SSO FAQs

OVERVIEW

This article provides the top questions received regarding the Single-Sign-On (SSO) capability.


Does enabling SSO impact existing user accounts?

In short, no. For existing users, the only thing that is changing is where they login. The underlying account at Lotame is not changed. 

There is an edge case where the email that the user logins into Lotame is different than the one they use in your Identity provider. In that case, this would be seen as a new user to Lotame when they sign in through SSO. To handle these cases, please have a Lotame Admin go to Manage Users and use the Copy feature of the user and add their other email.

Please remember to disable the old account once the user begins using the new SSO account.

Common errors when setting up SSO

Error Log Message What to Review
SAML Signature Failure (The public key that's exposed in this signature doesn't match with the passed in one.) Check that your signing certificate is correct in the "Service Provider" page of "Client Admin Settings"
SAML Signature Failure (Failed to decrypt EncryptedData) Check that your encryption certificate is correct in the "Service Provider" page of "Client Admin Settings"
User user@example.com from issuer https://example.com/saml/idp is locked or disabled. User will need to be re-enabled in the "Users List" page of "Client Admin Settings"
Maximum number of users reached for ClientName(4830) Please contact your Lotame representative to adjust your limits, or disable any unneeded users.
New user creation is not enabled for https://example.com/saml/idp. Turn On "Auto-Create New Users" in the "Account Settings" page of "Client Admin".
No default user roles are defined for https://example.com/saml/idp. Define user roles in the "Assigned Clients" section of the "Account Settings" page of "Client Admin".
Invalid user user@example.org logged in using https://example.com/saml/idp! Please check your client's username domains or contact your Lotame rep for help Check that the email domain of the user is present and not "pending" in the "Domain Management" section of the "Account Settings" page of "Client Admin".

What happens if my SSO is offline

If your SSO platform is having issues, there is a work around to still allow access to the Lotame platform for your users. On the SSO Account Settings screen disabled Require for Non-Admins. Then your users can login with their email at https://platform.lotame.com

Users who were created after SSO was enabled have slightly more work to get them able to use the Platform. Please reach out to your Lotame Client success manager for assistance.

Note: It is likely the user's password has expired or they do not remember. In that case going through the Forgot Password? flow will get them access.

Which SSO partners can we support?

We can support any SAML2-compliant login system.
Some examples: Okta, OneLogin