If you are experiencing issues with Active Directory group membership syncing with CivicPlus groups (user permissions) when users are logging into a CivicEngage Central site via Active Directory Federation Service (ADFS), this article may guide you in troubleshooting the issue or providing the necessary information to CivicPlus Technical Support for further assistance.
If your site is connected to CivicPlus Single Sign-On and you do not have the Security Assertion Markup Language (SAML) Administration module, please reference the Custom Identity Provider (IdP) (ADFS / Okta / Azure Active Directory (AD)) Troubleshooting article.
Who can use this feature?
If you experience issues with user log-in, auto account creation, or group sync, first check to see if these features are enabled in the SAML Administration module (must be in the System Administrator group to access this module).
Below are basic troubleshooting questions that if addressed can help speed up the support process. If possible, please include the answers in your ticket to Support.
- Is the user logging in with their Active Directory credentials?
- Is the user logging in via the ADFS service login prompt?
- Is group syncing enabled in the SAML Administration module?
- Note: This module requires System Administrator permissions to access
- Which group(s) are not syncing?
- Do particular group(s) in the Group Administration module match exactly with the group name(s) in Active Directory?
- Is the user assigned group membership in Active Directory?
- Do particular group(s) show for users in the SAML diagnostics?
- Please provide response data
- Users must log in using their Active Directory log-on (username, domain\username, or username@domain), not their email
- Note: The "username" in the User Administration module is not for authentication. Authentication happens with the identity service and we sync accounts on ADFS Name ID claim value to the username in CivicPlus.
SAML Diagnostics Tool
To use the SAML diagnostics tool, log out and back in using the link, https://[httpsDomainofSite]/admin/?samldiag=ON. You must first have the Admin Login Page enabled for SAML Login to use this diagnostics tool. After logging in, look to see what information is in the Response data. You should see information for email, first name, last name, and groups there.