If you see an error on the Envoy login screen after attempting to sign in to Envoy using SSO, you may need to check some configuration settings.
Scenario 1: SAML certificate is not valid
This may indicate that the identifiers are misconfigured for the Envoy Relying Party Trust. Open the Identifiers tab of the Relying Party Trust properties dialog and ensure that there is a single Relying Party identifier, https://app.envoy.com/a/saml/consume.
Scenario 2: SAML account not found
This error could result from a couple of problems:
It may indicate that the fingerprint in the Envoy configuration is misconfigured. Make sure that you have the SHA1 fingerprint (or thumbprint) of the token-signing certificate, not of some other certificate on the server. If you are unsure which certificate is used, you may try capturing the SAML request in the browser and decoding it to check.
It may also indicate that the SAML assertion was sent successfully, but that Envoy could not find a user that corresponds to the email address in it. Ensure that the user who is logging in has an email address that is already provisioned and confirmed in Envoy.
Scenario 3: No error, just displays login screen
This may indicate that the user’s email address is not being sent correctly. Double-check that there are two Claim Rules configured to send the LDAP email address as a Name ID claim.
Scenario 4: AADSTS75011: Authentication method by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Envoy_SSO application owner.
This error is most likely due to Envoy setting 'Password, ProtectedTransport' as an exact-match requirement for the authentication method used through SSO. Please contact Envoy Support so that we can adjust the requirements of your specific SAML integration and make that setting optional.
Note: This typically happens only when setting up SAML through Azure AD.
If you need support
If you need to contact Envoy support, there are a few pieces of information that we’ll need in order to resolve your issue.
Tell us the exact time that you tried logging in and saw an error; this lets us look up the failure in our logs. Let us know the email address of the user that is attempting to log in, so we can confirm that the user exists in our system.
It’s also very helpful to capture the SAML request in the browser so we can compare it to what we expect. Most web browsers support a way to view the contents of a request. Here’s how to capture the request in Internet Explorer 11.
Before making the login attempt, hit F12 to open Developer Tools. Click to the Network tab, and press the green play button to start recording.
Now try to sign in. After the attempt fails, you should see many requests in the network tab at the bottom of the screen. The one we are interested in is the POST request to our SAML consume endpoint, https://app.envoy.com/a/saml/consume.
Click DETAILS and examine the Request Body. It should start with “SAMLResponse=…” followed by a long block of encoded data.
Select this data and send it to us. You can also decode it yourself here.
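The captured “SAMLResponse=…” body can be checked locally before contacting support. The following Python script is an added example, not Envoy’s own tooling: it URL-decodes and Base64-decodes the response, pulls out the token-signing certificate embedded in the assertion and prints its SHA1 fingerprint (Scenario 2), checks that a NameID in email format is present (Scenario 3), and checks that the Audience matches the Relying Party identifier https://app.envoy.com/a/saml/consume (Scenario 1). The sample body it builds is constructed inline so the script runs offline; the certificate bytes in it are a placeholder rather than a real DER certificate, and the issuer URL and user email are made up.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Relying Party identifier that the article says Envoy expects in the trust.
EXPECTED_AUDIENCE = "https://app.envoy.com/a/saml/consume"
NAMEID_EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholder "certificate" bytes (NOT a real DER certificate). Chosen so the
# fingerprint equals the well-known SHA1 test vector for sha1(b"abc").
FAKE_CERT_DER = b"abc"


def build_sample_body(name_id="jane.doe@example.com", audience=EXPECTED_AUDIENCE):
    """Construct a request body shaped like the one copied from the browser."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_constructed" Version="2.0">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="{NAMEID_EMAIL_FORMAT}">{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    encoded = base64.b64encode(xml.encode()).decode()
    # Browsers form-encode the value, so '+', '/' and '=' appear percent-encoded.
    return "SAMLResponse=" + quote(encoded, safe="")


def decode_saml_response(body):
    """URL-decode then Base64-decode a 'SAMLResponse=...' body into an XML tree."""
    raw = parse_qs(body)["SAMLResponse"][0]  # parse_qs undoes the percent-encoding
    return ET.fromstring(base64.b64decode(raw))


def sha1_fingerprint(der_bytes):
    """Colon-separated upper-case SHA1 thumbprint, as ADFS displays it."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_response(body, configured_fingerprint):
    """Extract the fields the article's scenarios depend on and compare them."""
    root = decode_saml_response(body)
    status = root.find(".//samlp:StatusCode", NS)
    cert_el = root.find(".//ds:X509Certificate", NS)
    name_id = root.find(".//saml:NameID", NS)
    audience = root.find(".//saml:Audience", NS)

    fp = sha1_fingerprint(base64.b64decode(cert_el.text.strip())) if cert_el is not None else None
    normalize = lambda s: s.replace(":", "").lower()
    return {
        "status": status.get("Value") if status is not None else None,
        "fingerprint": fp,
        "fingerprint_matches": fp is not None and normalize(fp) == normalize(configured_fingerprint),
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_is_email_format": name_id is not None and name_id.get("Format") == NAMEID_EMAIL_FORMAT,
        "audience": audience.text.strip() if audience is not None and audience.text else None,
        "audience_matches": audience is not None and audience.text.strip() == EXPECTED_AUDIENCE,
    }


def diagnose(findings):
    """Map the findings back to the scenarios described in the article."""
    problems = []
    if not findings["audience_matches"]:
        problems.append("Scenario 1: Audience does not match the Relying Party identifier")
    if not findings["fingerprint_matches"]:
        problems.append("Scenario 2: signing certificate fingerprint differs from the one configured in Envoy")
    if findings["name_id"] is None or not findings["name_id_is_email_format"]:
        problems.append("Scenario 3: no email-format NameID was sent (check the Claim Rules)")
    return problems


if __name__ == "__main__":
    # Fingerprint as it would be pasted into the Envoy configuration (constructed).
    configured = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"
    result = inspect_response(build_sample_body(), configured)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("problems:", diagnose(result) or "none")
```

To use it on a real capture, replace the constructed body with the exact Request Body text from the Network tab and the constructed fingerprint with the one entered in Envoy; the fingerprint the script prints should match the thumbprint shown on the ADFS token-signing certificate, and a mismatch points at the wrong certificate having been used.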