IMPORTANT - Logging in when SSO isn't working
If you need to troubleshoot your SAML settings, but cannot access your portal any longer, you can log in with your Tribal Habits user details at the following URL (using your Tribal Habits username/email and password):
That URL can be important when your SSO settings are incorrect and you are otherwise unable to log in to your portal to fix things!
Error: SAML authentication error
Single-Sign-On (SSO) requires that your SSO certificate in your Identity Provider matches the SSO certificate in your Tribal Habits portal.
Sometimes, SSO certificates can be set to expire after a period (typically one year).
Usually, your Identity Provider will allow both the old and new certificates to function for a short period to allow you to update your certificate in Tribal Habits.
However, sometimes the expiry immediately cancels your old certificate (or the dual certificate process simply doesn't work). At that point, your Tribal Habits SSO certificate will no longer match and your SSO logins will fail. You will typically receive an error "Invalid Signature on SAML Response" when trying to log in.
In such a case, you can hopefully log in to your portal without using SSO (see 'Logging in when SSO isn't working' above) to fix the issue.
Go to yourorganisation.tribalhabits.com/accounts/sign_in_without_sso
Log in with your Tribal Habits username or email, and your Tribal Habits password. Use the password reset function if you have forgotten it. This will allow you to log in to your portal using your Tribal Habits credentials (rather than your SSO credentials).
Switch to your Admin area and the Account menu.
Select the 'SSO' tab.
On this page you will see your Identity Provider X.509 Certificate. It begins with '-----BEGIN CERTIFICATE-----'. That's what you need to replace.
Obtain your new certificate and Edit your SAML details. Paste the new certificate into the certificate field, including the BEGIN and END certificate text.
Save your changes and your SSO should start working again.
If problems continue afterwards, please contact Support for additional help.
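A check you can run before pasting the new certificate, added here as an example (it is not Tribal Habits code): it compares the SHA-256 fingerprint of the certificate exported from your Identity Provider with the one copied from the SSO tab, and reports how many days remain before the Identity Provider certificate expires. The function names, the 30-day warning threshold and the two file arguments are assumptions of this example.

```python
import base64, hashlib, re, sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the first PEM certificate; fails if the BEGIN/END lines were not pasted."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE lines are missing")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(pem_text):
    """SHA-256 over the DER bytes, so line wrapping and CRLF do not affect the result."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()

def _tlv(buf, pos):
    """Read one DER element; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(pem_text):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    der = pem_to_der(pem_text)
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _field in range(3):                 # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity SEQUENCE
    _, _, pos = _tlv(der, pos)              # skip notBefore
    tag, start, end = _tlv(der, pos)        # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def check(idp_pem, portal_pem, now=None, warn_days=30):
    """Compare the two certificates and report the Identity Provider certificate's expiry."""
    now = now or datetime.now(timezone.utc)
    days_left = (not_after(idp_pem) - now).days
    return {"match": fingerprint(idp_pem) == fingerprint(portal_pem), "days_left": days_left, "renew_soon": days_left < warn_days}

if __name__ == "__main__" and len(sys.argv) == 3:
    idp, portal = (open(p).read() for p in sys.argv[1:3])
    print(check(idp, portal))
```

Run it with the two PEM files as arguments. A result with "match": False means the portal still holds a different certificate from the one your Identity Provider is using.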
Error: User does not have permission to access Tribal Habits
This error message will appear from your SSO system - not from Tribal Habits (the branding and styling of the error page will be that of your SSO system) - when the user has not been granted access to Tribal Habits via your SSO system.
In many SSO systems, there are access control rules - each user in the SSO system must have permission to access the various platforms which use the SSO system for authentication. This error will typically say that the user lacks permission to access Tribal Habits.
In this case, you will need to contact your IT team and ask them to grant access in the SSO system for that user for Tribal Habits.
Error: Duplicate user (new user who cannot log in for the first time with SSO)
In this case, your portal has activated SSO and a user is unable to log in. Typically, they will receive an error page that will give you a clue as to the problem - it will usually say 'Duplicate user detected' and then 'Email already taken' or 'Username already taken'.
If this is the first time a user has logged in via SSO, then the problem will be a duplicate user which is conflicting with this user. This often occurs when this user has been set up in Tribal Habits in advance (rather than being set up by the SSO process itself). Typically, something is slightly wrong with their Tribal Habits portal compared to their SSO profile. For example...
Their user name is incorrect. This might be because your SSO profile uses an employee ID number as the User ID and their Tribal Habits profile has been set up with their email address as their user name.
Something is spelt incorrectly. The Tribal Habits profile and the SSO profile must EXACTLY match for First Name, Last Name, User Name and Email. Capitalisation can be important. Ensure there are no spaces after any of the details in Tribal Habits (e.g. a space after someone's first name).
In a worst case, you can delete this person from Tribal Habits and ask them to then log in via SSO. That will allow the SSO process to correctly populate their details in Tribal Habits. You can then edit their profile in Tribal Habits to add additional data and their enrolments. After that, they should be good to go!
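To find these mismatches before users hit the error, the following added example (not Tribal Habits code) compares an export of SSO profiles with an export of pre-created Tribal Habits profiles and names the kind of mismatch for each field. The column names, the use of email as the pairing key and the sample rows are assumptions constructed for this example.

```python
FIELDS = ("first_name", "last_name", "username", "email")  # assumed export column names

def diagnose(sso, portal):
    """Return (field, reason) for every field that is not an exact match."""
    issues = []
    for field in FIELDS:
        a, b = sso.get(field, ""), portal.get(field, "")
        if a == b:
            continue
        if a.strip() == b.strip():
            reason = "stray leading/trailing space"
        elif a.strip().casefold() == b.strip().casefold():
            reason = "capitalisation differs"
        elif field == "username" and ("@" in a) != ("@" in b):
            reason = "email address on one side, ID on the other"
        else:
            reason = "values differ"
        issues.append((field, reason))
    return issues

def audit(sso_rows, portal_rows, key="email"):
    """Pair rows on a normalised key (assumed: email) and report mismatches."""
    norm = lambda row: row.get(key, "").strip().casefold()
    portal_by_key = {norm(r): r for r in portal_rows}
    report = {}
    for sso in sso_rows:
        portal = portal_by_key.get(norm(sso))
        if portal is None:
            continue  # no pre-created profile, so the SSO process sets the user up
        issues = diagnose(sso, portal)
        if issues:
            report[norm(sso)] = issues
    return report

# Constructed sample data, not real users.
SSO = [
    {"first_name": "Ana", "last_name": "Lee", "username": "10482", "email": "ana.lee@example.com"},
    {"first_name": "Sam", "last_name": "O'Neil", "username": "10517", "email": "sam.oneil@example.com"},
    {"first_name": "Kim", "last_name": "Park", "username": "10533", "email": "kim.park@example.com"},
]
PORTAL = [
    {"first_name": "Ana ", "last_name": "Lee", "username": "ana.lee@example.com", "email": "ana.lee@example.com"},
    {"first_name": "Sam", "last_name": "O'neil", "username": "10517", "email": "Sam.ONeil@example.com"},
    {"first_name": "Kim", "last_name": "Park", "username": "10533", "email": "kim.park@example.com"},
]

if __name__ == "__main__":
    for user, issues in audit(SSO, PORTAL).items():
        print(user, issues)
```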
Error: Duplicate user (existing SSO user who suddenly cannot log in)
In this case, the user has been successfully accessing Tribal Habits but is suddenly no longer able to log in. Typically, they will receive an error page that will give you a clue as to the problem - it will usually say 'Duplicate user detected', 'Email already taken' or 'Username already taken'.
This error is almost certainly due to a change in your organisation's SSO data. The two most common examples are...
User names are updated. For example, your organisation may have been using email addresses for SSO User ID, but has switched to payroll numbers. You will need to update details in Tribal Habits with the new user names. This process can only be completed manually, one user at a time. You may need to contact Support for assistance with this if you have a large number of users.
Email address is changed. For example, your organisation has moved to a new email domain. Once again, you will need to update all the emails in your Tribal Habits portal. This process can be done via the Upload People function.