Who is this article for?

Users unable to sign in to Hub with Corporate ID and Administrators managing Hub users.

Administrator permissions required to access the Hub Admin Console.

This article answers commonly asked questions about signing in to Ideagen Hub using a corporate identity provider. 

Check sign in

To troubleshoot and fix the IdP configuration errors, you'll need Administrator permissions.

First, check if anyone else can sign in to Hub:

• If anyone can sign in, make sure they are a Hub Administrator who can access the Admin Console from the top-left menu.
• If no Administrators can sign in, please get in touch with Ideagen Support to create a break-glass Administrator account. You will need to provide a unique username for this account, and you can use the same email address as an existing Administrator account.

You may also need your IT Administrator's help to confirm your corporate identity provider settings as it is possible that the configuration needs to be resolved at your identity provider.

PreSignUp failed with error (SAML/OIDC)

If you receive the "PreSignUp failed with error. External user does not exist in the DB. Please verify the user has been imported" error message, this indicates one of the following:

• The user has not been created or imported into Ideagen Hub with authentication type: External
• A mismatch between the values obtained from the identity provider (IdP) attributes mapping and the user details imported or created in Hub user management.
• If you are using OIDC configuration, this could be due to an incorrect scope configuration

To resolve the error:

1. Go to Admin Console.
2. Select User Management.
3. Click Edit on the affected user's record.
4. Ensure the authentication type is set to External.
5. Note the username and email address values.
6. Go to Admin Console.
7. Select Security Center.
8. Go to Authentication, External IdP configuration.
9. Click Configure.
10. Click Edit to check the settings for the identity provider you are attempting to use.
11. Ensure the mapped attributes from the identity provider contain the same values as the username and email address set up for the affected user in User Management. This applies whether you are using SAML or OIDC configuration.

12. For OIDC configuration, check if you have configured the required authorized scope.  Ideagen Hub only populates openid by default. You will need to populate the additional scope as required, separated with spaces.

13. Click Apply configuration to save any changes.

Request sent by client is not signed (SAML)

You may encounter the following error message is an example when you use Microsoft Entra as your identity provider. (Other identity providers may produce an equivalent message):

This indicates that the Require verification certificates option is enabled in Microsoft Entra but the Sign SAML requests to this provider option is disabled in Ideagen Hub.

To resolve this error:

1. Go to Admin Console.
2. Select Security Center.
3. Go to Authentication, External IdP configuration.
4. Click Configure.
5. Click Edit to check the settings for the identity provider you are attempting to use.
6. Ensure the Sign SAML requests to this provider checkbox is checked on.
7. Click Apply configuration to save any changes.

No certificate for verification configured (SAML)

You may encounter the following error message is an example when you use Microsoft Entra as your identity provider. Other identity providers may produce an equivalent message.

This indicates that the signing certificate has not been uploaded to your identity provider application for Ideagen Hub.

To resolve this error:

1. Go to Admin Console.
2. Select Security Center.
3. Go to Authentication, External IdP configuration.
4. Click Configure.
5. Click Edit to check the settings for the identity provider you are attempting to use.
6. You can Download signing certificate from Hub.

Then, proceed to your identity provider app to import the signing certificate.

Responses must contain exactly one Encrypted Assertion (SAML)

If you receive the "Invalid SAML response received: Responses must contain exactly one Encrypted Assertion" error, this indicates one of the following:

• The SAML encryption is enabled in Hub but not at your Identity Provider settings 
• You have not imported a valid encryption certificate from Hub for your Identity Provider app. 

To resolve this error:

1. Go to Admin Console.
2. Select Security Center.
3. Go to Authentication, External IdP configuration.
4. Click Configure.
5. Click Edit to check the settings for the identity provider you are attempting to use.
6.  If you do not require encrypted SAML assertions, the "Require encrypted SAML assertions..." checkbox should be checked off.
7. If you require encrypted SAML assertions, the "Require encrypted SAML assertions..." checkbox should be checked on.

7. Scroll to the top of the SAML Configuration screen to Download encryption certificate. 

7. Click Apply configuration to save any changes.

If encrypted SAML assertions is required, proceed to your identity provider app to import the encryption certificate.

Logout response error (SAML)

The following error will be observed if single sign-out is enabled for a Microsoft Entra SAML Identity Provider (IdP): "An error was encountered with the requested page."

Although Hub's authentication provider, AWS Cognito, supports single sign-out, it doesn't work when using Microsoft Entra ID as the Identity Provider (IdP).

This is due to Cognito only supporting POST requests for single sign-out, whereas Entra ID only supports GET requests, which causes an incompatibility between the two services.

Invalid Client Secret Provided (OIDC)

You may encounter the "Invalid Client Secret Provided..." error when the client secret configured for your IdP in Hub is invalid or has expired.

To resolve this error:

1. Go to Admin Console.
2. Select Security Center.
3. Go to Authentication, External IdP configuration.
4. Click Configure.
5. Click Edit to check the settings for the identity provider you are attempting to use. This should be an OIDC provider.
6. Populate the Client Secret field with the correct value from your identity provider.
7. Click Apply Configuration to save any changes.

Incorrect platform type (OIDC)

If the redirect URL has been added to Microsoft Entra as a single-page application, when a user attempts to sign in, they will encounter the "AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption." error.

If the redirect URL been added to Entra as a Mobile and desktop application, when a user attempts to sign in, they will encounter the "Ideagen-Entra-OIDC Error - 401 invalid_client AADSTS700025: Client is public so neither 'client_assetion' nor 'client_secret' should be presented." error.

When adding the redirect URL in Microsoft Entra, you need to ensure that you have selected Web applications as the Platform type.

Missing signing key for custom attribute (OIDC)

If you have customised the claims in your application's token, but the application has not been configured to explicitly allow these modifications, the user will encounter the "Ideagen-Entra-OIDC Error - 400 invalid_request AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid." error when attempting to sign in.

If the application is a single-tenant application, the simplest solution is to update the application manifest to acknowledge the modified claims as follows.

To update the manifest:

1. Sign in to the Microsoft Entra admin center or Azure Portal.

2. Navigate to App registrations and select your application.

3. On the left menu, click Manifest.

4. Find the property "acceptMappedClaims" and change its value from null to true.

5. Click Save.

Further reading

• Configuring single sign-on (SSO) for Ideagen Hub
• Setting up Microsoft Entra for SAML-based Single Sign-On (SSO)
• Setting up Google Workspace for Single Sign-On (SSO)