Troubleshooting: SSO issues
Written by Ha Ngan Nguyen
Updated over a week ago

Creative Force supports integration with any SSO provider, as we are SAML 2.0 compatible.

Currently, we have detailed setup guides for the following Identity Providers (IdPs):

Okta

If you’ve followed these setup instructions and are encountering issues, this guide will walk you through the first troubleshooting steps for common SSO issues.

As always, feel free to contact our Support team if needed.

Unable to set up a new IdP in Creative Force

Invalid Metadata URL

A common issue when setting up a new IdP is an invalid metadata URL. The metadata document URL must be accessible in your browser and must display as an XML document.

To get the metadata URL for configuring Single Sign-On (SSO), follow these steps based on your IdP:

Microsoft Azure

1. Log on to the Azure portal and navigate to your Azure Active Directory.

2. Select the application you want to configure SSO for.

3. Go to the Single Sign-On section.

4. Under the SAML Signing Certificate section, you will find an option to download the Federation Metadata XML. This XML file contains the metadata URL you need.

Okta

1. Log on to the Okta portal and navigate to Okta Admin Dashboard.

2. Select the application you want to configure SSO for.

3. Go to the Sign-on tab.

4. Under the SAML Signing Certificates section, you will find Actions > View IDP Metadata. You should be able to get the URL from there.

Google Workspace

1. Log on to the Google Workspace portal and expand “Apps” then select “Web and mobile apps”.

2. Select the application you want to configure SSO for.

3. Click DOWNLOAD METADATA.

ADFS

You can download the “Federation Metadata” file from the link: <your-adfs-domain>/FederationMetadata/2007-06/FederationMetadata.xml.

Important note: After any change to the ADFS configuration, the Federation Metadata file changes, so the user needs to update the Metadata file in the SSO Config in Gamma, or the Federation Metadata public URL, to ensure that Creative Force uses the latest Federation Metadata file.

Duo

1. Log on to the Duo Admin Panel and navigate to Applications.

2. Click Protect an Application and locate the entry for Generic SAML Service Provider with a protection type of "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list. Click Protect on the far-right.

3. Under the Metadata section, copy the Metadata URL.

OneLogin

1. Log in to the developer admin console of OneLogin.

2. Click menu Applications/Applications and choose your App Integration.

3. Click dropdown “More Actions”, and choose “SAML Metadata” to download metadata.

PingFederate

Follow up to step 43 in our PingFederate guide.

Missing SCIM Bearer token

The SCIM Bearer token is not available during the setup process. It is generated only after you click ‘Save’ on the setup dialog and refresh the page.

Cannot log in to Creative Force via SSO login

Invalid token

This error is often due to incorrect attribute mappings.

Review our attribute mapping guidance in the IdP setup articles. For example, in PingFederate (step 15), ensure the required attribute is mapped to a valid email address.

To check if attributes are mapped correctly, follow these steps to capture the SAML response and share it with our Support team:

  1. Open Chrome and press F12 to open Developer Tools.

  2. Go to the Network tab and select Preserve log.

  3. Log in to Creative Force using SSO.

  4. In the Filter box, input idpresponse.

  5. Find the request with the SAML response and click it.

  6. Go to the Payload tab to view the SAML response.

  7. Copy the SAML response and share it with our Support team.
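To inspect the captured value yourself, the following added example (not Creative Force's own tooling) decodes a SAMLResponse locally and reports whether a given attribute carries a valid email address. The attribute names, the `email_attr` parameter and the sample response are constructed assumptions; use the attribute name from your IdP setup article.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def summarize_saml_response(payload: str) -> dict:
    """Decode a SAMLResponse form value and list what the IdP asserted.
    Diagnostic only: it does not verify the signature."""
    xml = base64.b64decode(unquote(payload.strip()))  # DevTools may show it URL-encoded
    if b"<!DOCTYPE" in xml:
        raise ValueError("refusing to parse a document with a DOCTYPE")
    root = ET.fromstring(xml)
    name_id = root.find(f".//{NS}NameID")
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall(f"{NS}AttributeValue")]
             for a in root.iter(f"{NS}Attribute")}
    return {"name_id": None if name_id is None else (name_id.text or "").strip(),
            "encrypted": root.find(f".//{NS}EncryptedAssertion") is not None,
            "attributes": attrs}

def email_mapping_problems(summary: dict, email_attr: str) -> list[str]:
    """email_attr: the attribute name your setup guide asks for (assumption: passed in)."""
    if summary["encrypted"]:
        return ["assertion is encrypted; attributes cannot be read without the SP key"]
    values = summary["attributes"].get(email_attr)
    if not values:
        return [f"{email_attr!r} not sent or empty; IdP sent: {sorted(summary['attributes'])}"]
    return [f"{email_attr!r} value {v!r} is not an email address"
            for v in values if not EMAIL.match(v)]

# Constructed sample: the IdP mapped a username, not an email address, to "email".
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
SAMPLE_PAYLOAD = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for problem in email_mapping_problems(summarize_saml_response(SAMPLE_PAYLOAD), "email"):
        print(problem)
```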

Incorrect provider email

This issue usually occurs when users share computers or devices. Here's an example scenario:

  1. User A logs in to Creative Force using SSO, and the user is led to log into the IdP. The user then logs out of Creative Force but not the IdP.

  2. User B tries to log in to Creative Force using SSO but sees the error message: “The provider email does not match.”

To avoid this, try the options below:

  • Clear your browser’s cache

  • Ask the previous user to log out of the IdP

  • Use a different browser or Incognito mode to log in to Creative Force via app.creativeforce.io

  • Alternatively, log in to Creative Force directly from the IdP

Users are not created in Creative Force after being added to the IdP

Once your IdP is integrated with Creative Force, users added to the IdP should sync automatically to Creative Force - only if your IdP supports SCIM provisioning.

  • New Users to Creative Force: Set up new users in your IdP, and their accounts will sync to Creative Force. You can configure their employment type, user groups, and skills in the setup below.

  • Existing Users in Creative Force: You can add them to the IdP, and they can log in with either SSO or credentials (if SSO isn’t enforced).

Note: If you enforce SSO login, it will take effect on the user’s next login. Creative Force will not log them out immediately.

Cannot log in to Creative Force directly from the IdP

A common error is: “Required String parameter RelayState is not present.”

To avoid this, ensure the RelayState is correctly configured in your IdP by copying the RelayState from Creative Force’s setup instructions.

For more details on logging in directly from your IdP, refer to our detailed Set up Guide.

For further troubleshooting, contact our Support team. We're here to help!
