Skip to main content
Version: Current

Troubleshooting: Entra ID SSO/Provisioning Setup Problems

Problem

You are encountering issues while configuring or using Microsoft Entra ID (formerly Azure AD) for Single Sign-On (SSO) or User Provisioning with Zudello.

Examples:

  • Users receive errors when trying to log in via SSO.
  • Users added to the Entra ID group are not being created or activated in Zudello.
  • User details (name, manager) are not syncing correctly.
  • Configuration validation fails in Zudello or Entra ID.

Common Causes

  1. Incorrect Configuration in Entra ID:
    • Wrong Application (client) ID or Directory (tenant) ID used.
    • Incorrect Client Secret value entered, or secret has expired.
    • Incorrect Zudello callback URL (https://auth.[cluster].zudello.io/ui/login/login/externalidp/callback) configured in App Registration Redirect URIs.
    • Required API Permissions (Microsoft Graph: email, profile, User.Read, openid) not granted or consented to.
    • Optional Claims (email, family_name, given_name, preferred_username for ID token) not added.
    • User not assigned to the Zudello application in Entra ID Enterprise Applications.
    • For Provisioning: Incorrect SCIM endpoint URL or Secret Token used in Entra ID Provisioning settings.
  2. Incorrect Configuration in Zudello:
    • Wrong Client ID, Client Secret, or Tenant ID entered in Organisation Settings > SSO & User Provisioning > Microsoft Entra.
    • Incorrect Entra ID Group Name or ID specified for provisioning.
    • Incorrect Zudello Team(s) selected for provisioning.
    • "User Provisioning" toggle not enabled when expected.
    • "Link Manager" toggle enabled, but manager attributes not syncing correctly from Entra ID or manager doesn't exist in Zudello.
  3. User Data Mismatches: Email address mismatch between Entra ID and an existing Zudello user prevents automatic linking during the first SSO login.
  4. Timing/Sync Delays: User provisioning syncs run on a schedule (e.g., every 10-40 minutes). Changes in Entra ID group membership may take time to reflect in Zudello. Manager/attribute updates often sync less frequently (e.g., nightly).
  5. Zitadel Configuration Issues (Staff Task): Problems with the underlying Identity Provider configuration in Zudello's authentication service (Zitadel).

Troubleshooting Steps

  1. Verify Entra ID App Registration:
    • Go to Entra ID > App registrations. Find the Zudello app.
    • Double-check the Application (client) ID and Directory (tenant) ID match what's configured in Zudello.
    • Go to Certificates & secrets. Generate a new Client secret if expired or unsure, and update it in Zudello.
    • Go to Authentication. Ensure the Redirect URI for Web matches the Zudello callback URL exactly (https://auth.[cluster].zudello.io/ui/login/login/externalidp/callback).
    • Go to Token configuration. Ensure the required Optional Claims (email, family_name, given_name, preferred_username) are added for the ID token type.
    • Go to API permissions. Verify the required Microsoft Graph permissions (email, profile, User.Read, openid) are present and have admin consent granted.
  2. Verify Entra ID Enterprise Application:
    • Go to Entra ID > Enterprise applications. Find the Zudello app.
    • Go to Users and groups. Ensure the users/groups who need access are assigned.
    • (Provisioning Only): Go to Provisioning.
      • Check the Provisioning Status (should be On).
      • Verify the Admin Credentials (Tenant URL - Zudello SCIM endpoint, Secret Token). Test Connection.
      • Review Mappings. Ensure attributes like userPrincipalName, givenName, surname, manager are mapped correctly.
      • Check Provisioning Logs for specific errors.
  3. Verify Zudello Configuration:
    • Go to Organisation Settings > SSO & User Provisioning. Edit the Microsoft Entra configuration.
    • Double-check the Client ID, Client Secret, and Tenant ID.
    • (Provisioning Only): Verify the Entra ID Group Name/ID and selected Zudello Teams. Ensure the User Provisioning toggle is ON if required. Check the Link Manager setting.
  4. Check User Data: For linking issues on first SSO login, ensure the user's primary email in Entra ID matches their Zudello user email exactly.
  5. Wait for Sync: Allow time for provisioning sync cycles to complete after adding/removing users from the Entra ID group.
  6. Manual Sync (Provisioning): Use the Advanced > Synchronise Users option in Zudello's Entra configuration to trigger an immediate sync for user attributes (like manager, name updates).

Need Help?

Setting up SSO and provisioning involves multiple steps. If issues persist, contact Zudello support. Provide:

  • Screenshots of your Entra ID App Registration settings (Overview, Authentication, Token configuration, API permissions).
  • Screenshots of your Entra ID Enterprise Application settings (Users and groups, Provisioning logs if applicable).
  • Screenshots of your Zudello SSO & User Provisioning configuration.
  • Specific error messages encountered by users or shown in logs.