If you are experiencing issues with users logging into your website through ADFS or with Active Directory group membership syncing with CivicPlus groups (user permissions) when logging in through ADFS, this article may guide you in troubleshooting the issue or providing the necessary information to CivicPlus Technical Support for further assistance.
Important Note
If your site is connected to CivicPlus Single Sign-On (SSO) and you do not have the SAML Administration module, please see the Custom Identity Provider (IdP) Troubleshooting article for more assistance.
Troubleshoot ADFS Login Issues
If experiencing issues with user log-in, auto account creation, or group sync, first check to see if these features are enabled in the SAML Administration module (must be in the System Administrator group to access this module).
Below are basic troubleshooting questions that, if addressed, speed up the support process. If possible, please include the answers in your ticket to Support.
- Is the user logging in with their Active Directory credentials?
- Is the user logging in through the ADFS service login prompt?
- What error does the user get when they try to log in? Please provide a screenshot.
- Do the user’s name, email address, and group information appear in the SAML diagnostics?
- Please provide Response data.
- Users must log in using their Active Directory login (username, domain\username, or username@domain), not their email.
Note: The "username" in the User Administration module is not what is used for authentication. Authentication happens with the identity service, and we sync accounts by matching the ADFS Name ID claim value to the username in CivicPlus.
Login Error Messages
Error: “Login Failed – Cannot validate SAML token.”
Cause: The certificate configured for signature validation in the SAML Administration module of the website does not match the certificate ADFS used to sign the SAML response. This occurs when the ADFS signing certificate on your ADFS server is renewed.
Fix: Update the Signature Verification Certificate in the SAML Administration module of your CivicEngage Central website. If you need any assistance performing these steps, please reach out to Technical Support.
Troubleshoot ADFS Group Sync Issues
If you experience issues with user log-in, auto account creation, or group sync, first check to see if these features are enabled in the SAML Administration module (must be in the System Administrator group to access this module).
Below are basic troubleshooting questions that, if addressed, can help speed up the support process. If possible, please include the answers in your ticket to Support.
- Is the user logging in with their Active Directory credentials?
- Is the user logging in through the ADFS service login prompt?
- Is group syncing enabled in the SAML Administration module?
Note: This module requires System Administrator permissions to access.
- Which group(s) are not syncing?
- Do particular group(s) in the Group Administration module match exactly with the group name(s) in Active Directory?
- Is the user assigned group membership in Active Directory?
- Do particular group(s) show for users in the SAML diagnostics?
- Please provide Response data.
- Users must log in using their Active Directory log-on (username, domain\username, or username@domain), not their email.
Note: The "username" in the User Administration module is not for authentication. Authentication happens with the identity service, and we sync accounts by matching the ADFS Name ID claim value to the username in CivicPlus.
SAML Diagnostics Tool
To use the SAML diagnostics tool, log out, then log back in using the link https://[httpsDomainofSite]/admin/?samldiag=ON. To use this diagnostics tool, the Admin Login Page must first be enabled for SAML Login (a System Administrator enables this in the SAML Administration module). After you log in, check what information is in the Response data. You should see information for email, first name, last name, and groups listed there.
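The checks described above can be run offline against saved Response data. This is an added example, not CivicPlus code. It assumes the Response data is SAML XML that embeds the ADFS signing certificate, that groups arrive in the attribute named by `GROUP_ATTR`, that "match exactly" means string equality, and that the configured certificate is available as base64 text; the sample response and certificate bytes are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"  # assumed group claim name

# Constructed sample: placeholder bytes stand in for real DER certificates.
OLD_CERT = base64.b64encode(b"constructed-old-signing-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-renewed-signing-cert").decode()
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>
   <ds:X509Data><ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="{GROUP_ATTR}">
    <saml:AttributeValue>Web Editors</saml:AttributeValue>
    <saml:AttributeValue>parks staff</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def fingerprint(cert_b64):
    """SHA-256 of the decoded certificate bytes, whitespace ignored."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def diagnose(response_xml, site_groups, configured_cert_b64, group_attr=GROUP_ATTR):
    """Return findings; this compares values only and verifies no signature."""
    root = ET.fromstring(response_xml)
    findings = []
    if not (root.findtext(".//saml:Subject/saml:NameID", namespaces=NS) or "").strip():
        findings.append("no Name ID: account cannot be matched to a username")
    cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert and fingerprint(cert) != fingerprint(configured_cert_b64):
        findings.append("signing certificate differs from configured certificate")
    groups = [v.text or "" for a in root.iterfind(".//saml:Attribute", NS)
              if a.get("Name") == group_attr
              for v in a.iterfind("saml:AttributeValue", NS)]
    if not groups:
        findings.append("no group values in Response")
    for g in [g for g in groups if g not in site_groups]:
        near = [s for s in site_groups if s.strip().casefold() == g.strip().casefold()]
        findings.append(f"group '{g}' " + (f"differs only by case/spacing from '{near[0]}'"
                                           if near else "has no matching site group"))
    return findings
```

Calling `diagnose(SAMPLE, ["Web Editors", "Parks Staff"], OLD_CERT)` reports the renewed signing certificate and the group name that differs only by case, the two conditions behind the login error and the group sync failures covered in this article.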
Article Glossary
The terms located in this section are listed alphabetically.
- ADFS: Active Directory Federation Services
- Admin: Administrator
- ID: Identification
- IdP: Identity Provider
- SAML: Security Assertion Markup Language
- SSO: Single Sign-On