Troubleshooting Single Sign-On

Problem: Single Sign-On button not visible on KACE Cloud portal.
Solution: Confirm that Enable single sign-on is checked on the SSO Settings page.

Problem: Error message on Microsoft login page: "AADSTS70001: Application with identifier ### was not found in the directory ###"
Solution: The Azure AD App ID URI does not match the KACE Cloud identifier. Revisit Step 1 and confirm that the App ID URI is copied correctly, and ensure that the trailing /broker/heliumsso/endpoint has been removed from the end of the URL.

Problem: Update password request on Microsoft login page.
Solution: If you have created a brand new Azure AD account, Azure will prompt you to reset your password the first time it is used.

Problem: Error message on Microsoft login page: "AADSTS50011: The reply address ### does not match the reply addresses configured for the application: ###"
Solution: Update the Azure AD app registration Reply URLs to include the reply address indicated in the error message. This property can be found in Azure AD under App registrations > KACE Cloud > Settings > Reply URLs.

Problem: Error message on KACE Cloud portal.
Solution: Azure AD successfully validated the username and password, but KACE Cloud did not accept the user. This may be because the user is not in the Azure AD group being assigned a device admin role. To troubleshoot:

  1. Confirm the Azure AD group to which the user is assigned.
  2. Confirm that the Azure App registration manifest was configured to include "SecurityGroups" (Step 3 above).
  3. Confirm that the Azure AD group has had its role mapped correctly (Step 5 above).

Problem: Single Sign-On misconfiguration or identity provider error.
Solution: As part of SSO, most companies will redirect their users to their identity provider's sign-in page. In the case of a misconfiguration or identity provider error, a device admin can bypass SSO by adding ?nosso to the end of their product portal URL to turn off redirection and go directly to the KACE Cloud login screen.
Example: https://yourcompany.kacecloud.com?nosso
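For the two AADSTS rows above, the following added example (not KACE or Microsoft code) reads the value out of the error text and compares it with what is configured in the app registration. The function name, the hosts and the sample messages are constructed; the error wording and the /broker/heliumsso/endpoint suffix are taken from this page.

```python
import re

BROKER_SUFFIX = "/broker/heliumsso/endpoint"  # suffix named on this page

# Patterns follow the two messages quoted on this page; quotes around values are optional.
ID_NOT_FOUND = re.compile(r"AADSTS70001: Application with identifier '?([^'\s]+)'? was not found")
REPLY_MISMATCH = re.compile(r"AADSTS50011: The reply address '?([^'\s]+)'? does not match")


def diagnose(error_text, app_id_uri, reply_urls):
    """Return (code, finding) for a login error; code is None if the text is not recognised.

    app_id_uri and reply_urls are the values currently set on the app registration.
    """
    m = ID_NOT_FOUND.search(error_text)
    if m:
        sent = m.group(1)  # identifier the portal presented to Azure AD
        if app_id_uri == sent:
            return "AADSTS70001", "App ID URI already equals the identifier in the error"
        trimmed = app_id_uri.rstrip("/")
        if trimmed.endswith(BROKER_SUFFIX):
            fixed = trimmed[: -len(BROKER_SUFFIX)]
            verdict = "matches" if fixed == sent else "still differs from"
            return "AADSTS70001", f"remove {BROKER_SUFFIX}: {fixed} {verdict} the identifier sent"
        return "AADSTS70001", f"set App ID URI to {sent} (currently {app_id_uri})"

    m = REPLY_MISMATCH.search(error_text)
    if m:
        wanted = m.group(1)  # reply address the portal asked Azure AD to return to
        if wanted in reply_urls:
            return "AADSTS50011", f"{wanted} is already listed"
        # Flag entries that differ only by case or a trailing slash.
        near = [u for u in reply_urls if u.rstrip("/").lower() == wanted.rstrip("/").lower()]
        hint = f" (near miss: {near[0]})" if near else ""
        return "AADSTS50011", f"add {wanted} to Reply URLs{hint}"

    return None, "not one of the two AADSTS errors covered here"


if __name__ == "__main__":
    # Constructed sample: the App ID URI was pasted with the suffix still attached.
    base = "https://sso.example.invalid/realms/acme"
    err = f"AADSTS70001: Application with identifier '{base}' was not found in the directory 'acme'"
    print(diagnose(err, base + BROKER_SUFFIX, []))
```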