Single Sign On

This section provides information to help troubleshoot common Single Sign On (SSO) issues.

For information on how to configure Turbo Server to use SSO, please refer to the Authentication Method section.

Azure Active Directory

unsupported_response_type

Occurs when the application registration was not configured with the correct implicit grant type. Please ensure that you have configured your application registration to issue ID tokens.

See Configure Azure AD for more information on configuring the implicit grant types.

access_denied

Occurs when the application registration was not configured with the correct API permissions. Please ensure that you have configured your application registration to grant the User.Read and Directory.Read.All permissions.

See Configure Azure AD for more information on configuring the API permissions.

In collectInfoFromReq: invalid state received in the request

The login response did not return the state that was expected by the Portal.

This may occur for various reasons, for example:

The login request was invalidated by another login or logout request by the same user

To resolve, close any browser tabs with active login attempts then click on the Portal Login button to initiate a new login request.

The login took too long to complete

To resolve, click on the Portal Login button to initiate a new login request and complete the login before the time limit expires.

By default the login request expires in 1 hour.

The user exceeded the maximum number of concurrent login requests

To resolve, close any browser tabs with active login attempts then click on the Portal Login button to initiate a new login request.

By default a user can have a maximum of 5 concurrent login requests.

The Portal service restarted after the user initiated the login request

The Portal server stores the expected login response states server-side in an in-memory cache. If the Portal restarts mid login request, the expected login response state will be cleared from memory, and the login request will fail.

To resolve, wait for all Portal service restarts to complete, then click on the Portal Login button to initiate a new login request.

The Portal connect.sid cookie saved on the client machine is invalid

The connect.sid cookie associates the client browser to the server-side user session cache where the state expected by the login response is stored. If this state becomes invalid for any reason, the login response validation will fail.

This can be resolved by removing the connect.sid cookie from the client machine. To remove this cookie from your browser:

Chrome: Visit chrome://settings/siteData and search for your Portal server's hostname. Click on the matching search result, then click Remove All to clear all Portal cookies.

Firefox: Visit about:preferences#privacy and click Manage Data under Cookies and Site Data. Search for your Portal server's hostname, then click Remove All Shown to clear all Portal cookies.

Edge: Visit edge://settings/siteData and search for your Portal server's hostname. Click on the matching search result, then click Remove All to clear all Portal cookies.
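
The causes listed above all come down to the same server-side lookup failing. The following is an added example, not Turbo Server or Portal code: a minimal Node.js model of a per-session login-state cache with the 1 hour expiry and 5-request limit stated above. The names `LoginStateStore`, `begin` and `redeem` are hypothetical, and dropping the oldest request at the limit and treating each state as single use are assumptions.

```javascript
// Added illustration: a minimal model of a server-side login-state cache.
// Not Turbo Server code; class and method names are hypothetical.
const crypto = require('crypto');

const STATE_TTL_MS = 60 * 60 * 1000; // page: login request expires in 1 hour
const MAX_PENDING = 5;               // page: at most 5 concurrent login requests

class LoginStateStore {
  constructor() {
    this.sessions = new Map(); // session id (connect.sid) -> [{ state, created }]
  }
  // Start a login: remember a fresh random state for this session.
  begin(sid, now = Date.now()) {
    const pending = this.sessions.get(sid) || [];
    const state = crypto.randomBytes(16).toString('hex');
    pending.push({ state, created: now });
    // Assumption: when the limit is exceeded the oldest request is dropped.
    while (pending.length > MAX_PENDING) pending.shift();
    this.sessions.set(sid, pending);
    return state;
  }
  // Validate the state carried by the login response; each state is single use.
  redeem(sid, state, now = Date.now()) {
    const pending = this.sessions.get(sid);
    if (!pending) return 'no-session';       // stale cookie, logout or restart
    const i = pending.findIndex((p) => p.state === state);
    if (i === -1) return 'unknown-state';    // evicted or already used
    const [entry] = pending.splice(i, 1);
    return now - entry.created > STATE_TTL_MS ? 'expired' : 'ok';
  }
  logout(sid) { this.sessions.delete(sid); }  // invalidates pending logins
  restart() { this.sessions.clear(); }        // in-memory cache lost on restart
}

// Constructed walk-through of the failure modes listed above (times in ms).
function demo() {
  const store = new LoginStateStore();
  const first = store.begin('sid-A', 0);
  const ok = store.redeem('sid-A', first, 1000);
  const replay = store.redeem('sid-A', first, 2000);
  const slow = store.redeem('sid-A', store.begin('sid-A', 0), STATE_TTL_MS + 1);
  const oldest = store.begin('sid-A', 0);
  for (let n = 0; n < MAX_PENDING; n++) store.begin('sid-A', 0);
  const evicted = store.redeem('sid-A', oldest, 1000);
  const beforeRestart = store.begin('sid-B', 0);
  store.restart();
  const afterRestart = store.redeem('sid-B', beforeRestart, 1000);
  return { ok, replay, slow, evicted, afterRestart };
}
```

Every outcome other than `ok` corresponds to the single "invalid state received in the request" error, which is why the resolution is always to start a fresh login request.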

In _authCodeFlowHandler: failed to redeem authorization code

Occurs when the login request fails to authenticate due to an application registration or Turbo Server configuration error, such as:

  • The configured return URL does not match the Portal return URL endpoint.
  • The configured secret does not match the application registration's secret.

See Configure Azure AD for more information.

Turbo Server

Login failed: Missing UPN claim

The Turbo user could not be created due to a missing user principal name (UPN) claim.

Turbo Server expects the following claim to be returned in email format by the identity service: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

If you are using Azure AD with SAML 2.0, see Configure Azure AD for more information on setting up the claims.

If you are using ADFS with SAML 2.0, see Configure ADFS for more information on setting up the claims.

User creation failed (401)

The Turbo user could not be created due to an authentication failure.

Occurs when the Portal service has a missing or invalid API key. The Portal may have started with invalid settings due to a configuration change or database access error.

To resolve, please restart the Turbo service on the Portal server and try again in a few minutes.

User creation failed (503)

The Turbo user could not be created due to API service availability.

Occurs when the API service is restarting. Please wait a few minutes and try again.

Login failed (401)

The Turbo user could not be logged in due to an authentication failure.

If you are using SAML authentication, please make sure that your values for the Signing Certificate Thumbprint and Signing Certificate Common Name are correct and that your signing certificate is installed on the Hub server. See Configure Turbo Server for more information on setting up the signing certificate.

Login failed (503)

The Turbo user could not be logged in due to API service availability.

Occurs when the API service is restarting. Please wait a few minutes and try again.
