Problems and errors:
Below you find a list of problems or errors you might encounter during your SSO setup, with possible solutions:
Error during token exchange: The remote server returned an error: (401) Unauthorized.
Reason 1:
The secret key is wrong.
Solution 1:
Check that you are using the correct secret value and not the key/secret ID instead of the value (Azure shows both a Secret ID and a Value for each client secret; only the Value is the secret).
Reason 2:
Your application's token endpoint authentication method is not set to POST (client_secret_post).
Solution 2:
Check the Token Endpoint Authentication Method of your application. If it is set to None or Client Secret Basic, change it to Client Secret Post. Both methods use an HTTP POST to the token endpoint; with client_secret_basic the client credentials travel in an HTTP Basic Authorization header, with client_secret_post they travel in the POST body. An identity provider may reject the exchange with 401 when the method used does not match the one configured for the application.
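To reproduce the token exchange outside of Cameyo, here is an added example script (not Cameyo's code) that builds the authorization-code exchange either with client_secret_post or with client_secret_basic, warns when the pasted Azure "secret" is actually the GUID Secret ID, and reports the HTTP status the identity provider returns. The token endpoint, authorization code, client ID and secret are assumed to come from your own identity provider; the authorization code must be fresh, since codes are single-use.

```python
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Tuple

# Cameyo's fixed redirect URI (see the Okta and Azure entries below)
REDIRECT_URI = "https://online.cameyo.com/oidc"

# Azure lists every client secret with a GUID "Secret ID" next to its "Value";
# only the Value is the secret. A pasted GUID is the classic cause of Reason 1.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def looks_like_azure_secret_id(secret: str) -> bool:
    return bool(GUID_RE.match(secret.strip()))


def build_token_request(token_endpoint: str, code: str, client_id: str, client_secret: str,
                        auth_method: str, redirect_uri: str = REDIRECT_URI) -> Tuple[str, dict, bytes]:
    """Return (url, headers, body) for the authorization-code exchange.

    Both methods are POST requests (RFC 6749 section 2.3.1); they differ only in
    where the client credentials travel, which is what the Token Endpoint
    Authentication Method setting controls.
    """
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    if auth_method == "client_secret_post":
        # credentials go into the form body
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif auth_method == "client_secret_basic":
        # credentials are form-urlencoded, joined with ':' and base64-encoded into a Basic header
        cred = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return token_endpoint, headers, urllib.parse.urlencode(form).encode()


def exchange_code(token_endpoint, code, client_id, client_secret, auth_method):
    """Send the exchange and return (http_status, response_body); 401 means secret/method."""
    url, headers, body = build_token_request(token_endpoint, code, client_id, client_secret, auth_method)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        raw = err.read().decode(errors="replace")
        try:
            return err.code, json.loads(raw)  # OAuth error bodies are JSON, e.g. {"error": "invalid_client"}
        except ValueError:
            return err.code, raw


if __name__ == "__main__":
    import sys
    if len(sys.argv) not in (5, 6):
        sys.exit("usage: token_exchange.py <token_endpoint> <code> <client_id> <client_secret> "
                 "[client_secret_post|client_secret_basic]")
    endpoint, code, client_id, secret = sys.argv[1:5]
    method = sys.argv[5] if len(sys.argv) == 6 else "client_secret_post"
    if looks_like_azure_secret_id(secret):
        print("warning: this looks like an Azure Secret ID (a GUID), not the secret Value")
    # An authorization code is single-use: get a fresh one before trying the other method.
    status, resp = exchange_code(endpoint, code, client_id, secret, method)
    print(method, "->", status, resp if isinstance(resp, str) else resp.get("error", "ok"))
```

If client_secret_post returns 401 invalid_client while client_secret_basic (with a fresh code) succeeds, the application's authentication method setting is the problem, not the secret.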
Error during token exchange: The remote server returned an error: (400) Bad Request.
Reason:
The identity provider is in an unstable state, e.g. shortly after a configuration change.
Solution:
Wait a few minutes and try again.
Missing email / upn claim
Reason:
The token from your SSO provider contains neither an email nor a upn claim.
Solution:
Make sure your SSO provider sends email and/or upn in the claims.
Azure: users synchronized from an on-prem Active Directory via Azure AD Connect might not have the email attribute set; make sure it is set for all users using Cameyo.
Error: access_denied: User is not assigned to the client application.
Reason:
The user is not allowed to use the Cameyo SSO app.
Solution:
Within your identity provider, make sure the user is assigned to / has rights to use the Cameyo SSO app.
Failed: Registration: Maximum number of users exceeded error
Reason:
The licensed number of Cameyo users has been reached, and somebody is logging in through SSO for the first time (which would create a new user).
Solution:
Purchase additional Cameyo licenses
Failed: Registration: [email protected]: unauthorized ID for domain :mycompany.com:
Reason:
Only mycompany.com is registered as an identity domain for your company; mycompany.org isn't.
Solution:
Ask Cameyo to add the missing identity domain (contact: [email protected]).
Failed: You must be invited by an administrator
Reason:
In your company settings you have set "[x] Invited users only"
Solution:
Either invite the user by adding them on the Users page, or disable "[ ] Invited users only".
Error: Object reference is not set to an instance of an object.
This error can have different causes, not all of which are known yet.
Reason 1:
One known cause: the user's email differs from their upn (Azure).
Solution 1:
Make sure the Azure user's email matches the user's upn.
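For both the "Missing email / upn claim" entry and the email-vs-upn mismatch above, the quickest check is to look at the claims the identity provider actually put into the ID token. The following added example (not Cameyo's code) decodes a token's payload without verifying it and reports the claim problems described on this page; the sample token is constructed inline and the claim names and client ID used in it are placeholders.

```python
import base64
import json
from typing import List, Optional


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used in JWS compact serialization (RFC 7515)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of an ID token WITHOUT verifying the signature.

    Good enough to see what the identity provider put into the token while
    troubleshooting; never use unverified claims for authentication decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_identity_claims(claims: dict, expected_client_id: Optional[str] = None) -> List[str]:
    """Report the claim problems described above. An empty list means nothing was found."""
    findings = []
    email = claims.get("email")
    upn = claims.get("upn")
    if not email and not upn:
        findings.append("neither 'email' nor 'upn' claim present: Cameyo cannot identify the user")
    elif not email:
        findings.append("'email' claim missing (Azure: users synced via Azure AD Connect may lack the email attribute)")
    elif not upn:
        findings.append("'upn' claim missing")
    if email and upn and email.strip().lower() != upn.strip().lower():
        findings.append(f"'email' ({email}) and 'upn' ({upn}) differ (Azure: can cause 'Object reference not set...')")
    if expected_client_id is not None:
        # 'aud' may be a string or a list; it must contain the client id you configured in Cameyo
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if expected_client_id not in auds:
            findings.append(f"'aud' {aud!r} does not contain the configured client id {expected_client_id}")
    return findings


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token (empty signature) purely to produce test input."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        token = sys.argv[1]  # paste the id_token shown by your identity provider or test tool
    else:
        # Constructed sample: the Azure case where email and upn disagree (placeholder values)
        token = make_unsigned_token({
            "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
            "aud": "<client-id>",
            "email": "jane.doe@mycompany.com",
            "upn": "jdoe@mycompany.com",
        })
    claims = decode_jwt_payload(token)
    print(json.dumps(claims, indent=2))
    for finding in check_identity_claims(claims) or ["no problems found"]:
        print("-", finding)
```

Pass the id_token you obtain from your identity provider (the test procedure at the end of this page is one way to get it) as the first argument; without an argument the script runs against the constructed sample.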
Error: invalid_request: PKCE code challenge is required by the application.
Reason:
In the app configuration of your identity provider you enabled "Require PKCE" or a similar option, which is not supported by Cameyo.
Solution:
Disable the requirement of PKCE in your app configuration.
Okta:
Error: The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: https://dev-12503311-admin.okta.com/admin/app/oidc_client/instance/<youroktaid>#tab-general
Reason:
The Sign-in redirect URI [Applications > Cameyo > General > General Settings > Login] is missing or incorrect.
Solution:
Make sure you always configure https://online.cameyo.com/oidc as the redirect URI, no matter which subdomain you are using!
Azure:
AADSTS700016: Application with identifier '32f85d39-8d7a-4e7d-9849-6022c83c5ab2' was not found in the directory 'Your directory name'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Reason:
The client ID is incorrect or does not exist in this tenant.
Solution:
Make sure you copied the correct client ID / application ID from your SSO provider and that you are connected to the right tenant (ID).
AADSTS50011: The redirect URI 'https://online.cameyo.com/oidc' specified in the request does not match the redirect URIs configured for the application '32f85d39-8d7a-4e7d-9849-6022c83c5ab2'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Reason:
You configured a wrong redirect URI in your SSO provider’s application.
Solution:
Make sure you always configure https://online.cameyo.com/oidc as the redirect URI, no matter which subdomain you are using!
Error: invalid_client: AADSTS650053: The application 'Cameyo SSO' asked for scope 'groups' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: c280c64d-77b5-4e1d-bb7f-a849b6d50800 Correlation ID: 484df405-26b7-40df-948b-7dc8703dbaba Timestamp: 2023-06-28 15:41:49Z.
Reason:
You configured the PowerTag !SSO_MEMBEROF_SCOPE=1 but didn't configure the corresponding claims, so Cameyo requests a 'groups' scope that Microsoft Graph does not offer.
Solution:
Either remove the PowerTag, or configure the scopes accordingly and grant sufficient permissions in Microsoft Graph.
The resource ID 00000003-0000-0000-c000-000000000000 in the error message is Microsoft Graph.
Need admin approval
Reason:
Azure is configured to require admin approval for the SSO application.
Solution:
See the article "Admin approval needed on Azure SSO login".
Testing:
You can test your configuration outside of Cameyo with the page https://openidconnect.net. Prepare as follows:
- Add https://openidconnect.net/callback to the redirect URIs of your SSO provider's Cameyo application (you don't need to remove https://online.cameyo.com/oidc!)
- Copy the Issuer URL from your Cameyo company page and append /.well-known/openid-configuration, e.g. https://cameyo.okta.com -> https://cameyo.okta.com/.well-known/openid-configuration
- Go to https://openidconnect.net
- Click CONFIGURATION
- Select the "Custom" server template
- Enter the openid-configuration URL built in the second step into the "Discovery Document URL" field and click USE DISCOVERY DOCUMENT
- Enter the Client ID and Client Secret
- Enter "openid email" in the Scope field
- SAVE the configuration
- Click START and follow the instructions on the website
Remove the https://openidconnect.net/callback redirect URI from your application again once you are done testing, so that tokens for your Cameyo application can only be delivered to Cameyo.
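Step 2 of the procedure above can also be checked from the command line. The following added example (not Cameyo's code) builds the discovery URL from the issuer and inspects the discovery document for the things the Cameyo flow relies on: a matching issuer, the authorization and token endpoints, the authorization code flow, client_secret_post at the token endpoint, and the openid and email scopes. The sample document is constructed here to look like a typical Okta org response and is not real data; pass your real issuer as the first argument to fetch the live document instead.

```python
import json
import urllib.request
from typing import List

# Scopes entered into the Scope field in the test procedure above
REQUIRED_SCOPES = {"openid", "email"}


def discovery_url(issuer: str) -> str:
    """Turn the Issuer URL from the Cameyo company page into the discovery document URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, doc: dict) -> List[str]:
    """Compare a discovery document against what the Cameyo SSO flow needs."""
    findings = []
    # OIDC Discovery requires the 'issuer' in the document to match the URL it was fetched from
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        findings.append(f"issuer mismatch: document says {doc.get('issuer')!r}, you configured {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            findings.append(f"{key} missing from discovery document")
    # When the field is absent the spec default is client_secret_basic only
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in methods:
        findings.append(f"token endpoint does not advertise client_secret_post (has {methods}); "
                        "expect 401 during token exchange")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code flow (response_type=code) not advertised")
    scopes = set(doc.get("scopes_supported", []))  # optional field; only checked when present
    missing = REQUIRED_SCOPES - scopes
    if scopes and missing:
        findings.append(f"scopes not advertised: {sorted(missing)}")
    return findings


def fetch_discovery(issuer: str) -> dict:
    with urllib.request.urlopen(discovery_url(issuer), timeout=15) as resp:
        return json.load(resp)


# Constructed sample document, shaped like a typical Okta org response; not real data
SAMPLE_DOC = {
    "issuer": "https://cameyo.okta.com",
    "authorization_endpoint": "https://cameyo.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://cameyo.okta.com/oauth2/v1/token",
    "jwks_uri": "https://cameyo.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        issuer = sys.argv[1]
        doc = fetch_discovery(issuer)
    else:
        issuer, doc = SAMPLE_DOC["issuer"], SAMPLE_DOC
    print(discovery_url(issuer))
    for finding in check_discovery(issuer, doc) or ["discovery document looks usable"]:
        print("-", finding)
```

The discovery document describes what the server supports globally; a per-application setting (for example Okta's client authentication method or Azure's redirect URI list) can still reject your application, so this check complements the application settings described above rather than replacing them.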
To be continued…