuck at the Distributed Cloud AIP login page?

Use case: I entered my email, was redirected to my IdP, and I logged in successfully. I was redirected to Distributed Cloud AIP and now I'm stuck at the login page.

You may not have received an invitation to Distributed Cloud AIP for your SSO email address. Have your Organization Owner send you a Distributed Cloud AIP invitation so you can create a new account associated with your SSO email address.

If no one in your organization can access Distributed Cloud AIP, this suggests that SSO was misconfigured for your Distributed Cloud AIP account, and you should contact our support team.

Why am I stuck in an infinite loop between my IdP and Distributed Cloud AIP?

This suggests that the Distributed Cloud AIP application in your IdP was misconfigured, particularly the ACS Redirect URL. Contact your identity provider admin to check the IdP configuration.

I have multiple organizations. How do I convert them all to SSO?

At this time, converting multiple organizations to SSO requires help from a Distributed Cloud AIP support team member.

I was added to my IdP. Why can’t I log in?

Distributed Cloud AIP compares users within our application to users authorized in the IdP. To access Distributed Cloud AIP you must be listed in both places, or we block you from logging in.

If the email you use for Distributed Cloud AIP does not match your email in your IdP, contact support.

I was added to Distributed Cloud AIP. Why can’t I log in?

Distributed Cloud AIP compares users within our application to users authorized in the IdP. To access Distributed Cloud AIP you must be listed in both places, or we block you from logging in.

Why was I logged out of Distributed Cloud AIP even though I was working on something?

Distributed Cloud AIP enforces a hard eight-hour session timeout for all Distributed Cloud AIP user accounts, regardless of your activity level or authentication method.
