SSO FAQ & Troubleshooting Guide

Organization Owner

I set up App Infrastructure Protection (AIP) and invited a user through my Identity Provider (IdP) and they can’t get in.

An IdP invitation does not replace the need for an AIP invitation. You have to provision users in your IdP and also send them an invitation through AIP.

Why did I lose access to organizations in which I am a user after I converted the organization I own to SSO?

For security reasons, AIP does not allow users to authenticate into multiple organizations that have different authentication protocols.

If you are a user of multiple organizations that have different authentication protocols, and you convert the organization you own to SSO, AIP removes you from the other organizations.

Why was a user revoked from my organization after I converted it to SSO?

For security reasons, AIP removes a user from the SSO-converted organization if that user belongs to an AIP organization whose authentication protocol differs from that of the organization being converted.

Everyone

Why can't I send a user an invite to my AIP organization?

For security reasons, AIP will not send an invitation to users that have been identified as outside of your IdP.

When I enter my email, I am automatically logged in, but not as the user with the email I entered at sign-in. Why does this happen?

Identity Providers set cookies very aggressively. If you, or someone else, have logged in as a different user, and that user also exists in AIP, your IdP automatically tells AIP to log you in as the user associated with your current IdP session.

To fix this and log in as yourself, you can:

  • Open a new incognito window
  • Clear your cookies at the IdP and AIP

Identity Providers typically support mappings from a user in the Identity Provider to an email address for a user in the Service Provider (AIP). Using custom mappings, an email address in the IdP can be mapped to a user with a different email address in AIP.

We recommend that users use the same email address in your IdP as in AIP.

We enabled SSO for AIP. Why am I being redirected to log in through the basic AIP login page?

As part of the authentication process, AIP uses cookies, and your browser may still hold a cookie that sends you through the OAuth authentication path.

We recommend that you:

  • Open a new incognito window
  • Clear your cookies at the IdP and AIP

Why am I stuck at the AIP login page?

Use case: I entered my email, was redirected to my IdP, and I logged in successfully. I was redirected to AIP and now I'm stuck at the login page.

You may not have received an invitation to AIP for your SSO email address. Have your Organization Owner send you an AIP invitation so you can create a new account associated with your SSO email address.

If no one in your organization can access AIP, this suggests that SSO was misconfigured for your AIP account and you should contact our support team.

Why am I stuck in an infinite loop between my IdP and AIP?

This suggests that the AIP application in your IdP was misconfigured, particularly the ACS Redirect URL. Contact your identity provider admin to check the IdP configuration.

I have multiple organizations. How do I convert them all to SSO?

At this time, converting multiple organizations to SSO requires help from an AIP support team member.

I was added to my IdP but I can’t log in?

AIP compares users within our application to users authorized in the IdP. To access AIP you must be listed in both places, or we block you from logging in.

If the email you use for AIP does not match your email in your IdP, contact support.

I was added to AIP but I can’t log in?

AIP compares users within our application to users authorized in the IdP. To access AIP you must be listed in both places, or we block you from logging in.
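
The both-lists rule and the IdP-to-AIP email mappings described above can be audited before users run into a blocked login. The following is an added example, not AIP's own code: the user lists and the mapping are constructed sample data, and case-insensitive email comparison is an assumption.

```python
# Added example: reconcile IdP-authorized users against AIP users.
# All addresses below are constructed; export formats are assumptions.

def normalize(email):
    # Assumption: emails are compared case-insensitively, ignoring padding.
    return email.strip().lower()

def reconcile(idp_users, aip_users, idp_to_aip_mapping=None):
    """Classify users under the rule that access needs both an IdP
    entry and an AIP account, after any custom IdP email mapping."""
    mapping = {normalize(k): normalize(v)
               for k, v in (idp_to_aip_mapping or {}).items()}
    idp = {normalize(e) for e in idp_users}
    aip = {normalize(e) for e in aip_users}
    # The address each IdP user presents to AIP once mappings are applied.
    presented = {e: mapping.get(e, e) for e in idp}
    effective = set(presented.values())
    return {
        "can_sign_in": sorted(effective & aip),
        # Provisioned in the IdP but never invited through AIP.
        "needs_aip_invitation": sorted(effective - aip),
        # Has an AIP account but the IdP does not authorize that address.
        "needs_idp_provisioning": sorted(aip - effective),
        # Mapped identities deserve review: the IdP email differs from AIP's.
        "mapped_to_different_email": sorted(
            e for e, p in presented.items() if e != p),
    }

# Constructed sample data.
IDP_USERS = ["Alice@example.com", "bob@example.com", "carol@corp.example.com"]
AIP_USERS = ["alice@example.com", "carol@example.com", "dave@example.com"]
MAPPING = {"carol@corp.example.com": "carol@example.com"}

if __name__ == "__main__":
    for bucket, users in reconcile(IDP_USERS, AIP_USERS, MAPPING).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Running it without the mapping shows the email-mismatch case: the same person appears once as needing an AIP invitation and once as needing IdP provisioning.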

Why was I logged out of AIP even though I was working on something?

AIP enforces a hard eight-hour session timeout for all AIP user accounts, regardless of your activity level or authentication method.
