Single Sign On

Troubleshoot Single Sign-On (SSO) issues for Turbo Server users.

For configuration steps, see the Authentication Method section.


Azure Active Directory

unsupported_response_type

Problem

  • The application registration is missing the implicit grant required to issue ID tokens.

Solutions

access_denied

Problem

  • The application registration lacks the required API permissions.

Solutions

  • Grant User.Read and Directory.Read.All permissions in the app registration. See Configure Azure AD.

In _validateResponse: jwt is not active

Problem

  • The system clock on the server is out of sync, invalidating the token.

Solutions

  • Correct the server clock and restart the Turbo service.
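
An added example (not Turbo Server or Azure AD code) of the comparison behind this error: it decodes a token's payload without verifying the signature and reports which time claim the local clock violates and by how many seconds. The function names, the 300-second tolerance and the sample token are assumptions constructed for illustration.

```javascript
// Diagnostic only: decodes the payload WITHOUT verifying the signature.
// Never use this to make an authentication decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 parts)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Compare nbf / iat / exp (seconds since epoch, RFC 7519) with the given clock.
// toleranceSec is an assumed skew allowance, not a Turbo Server setting.
function checkTimeClaims(token, nowMs = Date.now(), toleranceSec = 300) {
  const { nbf, iat, exp } = decodeJwtPayload(token);
  const now = Math.floor(nowMs / 1000);
  const findings = [];
  if (typeof nbf === 'number' && now + toleranceSec < nbf) {
    findings.push(`not active yet: server clock is ${nbf - now}s behind nbf`);
  }
  if (typeof iat === 'number' && now + toleranceSec < iat) {
    findings.push(`issued in the future: server clock is ${iat - now}s behind iat`);
  }
  if (typeof exp === 'number' && now - toleranceSec >= exp) {
    findings.push(`expired: server clock is ${now - exp}s past exp`);
  }
  return { ok: findings.length === 0, now, nbf, iat, exp, findings };
}

// Constructed sample token with a placeholder signature, for the demo only.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

const issued = 1700000000; // constructed timestamp
const sample = makeSampleToken({ sub: 'user-1', nbf: issued, iat: issued, exp: issued + 3600 });

// Server clock ten minutes slow: the token appears to come from the future.
console.log(checkTimeClaims(sample, (issued - 600) * 1000));
// Server clock in sync: no findings.
console.log(checkTimeClaims(sample, (issued + 5) * 1000));
```

Run it on the Portal server against a token captured during a failed login; a large "behind nbf" value confirms that the server clock, not the identity provider, needs correcting.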

In collectInfoFromReq: invalid state received in the request

Problem

  • The login response state does not match the value expected by the Portal.

Solutions

  • Close other tabs with active logins and start a new Portal login.
  • Complete the login within the one-hour request lifetime.
  • Limit concurrent logins; only five are allowed per user at once.
  • Wait for Portal service restarts to finish before retrying.
  • Clear an invalid connect.sid cookie:
    • Chrome: chrome://settings/siteData, search for your Portal hostname, then Remove All.
    • Firefox: about:preferences#privacy > Manage Data, search the hostname, then Remove All Shown.
    • Edge: edge://settings/siteData, search the hostname, then Remove All.
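
The solutions above each remove one way the state check can fail. The added example below models that check; it is not Turbo Server code. The `PendingLogins` class and its eviction of the oldest entry when the limit is exceeded are assumptions, while the one-hour lifetime and the limit of five come from this page.

```javascript
const crypto = require('node:crypto');

const STATE_TTL_MS = 60 * 60 * 1000; // one-hour request lifetime (from this page)
const MAX_PENDING = 5;               // five concurrent logins per user (from this page)

// Hypothetical per-session store; in a real deployment it lives server-side
// and is located through the session cookie (connect.sid on this page).
class PendingLogins {
  constructor() { this.items = []; } // entries: { state, createdAt }

  // Start a login: mint an unguessable state value and remember it.
  begin(nowMs = Date.now()) {
    const state = crypto.randomBytes(32).toString('base64url');
    this.items.push({ state, createdAt: nowMs });
    // Assumption: when the cap is exceeded the oldest pending login is dropped.
    while (this.items.length > MAX_PENDING) this.items.shift();
    return state;
  }

  // Handle the callback: the returned state must match a live, unused entry.
  redeem(returned, nowMs = Date.now()) {
    this.items = this.items.filter((e) => nowMs - e.createdAt < STATE_TTL_MS);
    const got = Buffer.from(String(returned));
    const i = this.items.findIndex((e) => {
      const want = Buffer.from(e.state);
      return want.length === got.length && crypto.timingSafeEqual(want, got);
    });
    if (i === -1) return false; // "invalid state received in the request"
    this.items.splice(i, 1);    // single use: a replayed response fails
    return true;
  }
}

function demo() {
  const t0 = 1700000000000; // constructed clock value
  const session = new PendingLogins();
  const first = session.begin(t0);
  const tabs = [1, 2, 3, 4, 5].map((n) => session.begin(t0 + n)); // five more tabs
  const late = session.begin(t0 + 10);
  return {
    evicted: session.redeem(first, t0 + 20),                   // false: pushed out by newer logins
    newest: session.redeem(tabs[4], t0 + 30),                  // true
    replay: session.redeem(tabs[4], t0 + 40),                  // false: already used
    expired: session.redeem(late, t0 + 10 + STATE_TTL_MS),     // false: one hour has passed
    lostSession: new PendingLogins().redeem(tabs[3], t0 + 50), // false: restart or stale cookie
  };
}
console.log(demo());
```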

In _authCodeFlowHandler: failed to redeem authorization code

Problem

  • The authorization code cannot be exchanged because of a configuration mismatch.

Solutions

  • Verify the return URL matches the Portal return endpoint.
  • Confirm the configured secret matches the app registration secret. See Configure Azure AD.

Response_type 'id_token' is not enabled for the application.

Problem

  • Error AADSTS700054 indicates ID tokens (used in implicit and hybrid flows) are disabled.

Solutions

  • Enable ID tokens under Authentication > Implicit grant and hybrid flows in the app registration.

Turbo Server

Login failed: Missing name ID

Problem

  • Turbo Server cannot create the user because no name ID is present.

Solutions

  • Ensure the SAML subject returns nameID or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.
  • If Attribute Mapping is configured, confirm it points to an existing attribute from the IdP.
  • See provider guides for claim setup: Azure AD or ADFS.

Login failed: Missing Email claim

Problem

  • The identity provider did not return the email claim.

Solutions

  • Configure the provider to return the email claim. See Configure Azure AD for OpenID Connect setups.

Login failed: Missing sub claim

Problem

  • The identity provider did not return the required sub claim.

Solutions

  • Update the IdP to include the sub claim. See OpenID Connect for required claims.

Failed to load OpenID provider metadata

Problem

  • The Portal cannot load OpenID Provider Metadata from the configured URL.

Solutions

  • Confirm the Provider Metadata URL is correct and reachable from the Portal server.
  • For Azure AD, verify the settings in Configure Turbo Server.

Your SSO tenant with ID "xxxx" is not approved for login.

Problem

  • Login fails because the tenant ID is not in the accepted list.

Solutions

privateKey is required

Problem

  • The authentication request cannot be signed because the Request Signing Private Key is missing.

Solutions

  • Confirm the Request Signing Private Key is set under Users > Authentication.
  • If request signing is not needed, disable Request Signing in the same section.

error:1E08010C:DECODER routines::unsupported

Problem

  • The authentication request cannot be signed because the private key is invalid.

Solutions

  • Replace the Request Signing Private Key with a valid key in Users > Authentication.
  • Disable Request Signing if your setup does not require it.
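
Both signing errors above ("privateKey is required" and the DECODER error) can be caught before the key is saved. The added example below is a pre-flight check on the PEM text; it is not Turbo Server code, and using Node.js's `crypto` module here is an assumption about tooling, not a statement about how the Portal loads the key. `checkSigningKey` and the sample inputs are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Returns { ok, reason } for a candidate Request Signing Private Key (PEM text).
function checkSigningKey(pem) {
  if (typeof pem !== 'string' || pem.trim() === '') {
    return { ok: false, reason: 'no private key supplied' };
  }
  if (/-----BEGIN (CERTIFICATE|PUBLIC KEY)-----/.test(pem)) {
    return { ok: false, reason: 'PEM holds a certificate or public key, not a private key' };
  }
  let key;
  try {
    key = crypto.createPrivateKey(pem); // throws when OpenSSL cannot decode the input
  } catch (err) {
    return { ok: false, reason: `cannot decode key: ${err.message}` };
  }
  try {
    // Sign and verify a constructed message to prove the key is usable.
    const algo = ['ed25519', 'ed448'].includes(key.asymmetricKeyType) ? null : 'sha256';
    const data = Buffer.from('constructed test message');
    const sig = crypto.sign(algo, data, key);
    const ok = crypto.verify(algo, data, crypto.createPublicKey(key), sig);
    return { ok, reason: ok ? `usable ${key.asymmetricKeyType} key` : 'signature did not verify' };
  } catch (err) {
    return { ok: false, reason: `key decoded but cannot sign: ${err.message}` };
  }
}

// Constructed inputs: a fresh key, an empty value, an undecodable body, a certificate.
function demo() {
  const { privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const garbage = '-----BEGIN PRIVATE KEY-----\nbm90IGEga2V5\n-----END PRIVATE KEY-----\n';
  const cert = '-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n';
  return {
    good: checkSigningKey(privateKey.export({ type: 'pkcs8', format: 'pem' })),
    missing: checkSigningKey(''),
    garbage: checkSigningKey(garbage),
    cert: checkSigningKey(cert),
  };
}
console.log(demo());
```

The check never prints the key itself, only the verdict; a passphrase-protected key is reported as undecodable because no passphrase is supplied.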

User creation failed (401)

Problem

  • The Portal cannot create the user because authentication failed.

Solutions

  • Restart the Turbo service on the Portal server to refresh API keys and settings, then retry.

User creation failed (503)

Problem

  • The Portal cannot create the user because the API service is restarting.

Solutions

  • Wait a few minutes for the API service to come online, then retry.

Login failed (401)

Problem

  • Authentication failed during login.

Solutions

  • For Azure AD OpenID, ensure these API permissions are added: Microsoft Graph > Delegated permissions > User > User.Read and Directory > Directory.Read.All.
  • For SAML, confirm Signing Certificate Thumbprint and Signing Certificate Common Name are correct and the signing certificate is installed on the Hub server. See Configure Turbo Server.

Login failed (503)

Problem

  • Login fails because the API service is restarting.

Solutions

  • Wait for the API service to finish restarting, then attempt login again.

Login failed (404)

Problem

  • The user cannot be found in the SSO directory service because the account already exists in another directory.

Solutions

  • Delete the existing user with the same login name in the conflicting directory service, then retry the SSO login.
