If the SSO login fails, refer to the guide below for the most common issues. You can also look up specific error messages directly in the section further down.
In addition, you will find configuration examples below to compare with your own setup:
1) 403 Access Denied / "Well, this is awkward" Error
If you see a 403 – Access Denied error after logging in, it means your SSO login worked, but you don’t have permission to view the page you landed on. To access it, you’ll need to be added by an account owner or admin.
In case the error page looks different from the default, please note that each account can have its own custom error page. You can confirm whether it’s a permission issue by visiting DOMAIN/dashboard (for example, hub.brand.com/dashboard). If you can access the dashboard overview without error, your login is working correctly and the restriction only applies to the specific page you tried to open.
Once the SSO setup is complete, all users from your user directory are able to log in to your Frontify platform. Their user account is created automatically on first login, but it has no permissions by default. So if they land on a Guideline after their first login, they can get the 403 - Access Denied message.
This means they still need to be granted access to that landing Guideline.
To fix this, invite the user, a group the user belongs to, or a Smart Group to this Guideline.
👉 Learn more on how to create Smart Groups here
2) Incorrect URLs
Ensure that all URLs from our metadata are added exactly as listed below, and double-check that you have replaced the DOMAIN part with your own domain.
Missing trailing slashes or otherwise incorrect URLs cause login failures:
Identifier (SP Entity ID): https://DOMAIN/api/auth/saml/metadata/
Single Sign-On URL / ACS: https://DOMAIN/api/auth/saml/acs/
Single Logout URL / SLS: https://DOMAIN/api/auth/saml/sls/
Default Relay State / Sign on URL: https://DOMAIN/
3) Incorrect Attribute Mapping
The attribute mapping needs to be exactly as below:
User.email
User.FirstName
User.LastName
User.Groups (if needed)
Please note that the attribute names are case-sensitive (upper- and lowercase letters must match exactly).
4) Certificate Issues
Ensure that the correct certificate is used and that it is still valid. If you update the certificate on your side, we also need to update it manually on ours. Additionally, configuration changes on your end may cause the certificate to be regenerated. If that happens, verify the change and make sure we receive the new certificate, so that the correct one is in use on our side.
5) Assign User to Application / Allow Access
Make sure that the user is assigned to a role for the application and has permission to access the platform over SSO.
Specific Error Messages
Below you can find several specific error messages that could appear. Check whether your error message is listed and adjust your settings according to the instructions.
The signed in user is not assigned to a role for the application/ User is not assigned to this application/ Sorry, but we're having trouble signing you in
The error means that the user hasn't been granted access to the application in your SSO configuration/identity provider. The user must belong to a group that is assigned to the application, or be assigned directly.
Check if the user who is trying to log in has been added to your Identity Provider and that access is granted for that user to log in over SSO to the Frontify account.
Microsoft Entra (Azure): In the article here you can find an explanation why the error appears (user is not assigned to an application). Additionally, you can find instructions on how to assign users to an application to resolve this issue here.
Below you can find examples, or parts of examples, of how the error message could look:
Invalid E-Mail Address/Invalid Email Address
Error message “Invalid Email Address” appears as shown below:
Check your attribute mapping and ensure that it’s set up as requested below:
General Attribute Mapping (please note lower/uppercase):
User.email
User.FirstName
User.LastName
User.Groups (if needed)
For Microsoft Entra (Azure), you can add the following Attribute Mapping:
user.givenname
user.surname
user.mail
If you’re using Azure/ Microsoft Entra and "Invalid E-Mail Address: User.email" appears, check if any quotes are added for the attribute mapping as shown under value below:
If this is the case, you need to remove those quotes. If you’re not able to set up the attribute mapping as requested without the quotes, use the specific attribute mapping for Entra as shown above.
Could not process Response/Could not process ACS/Could not process SAMLResponse: Signature validation failed. SAML response rejected, invalid_response
If you encounter the issue “Could not process ACS” or “Could not process SAMLResponse: Signature validation failed. SAML response rejected, invalid_response” as shown below:
Please verify your x509 certificate to ensure that the correct and valid one is being sent.
This error usually occurs when there is a mismatch between the certificate configured on our side and the one used on yours.
Check the following:
Certificate validity
Ensure that the SAML certificate has not expired and matches the one in our configuration. You can verify its validity using a SAML decoder tool.
After setup adjustments and certificate updates
If you’ve recently updated anything in your SSO setup, the certificate may have been regenerated. Ensure we have the updated certificate on our side as well.
If you’ve updated the certificate on your side, we’ll also need to manually update it on ours, otherwise the login will not work. Please contact us at support@frontify.com and provide the new certificate and the mentioned information here, so we can update it on our side as well.
Next time, please send us the new certificate before making any updates on your side.
For newly created SSO setups, additionally consider the following:
Check if your metadata includes multiple certificates. If so, try removing any unnecessary ones so that only the correct certificate for this SSO configuration remains.
Keycloak users: If you are using Keycloak as your identity provider, double-check your attribute mapping. If issues persist, try reconfiguring from scratch and test the login again.
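The check above (one current signing certificate in the identity provider metadata) can be automated. This is an added example, not Frontify's own code: it lists every signing certificate in an IdP metadata file, reports its SHA-256 fingerprint so it can be compared with the certificate on file, and flags several different certificates. The metadata and certificate blobs are constructed placeholders; for metadata from an untrusted source, parse with defusedxml instead of the standard parser.

```python
# Added example, not Frontify's own code: list the signing certificates in an
# IdP metadata file and flag the case this article warns about, several
# certificates where only the current one should remain. The SHA-256
# fingerprint of each certificate can be compared with the one on file.
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signing_fingerprints(metadata_xml):
    """Return the SHA-256 fingerprint of every certificate usable for signing."""
    fps = []
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS):
            der = base64.b64decode("".join((cert.text or "").split()))  # drop line breaks
            fps.append(hashlib.sha256(der).hexdigest())
    return fps

def check_metadata(metadata_xml):
    """Return a list of findings; empty means exactly one distinct signing certificate."""
    distinct = set(signing_fingerprints(metadata_xml))
    if not distinct:
        return ["no signing certificate found in metadata"]
    if len(distinct) > 1:
        return ["%d different signing certificates found; remove the ones no longer in use" % len(distinct)]
    return []

def sample_metadata(cert_blobs):
    """Constructed metadata; the blobs are placeholders, not real certificates."""
    kds = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" % b for b in cert_blobs
    )
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.com">'
            "<md:IDPSSODescriptor>%s</md:IDPSSODescriptor></md:EntityDescriptor>") % (MD, DS, kds)

ONE = [base64.b64encode(b"placeholder-cert-A").decode()]   # constructed placeholder
TWO = ONE + [base64.b64encode(b"placeholder-cert-B").decode()]
```

Run `check_metadata()` on the metadata you exported from your identity provider; the fingerprints printed by `signing_fingerprints()` are what you compare against the certificate Frontify has on file.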
Blank/empty page after login
If you see a blank page after logging in, verify that the Default Relay State is correctly defined in your configuration: https://DOMAIN/
Azure/Entra: Ensure that the Sign-on URL is also set. Although marked as optional in Entra, it must be configured with the same value as the Default Relay State.
Invalid_response / The status code of the Response was not Success, was Responder -> Authentication Failed (invalid_response)
If you receive an error such as:
"Invalid response" or "The status code of the Response was not Success, was Responder -> Authentication Failed (invalid_response)"
Please verify that the x509 certificate used in your metadata is correct and has not expired, as described above under "Could not process Response".
The status code of the Response was not Success, was Requester -> Cannot provide requested name identifier with format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified for the given subject
If you encounter the following error after attempting to log in:
Please change the SAML_SUBJECT (the NameID format) on your side to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Afterwards, you can test the login again.
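The attribute mapping (section 3), the "Invalid Email Address" case and the NameID format above can all be checked on a decoded SAML assertion before you retry the login. The following is an added example, not Frontify's own code; the assertion it builds is a constructed, unsigned minimal sample, and real responses should be parsed with defusedxml rather than the standard parser.

```python
# Added example, not Frontify's own code: validate the attribute names, the
# e-mail value and the NameID format of a decoded SAML assertion against the
# values this article asks for. Use defusedxml.ElementTree on untrusted input.
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUIRED = ("User.email", "User.FirstName", "User.LastName")  # names are case-sensitive
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_assertion(xml_text):
    """Return a list of findings; an empty list means the assertion looks correct."""
    findings = []
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("{%s}AttributeValue" % SAML)]
    for name in REQUIRED:
        if name in attrs:
            continue
        near = [n for n in attrs if n.lower() == name.lower()]
        if near:
            findings.append("case mismatch: expected %s, got %s" % (name, near[0]))
        else:
            findings.append("missing attribute %s" % name)
    for value in attrs.get("User.email", []):
        # A quoted claim value in Entra is sent literally, so the SP receives the
        # text "User.email" instead of an address and reports Invalid Email Address.
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
            findings.append("User.email value is not an e-mail address: %r" % value)
    name_id = root.find(".//{%s}NameID" % SAML)
    fmt = name_id.get("Format", "absent") if name_id is not None else "absent"
    if fmt != EMAIL_FORMAT:
        findings.append("NameID format is %s, expected %s" % (fmt, EMAIL_FORMAT))
    return findings

def sample_assertion(email_name, email_value, name_id_format):
    """Constructed, unsigned, minimal assertion for testing; real ones are larger."""
    return (
        '<saml:Assertion xmlns:saml="%s"><saml:Subject>'
        '<saml:NameID Format="%s">jane@example.com</saml:NameID></saml:Subject>'
        '<saml:AttributeStatement>'
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        '<saml:Attribute Name="User.FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>'
        '<saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion>'
    ) % (SAML, name_id_format, email_name, email_value)
```

`check_assertion(sample_assertion("user.email", "User.email", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"))` reports the lowercase attribute name and the unspecified NameID format; paste the decoded assertion from a SAML-tracer capture in place of the sample to check your own setup.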
The status code of the Response was not Success, was Requester -> urn:oasis:names:tc:SAML:2.0:status:RequestDenied
After login the error message appears: The status code of the Response was not Success, was Requester -> urn:oasis:names:tc:SAML:2.0:status:RequestDenied
Ensure that the user is a member of the required Active Directory (AD) group, as explained above under "The signed in user is not assigned to a role for the application".
Google SSO Troubleshooting
You can find general SAML errors for Google configurations here
General Tips
For troubleshooting and debugging, consider using a browser plugin such as SAML-tracer to inspect the SAML messages on your side. This can relate our server-side error message to the specific issue in your setup.
Issue persists?
If the issue persists, please contact support@frontify.com. Include the following details in your request:
Whether it is a newly configured SSO setup or an existing one that stopped working
The domain where the SSO issue appears (e.g. guideline.brand.com)
Screenshot of the exact error message or issue encountered
Any troubleshooting steps you’ve already taken