
SSO Troubleshooting

Common issues and solutions when configuring SAML SSO with Ogadu.

SSO Button Doesn't Appear on the Login Page

Symptoms: You enter your email on the Ogadu login page but no SSO button appears.

Solutions:

  1. Check the email domain — The domain you're typing must exactly match one of the domains configured in Ogadu's SSO settings. For example, if SSO is configured for acme.com, typing user@acme.co.uk won't trigger the SSO button.

  2. Verify SSO is enabled — Go to your organization settings in Ogadu and check that the SSO configuration is saved and the Enable SSO toggle is on.

  3. Test the API directly — Open your browser and go to:

    https://app.ogadu.com/api/sso/check-domain?email=you@yourdomain.com
    
    You should see "sso_enabled": true. If you see false, the domain isn't configured or SSO isn't enabled.


"SAML Response Validation Failed"

Symptoms: After authenticating at Okta, you're redirected back to Ogadu with an error message about SAML validation.

Solutions:

Certificate mismatch

The most common cause. Ensure the X.509 certificate in Ogadu exactly matches the one from Okta.

  1. In Okta, go to your Ogadu app → Sign On tab.
  2. Download the certificate again.
  3. In Ogadu's SSO settings, click Edit and re-paste the full certificate, including the BEGIN and END lines.
  4. Save and try again.

Clock skew

SAML assertions have a validity window of approximately 5 minutes. If your server's clock is significantly off, validation will fail.

  • Ensure your server uses NTP (Network Time Protocol) for time synchronization.
  • Check: the output of date -u on your server should be within a few seconds of the actual UTC time.

Audience mismatch

The SP Entity ID (Audience URI) in Okta must exactly match what Ogadu expects.

  • In Okta, verify the Audience URI is:
    https://app.ogadu.com/sso/saml/metadata/YOUR_ORG_ID
    
  • Check for typos, trailing slashes, or http vs https differences.
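
The clock-skew and audience checks above can be run against an assertion you captured yourself. This is an added example, not Ogadu's or Okta's code: the function names and the sample assertion are constructed for illustration, and it only reads the Conditions element without verifying the signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):
    # SAML timestamps are UTC xs:dateTime strings such as 2024-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _explain(got, expected):
    # Name the specific difference the audience checklist tells you to look for
    g, e = urlsplit(got), urlsplit(expected)
    if got.rstrip("/") == expected.rstrip("/"):
        return f"trailing slash differs, got {got!r}"
    if g.scheme != e.scheme and (g.netloc, g.path) == (e.netloc, e.path):
        return f"scheme differs, got {g.scheme} but expected {e.scheme}"
    return f"got {got!r}, expected {expected!r}"

def diagnose_conditions(xml_text, expected_audience, now=None):
    """List why <Conditions> would be rejected; [] means time and audience pass.
    Diagnostic only: the signature is not verified, so this is not validation."""
    now = now or datetime.now(timezone.utc)  # pass a timezone-aware value
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    if cond is None:
        return ["no <Conditions> element found"]
    findings = []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _ts(nb):
        gap = (_ts(nb) - now).total_seconds()
        findings.append(f"not yet valid: NotBefore is {gap:.0f}s ahead of local clock")
    if noa and now >= _ts(noa):
        gap = (now - _ts(noa)).total_seconds()
        findings.append(f"expired: local clock is {gap:.0f}s past NotOnOrAfter")
    audiences = [a.text.strip() for a in cond.findall(".//saml:Audience", NS) if a.text]
    if not audiences:
        findings.append("audience mismatch: assertion carries no <Audience>")
    elif expected_audience not in audiences:
        findings += [f"audience mismatch: {_explain(a, expected_audience)}" for a in audiences]
    return findings

# Constructed sample (not a real Okta response): the audience has a trailing slash.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://app.ogadu.com/sso/saml/metadata/YOUR_ORG_ID/</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion>"""
EXPECTED = "https://app.ogadu.com/sso/saml/metadata/YOUR_ORG_ID"

if __name__ == "__main__":
    print(diagnose_conditions(SAMPLE, EXPECTED, datetime(2024, 5, 1, 11, 58, tzinfo=timezone.utc)))
```

An empty list only means the time window and audience line up; a certificate mismatch still has to be ruled out separately.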

"Could Not Extract Email from SAML Response"

Symptoms: SAML validation succeeds but Ogadu can't find the user's email in the response.

Solutions:

  1. Check Name ID format — In Okta, ensure the Name ID format is set to EmailAddress.

  2. Check attribute statements — Verify that your Okta app includes the email attribute statement mapped to user.email.

  3. Check Application username — In Okta's app settings, ensure the Application username is set to Email.


"SSO Session Expired"

Symptoms: After clicking the SSO button, you see "SSO session expired" before reaching Okta.

Solutions:

  • The SSO state cookie is valid for 5 minutes. If you waited too long before being redirected to Okta, the cookie expired.
  • Simply try again — click the SSO button once more.
  • If this happens consistently, check that your browser isn't blocking cookies.

"Your Email Domain Is Not Authorized"

Symptoms: You successfully authenticate at Okta but get an error about your email domain not being authorized.

Solutions:

  • The email address in your Okta profile doesn't match the email domains configured in Ogadu's SSO settings.
  • In Ogadu SSO settings, add the missing domain to the Email Domains field.
  • In Okta, verify the user's email attribute is set correctly.

User Authenticated but Not in the Organization

Symptoms: SSO sign-in works but the user doesn't see organizational projects or resources.

Solutions:

  1. Check Okta assignments — The user must be assigned to the Ogadu app in Okta's Assignments tab.

  2. Re-sign in — Organization membership is synced at login time. Ask the user to sign out and sign back in.

  3. Check Cognito group — The user should be automatically added to the organization's Cognito group during SSO login. If this failed, check the server logs for errors.


IdP-Initiated SSO Not Working

Symptoms: Clicking the Ogadu tile in Okta's dashboard doesn't sign you in.

Solutions:

  1. Check the Audience URI — For IdP-initiated SSO, Ogadu determines your organization from the SAML Audience restriction. The Audience URI in Okta must exactly match:

    https://app.ogadu.com/sso/saml/metadata/YOUR_ORG_ID
    

  2. Check Okta assignments — Ensure the user is assigned to the app.

  3. Check the ACS URL — Must be exactly:

    https://app.ogadu.com/sso/saml/acs
    


SSO Works but User's Name Is Wrong

Symptoms: The user signs in via SSO but their display name in Ogadu is wrong or shows their email prefix instead of their real name.

Solutions:

  • Add or verify the attribute statements in Okta:

    Name         Value
    firstName    user.firstName
    lastName     user.lastName
    displayName  user.displayName

  • After updating attributes in Okta, the user needs to sign out and sign back in for the changes to take effect.


Certificate Expiration

Okta SAML certificates typically expire after 1-2 years. When the certificate expires, SSO will stop working.

How to check:

  1. In Ogadu SSO settings, click Test Connection.
  2. The test results show the certificate expiration date.

How to rotate:

  1. In Okta, go to your Ogadu app → Sign On tab.
  2. Generate a new certificate or download the current active one.
  3. In Ogadu SSO settings, click Edit.
  4. Paste the new certificate.
  5. Save and test.

Set a calendar reminder

Note your certificate's expiration date and set a reminder to rotate it at least 2 weeks before it expires.


"SSO Is Not Configured for This Organization"

Symptoms: Visiting the SSO login URL shows this error.

Solutions:

  • Verify the Organization ID in the URL is correct:
    https://app.ogadu.com/sso/login/YOUR_ORG_ID
    
  • Go to the organization settings page and check that SSO is configured and enabled.

Still Need Help?

If none of the above solutions resolve your issue:

  1. Check your server logs for detailed error messages (search for SAML or SSO in the logs).
  2. In Okta, check the System Log (Reports → System Log) for SAML errors.
  3. Contact support@ogadu.com with:
    • Your Organization ID
    • The error message you're seeing
    • The approximate time the error occurred
    • Screenshots if possible