If you enable SSO but then can't log in using SSO, you can use the local login to regain access. This is only available to users with the Tenant admin user role. See our knowledge base article, Rescue URL for tenant administrators.
If you use SAML to authenticate and authorize your users for single sign-on, you can add the URL address to your identity provider and upload certificates and keys.
Troubleshooting
Applaud doesn't require you to sign, encrypt and decrypt the request and response to use SAML. However, Applaud supports this if you want to. You need to make sure you configure your Identity Provider (IDP) correctly for this to work without error. Here are some errors you might encounter and how to correct them.
Invalid signature
If you try to verify the signature of the SAML assertion and receive an error for an invalid signature, you need to either make sure at least one of the response and assertion signatures is set as "Signed" in your IDP or don't verify the signature.
Invalid signature from encrypted assertion
If you try to verify the SAML assertion signature with the wrong certificate, you'll receive an "Invalid signature from encrypted assertion" error. Check and make sure you use the certificate given by your IDP. This is most likely an X.509 certificate.
No decryption key for encrypted SAML response
If you don't use the decryption key for the encrypted response from IDP, you'll receive the error: "No decryption key for encrypted SAML response."
Example IDP setup for making the response encrypted:
-
Assertion Encryption: "Encrypted"
-
Encryption Certificate: "server.crt (CN=O=Internet Widgits Pty Ltd, ST=Some-State, C=IN)"
-
Encryption Algorithm: "AES128_CBC"
-
Key Transport Algorithm: "RSA_15"
The certificate, in this case, "server.crt," a public key uploaded in the IDP, is used to encrypt the response. So you need to make sure you use the corresponding private key certificate for decryption.
If you use the wrong certificate to decrypt the response, you'll receive the "Encryption block is invalid" error. Make sure you use the matching private key. This might also occur even if you use the correct key but the encrypted block has been modified.
Azure Error - AADSTS75011
If you've configured Azure AD SSO and users are seeing this error message, you need to remove the optional value, RequestedAuthnContext. You can do this by selecting the option on the Settings page in the Applaud platform. Read more about this error in Microsofts help article, Authentication method mismatch.