← All Articles

Troubleshooting SSO Login Issues

troubleshooting beginner

If you are unable to log in to SecureAI through your organization's Single Sign-On (SSO) provider, work through the following sections to identify and resolve the issue.

Redirect Loop After SSO Login

Symptom: After authenticating with your identity provider, the browser cycles between the SSO provider and SecureAI without ever reaching the dashboard.

Causes and Fixes:

  1. Mismatched callback URL. The callback (redirect) URL configured in your identity provider must exactly match the one SecureAI expects.

    • In your identity provider (Okta, Azure AD, Google Workspace, etc.), verify the authorized redirect URI is set to https://<your-secureai-domain>/oauth/<provider>/callback.
    • Trailing slashes matter. https://example.com/oauth/oidc/callback and https://example.com/oauth/oidc/callback/ are treated as different URLs.

  2. Browser cookies blocked or expired. SSO relies on session cookies to complete the handshake.

    • Clear your browser cookies for both your SSO provider domain and your SecureAI domain.
    • Ensure third-party cookies are not blocked if your SSO provider and SecureAI are on different domains.
    • Try an incognito/private window to rule out browser extensions interfering.

  3. Clock skew. If the server or your device clock is significantly out of sync, SAML assertions or OIDC tokens may be rejected as expired.

    • Verify your device time is accurate (Settings > Date & Time > Set Automatically).
    • Ask your administrator to verify the SecureAI server time is synchronized via NTP.

Certificate Mismatch (SAML)

Symptom: Login fails with an error referencing an invalid signature, certificate, or trust chain. Some providers show "Response signature verification failed."

Causes and Fixes:

  1. Expired or rotated IdP certificate. Identity providers periodically rotate their signing certificates. If the new certificate was not uploaded to SecureAI, signature verification fails.

    • Ask your administrator to download the current signing certificate from the identity provider and update it in SecureAI's SAML configuration (Admin Panel > Settings > SSO > SAML Certificate).

  2. Wrong certificate uploaded. Some identity providers offer multiple certificates (signing vs. encryption). SecureAI requires the signing certificate.

    • In your IdP metadata, look for the certificate with use="signing". Upload that certificate only.

  3. Self-signed certificate not trusted. If your identity provider uses a self-signed certificate, the SecureAI server must be configured to trust it.

    • Ask your administrator to add the certificate to the server's trusted CA store or upload it in SecureAI's SSO settings.

Domain Restriction Errors

Symptom: SSO authentication succeeds at the identity provider, but SecureAI rejects the login with a message like "Email domain not allowed" or "User not authorized."

Causes and Fixes:

  1. Email domain not in the allowlist. SecureAI can restrict logins to specific email domains. If your email domain is not listed, access is denied.

    • Ask your administrator to add your email domain to the allowed domains list (Admin Panel > Settings > SSO > Allowed Domains).

  2. User account not pre-provisioned. Some organizations disable automatic account creation via SSO. If your account does not already exist in SecureAI, the login is rejected.

    • Ask your administrator to either create your account manually or enable automatic provisioning (Admin Panel > Settings > SSO > Auto-Provision Users).

  3. Group or role mapping mismatch. If your organization maps SSO groups to SecureAI roles, your identity provider account may lack the required group membership.

    • Verify with your IT team that your SSO account is in a group that maps to a SecureAI role.

MFA Conflicts

Symptom: Multi-factor authentication prompts fail, loop, or block login entirely when using SSO.

Causes and Fixes:

  1. Duplicate MFA enforcement. If your identity provider enforces MFA and SecureAI has its own MFA enabled, users may be prompted twice or encounter conflicts.

    • When using SSO, MFA should be enforced at the identity provider level only. Ask your administrator to disable SecureAI's built-in MFA for SSO users (Admin Panel > Settings > Authentication > Disable Local MFA for SSO).

  2. MFA timeout too short. Some identity providers set aggressive session timeouts for MFA. If the MFA challenge expires before the SSO handshake completes, the login fails.

    • Ask your administrator to check the identity provider's MFA timeout settings. A minimum of 120 seconds is recommended.

  3. Authenticator app out of sync. Time-based one-time passwords (TOTP) rely on your device clock being accurate.

    • Verify your phone's date and time are set to automatic.
    • If using Google Authenticator, go to Settings > Time correction for codes > Sync now.

OIDC-Specific Issues

Symptom: OIDC login fails with errors referencing scopes, claims, or token validation.

Causes and Fixes:

  1. Missing required scopes. SecureAI requires openid, email, and profile scopes.

    • In your identity provider's OIDC client configuration, ensure all three scopes are granted.

  2. Client secret mismatch. If the client secret in SecureAI does not match the one in the identity provider, token exchange fails silently or with a generic "authentication failed" error.

    • Regenerate the client secret in your identity provider and update it in SecureAI's OIDC settings.

  3. Issuer URL mismatch. The issuer URL configured in SecureAI must exactly match what the identity provider returns in its discovery document.

    • Check the .well-known/openid-configuration endpoint of your provider and compare the issuer value with what is configured in SecureAI.

General Diagnostic Steps

If the sections above do not resolve your issue, collect the following information before contacting support:

  1. Browser console logs. Open Developer Tools (F12) > Console tab, reproduce the login attempt, and copy any errors.
  2. Network trace. In Developer Tools > Network tab, look for failed requests (status 4xx or 5xx) during the SSO flow.
  3. Identity provider logs. Most providers (Okta, Azure AD, Google Workspace) have an audit log that shows whether authentication succeeded on their side.
  4. SecureAI admin logs. Ask your administrator to check the OpenWebUI logs for SSO-related errors around the time of the failed login attempt.
  5. Exact error message. Copy the full error text shown in the browser, including any error codes.

Submit these details to your administrator or to SecureAI support for further investigation.