Troubleshoot common SSO errors in Lansweeper Sites

Single Sign-On (SSO) integration can streamline access to Lansweeper Sites, but misconfigurations or incomplete setups may lead to issues.

This article provides a comprehensive list of common SSO-related errors, their causes, and step-by-step solutions to resolve them effectively. Whether it's verifying domains, resolving login issues, or troubleshooting configuration mismatches, you'll find actionable guidance to ensure a seamless SSO experience.

1. Error in your email verification

Message: Your email verification is still pending, please verify now. Click here to resend email.
Cause: Manual email verification is not required/expected/possible.
Solution: When SSO is set up for Lansweeper Sites, it needs to be configured with the attribute email_verified = true. For more information on how to set up Lansweeper SSO, see Set up Lansweeper SSO.

2. Oops! Something went wrong

Message: There could be a misconfiguration in the system or a service outage.
Possible cause: You are trying to log in from your IdP, but the setting "Enable IdP-initiated single sign-on" is not enabled in Lansweeper settings.
Solution: Enable the "IdP-initiated single sign-on" option in Lansweeper's SSO connection settings.

3. Prompt to create a new Site when SSO is enabled

Cause: Users from a domain where SSO is set up are prompted to create a new site because they need to be invited to the Site and accept the invitation within 24 hours.
Solution: Cancel any pending invitations and send new invitations to affected users. For more details, see SSO Users Are Prompted to Create a New Lansweeper Site.

4. Continuous loop or page refresh on the sign-in screen

Cause: The Sign-In URL is incorrect in your Lansweeper SSO setup.
Solution: Copy the Login URL from your app’s SSO configuration and paste it into the Sign-In URL field in Lansweeper’s SSO Connection settings.

5. Account Linking Was Not Completed

Message: "Account linking was not completed. Please log in with SSO and try to link your accounts again. If the problem persists, contact your administrator."
Cause: Failure to link multiple identities on the Lansweeper side.
Solution: Log a support portal case and provide the email address associated with the multiple identities so the support team can resolve the issue by merging them.

6. Cisco Duo issue: missing email attribute

Message: "Your identity provider is not sending your email, so we cannot complete your access to Lansweeper. Contact your administrator to adjust the settings."
Cause: Incorrect or missing mapped attribute.
Solution: Under Map Attributes, set the IdP attribute <E-mail Address> to the SAML Response attribute email.

7. Domain verification fails after creating a TXT record

Message: "The domain could not be verified successfully."
Cause: The DNS TXT record may not have been created correctly.
Solution:

• Ensure the TXT record is created at the root of your domain (not a subdomain).
  For example:

  Type	Domain	TTL	Record
  TXT	http://lansweeper.com/	30 min	09FB543B8C...

• Confirm the DNS record is publicly visible using a tool like MxToolbox.

8. Audience is invalid

Message: "Audience is invalid. Configured: urn."
Cause: A mismatch between the Entity ID in Lansweeper’s SAML connection and the IdP settings.
Solution: Add the Entity ID from Lansweeper’s SSO setup to the Audience Restriction field in your IdP’s SAML settings.

9. Error creating the connection

Possible cause: Web filtering may block the upload of the certificate file, causing an error in the UI.
Solution:

1. Open developer tools in your browser:

   • Chrome: Right-click and select Inspect.
   • Firefox: Go to Web Developer > Toggle Tools.
   • Edge: Go to More Tools > Developer Tools.
2. Attempt to create the SSO connection again and capture network traffic for troubleshooting.
3. Log a support portal case and include error messages or network request details.

10. AADSTS700016: Application not found

Message: "Sorry, but we're having trouble signing you in."
Cause: Mismatch between the Entity ID in Lansweeper’s setup and Azure AD SSO configuration.
Solution: Verify that the Entity ID in Lansweeper matches the corresponding field in your IdP’s SSO app.

11. "SSO is not enabled for your domain"

Message: You successfully configured and tested SSO but still receive an error when logging in with your email address.
Cause: The incorrect domain may be enabled for SSO.
Solution: Ensure the correct domain name is enabled under Settings > Single Sign-On in your Lansweeper Site.

12. Invalid thumbprint error

Message: "Invalid thumbprint."
Cause: A bug in Lansweeper Sites causes Azure-generated certificates to fail.
Solution:

1. Generate a new certificate in Azure AD.
2. Export the certificate in PEM format.
3. Import the PEM certificate into Lansweeper’s SSO configuration.

Additional tips and tricks

• By default, the user who sets up SSO for a domain becomes the SSO Connection Manager. To add additional managers, follow the instructions here.