Troubleshoot SSO

Although SSO errors are often easy to correct, testing and debugging can be a challenge. Due to security concerns, users who are trying to log in receive only a generic message that the login was incorrect. Use the diagnostic tools within your company to view and resolve more specific errors.

Verify SSO configuration settings

Many SSO problems are the result of incorrect configuration settings. If you can't log in via SSO, Admin users can bypass SSO and log in at the regular login page using their administrator username and password.

The SSO configuration settings are found in the following areas:

See Set up single sign-on for detailed information on configuration settings.

View the Access log

The Access log is a report that records when a user attempts to log in to a company. The Access log groups data by user and then by date and time. It lists any failed SSO attempts as "Invalid Single Sign-On Access" in the sign-in result column and displays the associated error in the Description column for the applicable user.

Learn more about the Access log.

To view the Access log:

  1. Go to Company > All > Logs and select Access log.
  2. Set the applicable filters and select View.

    Intacct displays access data that matches the given criteria.

  3. Scan the Sign-in result column for "Invalid Single Sign-On Access" and see the corresponding Description information.

    See the SSO error code and resolution table for error information.

Test a user's SSO

You can test a user's SSO from the applicable user record. Intacct will open a temporary browser window and attempt to log in with SSO for the user. When the window closes, Intacct displays the results of the attempt in the text box underneath the test button. You can also view any error results from this test in the Access log.

To test a user's SSO:

  1. Go to Company > All > Users, and select Users.

    The Users list appears.

  2. Find the desired user and select Edit next to it.
  3. Select the Single sign-on tab.
  4. Select Test single sign-on.

    Another browser window appears and attempts to use SSO for the user. 

  5. If SSO is successful, the message "SSO test was successful" appears.

    Possible errors:

    • If your company is unable to access the configured identity provider, a 404 error or an error generated by the identity provider might appear in the browser window.
    • If SSO fails due to inability to process the response from the SSO identity provider, then an error might appear in the text box below the Test single sign-on button. This error will also appear in the Access log.
    • If there's another type of connection problem, the login page might appear and the window will not close. See Other connection errors for more information.

Error codes and resolutions

The following errors might appear in either the Access log or as the result of a test user sign-in.

Error: Invalid SSO response.

Resolution: Verify the settings in the Company information page. Possible solutions:

  • Verify that the SSO certificate is a valid X.509 certificate and that it matches the one from your SSO provider.

    The SSO certificate issued by your SSO identity provider might have been incorrectly copied to your company, or the original certificate might have expired.

    The X.509 certificate must be in PEM format and generated with an SHA-256 hash signature.

  • Verify that the selected Identity provider type is correct.

Error: SSO is not enabled for this company.

Resolution: The SSO setup is incomplete or was never completed. See Set up single sign-on for information on how to enable SSO.

Error: SSO is not enabled for the user <Intacct user ID>.

Resolution: Edit the user record to enable SSO. See Set up individual users for detailed instructions.

Error: User <Intacct user ID> attempted to sign in, but the federated user ID <SSO Federated id> sent from the SSO provider doesn't match the federated user ID <Intacct Federated ID> in the user's record.

Resolution: Edit the user record and correct the user’s Federated SSO user ID. See Set up individual users for detailed instructions.

Other connection errors

Your company can’t capture SSO errors if any of the following conditions are true:

  • Your company can’t be found
  • The identity provider URL can’t be found
  • The response from the identity provider can’t be interpreted

These types of errors will not appear in the Access log or in the test user single sign-on results. The following table lists some of the errors that occur as a result of one of the above conditions:

Problem: SSO configuration data goes to the wrong or an invalid company.

Resolution: If the SSO login attempt can’t connect to your company, the failure can’t be logged to an Access log. Check the setup for your SSO identity provider.

Problem: The SSO Identity provider type is set incorrectly in the Company information page.

Resolution: Verify the Identity provider type in the Company information page. The options are SAML 2.0 and SAML 2.0 with ADFS. If the wrong setting is used, the SSO login might become confused about which company to log in to, resulting in an unlogged error.

Problem: From the single sign-on page, select Log in. The login page refreshes the user ID and Company fields and nothing happens or is displayed.

Resolution: Intacct can't connect to the SSO identity provider. Verify the Login URL for your SSO identity provider in the Company information page.

Problem: The wrong SAML attributes are returned from the SSO identity provider.

Resolution: For logins initiated from the identity provider, your company expects the company ID to be returned in the SAML assertion’s Company Name attribute, and the user ID to be returned in the Name attribute. Check the setup for your SSO identity provider.
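
Because wrong SAML attributes are not logged, one way to find them is to inspect a SAMLResponse captured from your own test sign-in. The script below is an added example, not Intacct code; it checks the two attributes described above and the federated user ID from the mismatch error. It assumes the attributes are literally named "Company Name" and "Name" and that the federated user ID is sent in the Subject NameID. The sample response and all IDs are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not real IdP output). The second attribute is
# deliberately named "name" instead of "Name".
SAMPLE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@idp.example</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Company Name">
        <saml:AttributeValue>ExampleCo</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="name">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())  # form-field encoding


def diagnose(saml_b64, company_id, user_id, federated_id):
    """Return a list of mismatches. Diagnostic only: no signature check."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no readable Assertion (encrypted, or the IdP returned an error)"]
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name", "")] = value.strip()
    findings = []
    # Assumption: the attributes are literally named "Company Name" and "Name".
    for name, expected in (("Company Name", company_id), ("Name", user_id)):
        if name not in attrs:
            findings.append(f"attribute {name!r} missing; IdP sent {sorted(attrs)}")
        elif attrs[name] != expected:
            findings.append(f"attribute {name!r} is {attrs[name]!r}, expected {expected!r}")
    # Assumption: the federated user ID travels in the Subject NameID.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id.strip() != federated_id:
        findings.append(f"federated ID {name_id.strip()!r} != user record {federated_id!r}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_B64, "ExampleCo", "jdoe", "jdoe@corp.example"):
        print(line)
```

An empty list means the attributes and federated ID line up, so the cause lies elsewhere, such as the certificate or the Identity provider type.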