I am a Zivver admin
Configure and manage Zivver
Single Sign-On - Troubleshooting login problems with ADFS
Introduction
Zivver offers the option to set up Single Sign-On (SSO) with ADFS. Then, users can conveniently log in with their AD credentials. Are you experiencing a problem with the SSO configuration between ADFS and Zivver? This article helps you to troubleshoot such issues.
Prerequisites
For this guide, you need these: - A Zivver account with administrator rights. - Your account is a member of the Zivver organization for which your are troubleshooting SSO. - Administrator access to the ADFS server.
Quick fix
A quick way to fix many SSO-related problems, is to remove the configuration altogether from both ADFS and Zivver. Then, configure from scratch. This takes approximately 15 minutes.
Resetting the SSO configuration
- Make sure Use Single Sign-On is selected under Single sign-on with SAML on the Zivver SSO Settings page.
- Remove all the information from Zivver.\
Click the Clear button at the bottom of the Zivver SSO Settings page. - Remove the Relying Party Trust from ADFS.\
Select it. Then, select the option Delete. - Do the SSO configuration again.\
Open the installation manual. - Test if the problem is resolved by logging in to Zivver. +
Examine the logs
Alternatively, or if the quick fix did not work, examine the ADFS log in the Event Viewer for errors. This log contains more information than a web browser.
- Open Event Viewer (Run
eventvwr.msc
) on the ADFS server. - Go to Applications and Services Logs.
- Go ADFS > Admin.
- Search the log for errors that occurred on the corresponding time and date.
Does the error in the Event Viewer show information about the cause of the problem? For example, it might tell you that the user entered the wrong password.
Check the error in Chrome
Alternatively, you can try to log in with SSO in the Chrome browser. + Chrome is preferred in this case, because Chrome shows more error information than Internet Explorer for example.
If you or your users experience errors while you try to log in, the specific error information can help you to find the cause and troubleshoot the issue.
To retrieve the error, do these steps:
- In Chrome, go to app.zivver.com. Then, enter your, or the affected user’s, email address. \
A pop-up opens. - Select Workplace to log in with SSO if you log in with an administrator account.\
The ADFS login page should appear. - Log in to ADFS with your workplace credentials.\
Examine the error message.
If the error does not show enough information to the cause of the problem, search online or search in this troubleshooting guide.
Does the problem stay? Read the rest of the guide.
Read more about these errors and solutions.
Troubleshooting
How to troubleshoot issues with SSO.
Troubleshooting steps
For example: “A white screen appears while trying to log in to the mobile app using SSO”, or “Zivver asks for my password after logging in to ADFS”.
Do these steps to pinpoint your problem:
- Check the error in Chrome to attempt to log in with SSO.\
This helps to determine where the problem occurs exactly, or might show a specific error message. - Choose the description that is closest to the problem:
- SSO doesn’t seem active; it’s not redirecting from Zivver to ADFS. Nothing happens after entering the email address in the web app
- SSO redirects from Zivver to ADFS (or tries to), but still can’t log in. Zivver tries to log you in after you enter the email address, but the problem occurs after that. Continue with step 3 below.
- Choose the option that matches your problem the best:
- The ADFS login page does not appear. + Nothing seems to happen when Zivver tries to redirect you. See this section of the guide for relevant fixes.
- The ADFS login page appears, but login doesn’t work. For example, your credentials are not accepted while logging in to ADFS. See this section of the guide for relevant fixes.
- Log in to ADFS works, but the problem occurs after that. + You have logged in to ADFS, but you are not sent back to Zivver, because of an error or a white screen for example. Continue with step 4.
- Choose the description that is most similar to your problem: +
- Zivver doesn’t appear. + You logged in to ADFS successfully, but you’re not redirected to Zivver properly. See this section of the guide for relevant fixes.
- Zivver appears, but I’m not logged in yet. + After logging in to ADFS, Zivver appears as expected, but you are not logged in yet with your Zivver account. See this section of the guide for relevant fixes.
Nothing happens after entering my email address
You landed here because nothing happens after you entered your email address on app.zivver.com. Answer this question to further pinpoint the problem: Does the problem exist for all users, only for one, or more specific users?
- The problem happens only for some specific user(s). Go here.
- The problem exists for all users. Go here.
SSO is not active for specific users
This section lists possible causes for the problem where SSO does not seem to be active for specific user(s), meaning users are not directed to ADFS after entering their email address on app.zivver.com.
The user is not a member of the Zivver organization If the email address that you entered is not a member of the Zivver organization, SSO does not function for this specific account.
Fix: Check the accounts page if the email address is a member of the organization. If that is not the case, create an account for them or invite them if they already have an account.
** The email address does not match a claimed domain** Zivver can log you in via SSO only when the domain in the email address is recognized as one of the organization’s claimed domains. Perhaps a typo was made in the email address, or the user has an email address with a different domain than most other users.
Fix: Enter the email address again and avoid typos, or claim the additional domain in the Domains pane of the organization settings on app.zivver.com.
SSO is not active for any users
This section lists possible causes for the problem where SSO seems to be inactive for all users of your organization.
The domain is not claimed in Zivver
The domain of the users that are logging in via SSO is not claimed within the organization in Zivver.
Fix: Open this link: How to claim your email domain in Zivver to claim the domain for the organization.
SSO is not enabled
After configuring the SSO connection in both Zivver and ADFS, it needs to be enabled within Zivver for it to work.
Fix: Enable SSO by checking the box next to Use Single Sign-On in the Zivver SSO settings page.
The metadata is incorrect
The ADFS metadata contains necessary information to make SSO work. Read these three subsections for solutions.
The ADFS metadata URL is incorrect
If the ADFS metadata URL is incorrect, Zivver cannot retrieve the data necessary for SSO. This can happen when the FQDN of the ADFS server changes.
Fix: Open link:these steps from the ADFS manual to update the metadata URL.
The ADFS server is blocked to external traffic
If the ADFS server is inaccessible from outside of the company network, Zivver cannot access the metadata via the specified URL.
Fix: Allow the ADFS server to be reached from anywhere on the internet, or paste the static metadata XML into the Zivver SSO settings by following these steps in the AFDS manual.
The ADFS metadata XML is out of date
Only applies if you use the static metadata XML, instead of the metadata URL. In this case, the option Manually paste your organization’s Identity Provider (IdP) SAML metadata XML file contents. under Single sign-on with SAML is checked in the Single Sign-On pane of the organization settings on app.zivver.com.
The ADFS metadata might have become invalid. The metadata changes when there are changes made to the Zivver relying party trust’s settings in ADFS, or the settings of ADFS in general, such as the authentication method for example. It also changes when the certificate is renewed. This might have happened automatically on the ADFS server.
Fix: Paste the static metadata XML into the Zivver SSO settings by following these steps in the AFDS manual.
The ADFS login page does not appear
Are you not forwarded properly to ADFS from Zivver? + In this case, Zivver did not properly send you to the ADFS login page after you entered your email address in the web app.
Read these causes and fixes.
The Relying Party Trust is disabled in ADFS
In other words, the SSO connection is configured, but not enabled within ADFS management.
Fix: Open ADFS Management app and set the status of the Zivver relying party trust to Enabled.
ADFS metadata issues
The ADFS metadata contains information that is necessary for SSO to work. See this section for the causes and solutions.
The ADFS server can not be reached
Fix: Allow users to connect to the ADFS server from external network locations.
No valid certificate on the AFDS server
If the ADFS server does not have an active/valid SSL certificate, an error shows in the browser instead when users are directed to the ADFS log in page.
The exact error might be different. But, for example, it says this: “There is a problem with the website’s security certificate.”, or “Access is denied.”, or simply “An error occurred”.
Fix: Make sure there is a valid certificate on the ADFS server, for example by renewing an existing one. See this article for more information.
Page can’t be found
Internet Explorer 11 (IE11) shows the error “The page can’t be found.” when you try to connect to ADFS. This might happen because of the security settings of IE11.
Fix: Add https://[wildcard].zivver.com
as a trusted website in Internet Options.
White screen in mobile app
SSO works as expected when logging in from app.zivver.com, but not from the Zivver mobile app. When you enter your email address in the mobile app, a white screen or an error appears and you are not forwarded to the ADFS login page. This happens because Windows Integrated Authentication is enabled, but the Windows pop-up can’t be displayed properly on mobile devices.
Cause: The problem is caused by the fact that Global Primary Authentication method for ADFS is set to Windows Authentication and not Forms-based Authentication. Forms Authentication cannot be used as a secondary authentication method, when Windows Authentication is set as the primary authentication method. This is due to a known issue with ADFS. You can verify this by logging in to app.zivver.com, as described in subchapter Check the error in Chrome, and checking if you get a web-based form to log in to, or a Windows pop-up.
Fix: The work-around for this is to enable Windows Authentication for Intranet access to Zivver, and Forms Authentication for Extranet access. Then, users can log in to the mobile app with SSO from outside of the company network.
The information below applies only if an IIS server is used in combination with ADFS. If you use an IIS server, read the information below.
Redirect users to a login form (forms-based authentication), instead of a Windows pop-up. For this, you need to change the web.config
file, which can be found under c:\inetpub\adfs\ls
on the ADFS server.
Find the localAuthenticationTypes
element, and make sure that Forms
is the first entry.
<localAuthenticationTypes> <add name="Forms" page="FormsSignIn.aspx" /> <add name="Integrated" page="auth/integrated/" /> <add name="TlsClient" page="auth/sslclient/" /> <add name="Basic" page="auth/basic/" /> </localAuthenticationTypes<
I can not log in to ADFS
This section describes the several causes and solutions for the problem where you can not log in to ADFS. + Describe the scope of the problem you are experiencing:
- The problem happens only for some specific user(s). Click here, or read on for possible causes and fixes.
- The problem exists for all users. Go here for possible causes and fixes.
Specific users can not log in to ADFS
If some of your users can not log in to ADFS, read these causes and solutions:
Check the logs
If only specific user(s) can not log in to ADFS, the cause may simply be that they entered the wrong password for example.
Fix: Check the logs for errors such as failed login attempts due to invalid credentials.
The account is disabled in AD
Accounts that are locked out or disabled in Active Directory can’t log in via ADFS.
Fix: Enable the user account in AD to log in via ADFS.
Duplicate UPN present in AD
If multiple objects (users) exist in AD with the same User Principal Name (UPN), both of them cannot log in to ADFS.
Fix: Search the AD for the UPN of the user that is experiencing the problem to see if duplicates exist, and remove or change them.
No users can log in to ADFS
If none of your users can log in to ADFS, read these cause and related fixes:
Users are not able to log into ADFS using their email address
In most cases, the UPN is used to log in, but this may not always be the same as the email address - for example @zivver.com vs @zivver.local.
Fix: Change the logon name manually on the ADFS login page to log in.
User friendly fix: To make the login process easier for users, apply one of the options below:
- Modify the ADFS
onload.js
, so that the username field is empty by default. To do this, add this line:\
document.forms['loginForm'].UserName.value = ' '
- Modify the ADFS
onload.js
, so that the username is automatically entered in the appropriate field. Do this by adding the following line:document.forms['loginForm'].UserName.value = 'yourdomain.local\yourusername'
- Allow users to log in with their email address, instead of the SamAccountName. Implement this by executing the following PowerShell command:
Set-AdfsClaimsProviderTrust -TargetIdentifier “AD AUTHORITY” -AlternateLoginID mail -LookupForests [forest domain]
Zivver does not appear after logging in to ADFS
You can log into ADFS with your workplace credentials, but you are not redirected to Zivver properly. For example, an error appears.
Many fixes in this section of the guide are for specific errors that may appear when trying to log in via SSO in the browser. See subchapter Check the error in Chrome for instructions on how to determine the error.
Below are the causes for this problem, as well as the related fixes.
ADFS metadata problem
The ADFS metadata contains information that is necessary for SSO to work. See this section for the causes and solutions.
Error messages
Do you get an error after you log in to ADFS? Review these errors and fixes. If the error is not listed, or if the solution does not solve, speak to Zivver support.
I am not logged in with my Zivver account
You are logged in to ADFS successfully. However, when ADFS sends you back to Zivver, you are not logged in with your Zivver account. See this section for possible causes and solutions for this problem.
Before you do the steps below, check if there are any errors displayed while logging in via SSO while using Chrome. See the subchapter Check the error in Chrome.
After logging in, I get a notification to enter my password.
After redirection to Zivver, enter your Zivver password. The notification also says that this is a one-time occurrence, and that this is necessary to enable SSO for the account.
This problem has several causes and corresponding solutions:
User account was created before configuring SSO
The user already had an account that was created (or invited to the organization) before SSO was configured and enabled.
Fix: Enter the Zivver password when the notification appears. You only need to do this once. After entering the password, the account is matched to the account in the IdP. From now on, it is possible to log in via SSO.
ZivverAccountKey attribute mismatch between SSO and the Synctool
The ZivverAccountKey attribute is different between the Synctool and the SSO configuration. For example: Synctool uses ObjectGUID, while ADFS uses ObjectSID.
Fix: Re-configure ADFS or the Synctool so that the attribute for the ZivverAccountKey is the same. For example, they both use ObjectGUID. Then run the Synctool again to synchronize the correct ZivverAccountKey. Make sure that Update the password/account key for all x users in local data is enabled in Step 4 of the Synctool. It’s important that you manually run the Synctool with this option only once, and then turn it off again for future (automatic) syncs.
Synctool was run with SSO disabled The Synctool was executed while SSO was disabled.
Fix: If the users knows their Zivver password, enter this to fix the problem. However, users might not know their Zivver password, because they usually log in via SSO.
In that case, run the Synctool again and make sure that Update the password/account key for all x users in local data is enabled in Step 4 of the Synctool. It’s important that you manually run the Synctool with this option only once, and then turn it off again for future (automatic) syncs.
A notification appears to change the password
SSO is enabled for the organization, and users are created with the Synctool. However, you are still requested to change your Zivver password when logging in. Several different possible causes for this issue are detailed in the following subchapters.
Synctool was run without SSO
The Synctool was run before activating SSO in Zivver. Some examples why this might happened: SSO is not fully configured yet. SSO was set up, but not enabled yet in SSO Settings page. SSO was set up and enabled, but the Save button was not clicked.
Alternatively: The Synctool was run with the option Users log in without SSO. In this case, the Synctool assigns a temporary password for the accounts that users have to change on first login.
Fix: The fix for both causes is the same: Remove all of the accounts using the Synctool, and then re-create them. Make sure that the option Users log in with SSO is enabled in step 2 of the Synctool when you run it again to create the accounts.
SSO works, but it does not log me in automatically in the Office plug-in
If SSO is working, but users are not logged in automatically in the plug-in, then the required registry keys may not have been set up properly. These registry keys need to be deployed for each user, to enable the setting that logs them in automatically via SSO.
Fix: Read how to enable automatic login to the Office plugin with SSO for further instructions.
Still experiencing issues?
Are you still experiencing issues after following the guide, or is your problem not listed here? Then try the following:
Remove the existing SSO configuration and then set it up again from scratch.
See the Quick fix section at the start of this guide for instructions on how to reconfigure SSO for Zivver.
Still need help?
Could not find the information that solves your problem? Contact support with this information:
- ADFS configuration
- How is the AD FS setup?
- Are you using multiple servers for example?
- User scope
- How many users are experiencing the problem?
- What are the email addresses of the affected users?
- Product scope
- What products are affected?
- Does the problem occur in multiple products? + For example some specific products like the Office plugin, WebApp, OWA, or all products?
- Network location
- From what location on the network does the problem occur? + For example, from inside or outside the company network, or both?
- Steps to reproduce
- Where in the login process does the problem happen exactly?
- What are the steps to reproduce the problem?
- Security measures
- Are there any security measures present in the company network that may cause the problem? + For example a firewall or proxy?
- Recent changes
- Have there been any recent changes to the network- or working environment that may have caused an issue?
- Logging information
- Search the ADFS log in event viewer for the corresponding error and send this along with your email.
Attach this information to a support request. Contact support