Troubleshoot SSO errors

You will learn

Learn how to troubleshoot errors for single sign-on (SSO) with Klaviyo. This article is meant for those familiar with SSO, such as IT professionals. 

For more information, please see this article on how to set up single sign-on. Note that SSO is in limited availability and is for Klaviyo One users.

List of errors and how to fix them

We break down all the potential errors you can experience when setting up SSO. Errors tend to happen when there’s missing or incorrect information. 

The table below shows all potential errors, where to go to fix them, and how to fix them. 

Error

How to fix it

Missing SSO configuration for {email} ({company_id})

Make sure the SSO configuration settings are saved in Klaviyo.

SSO disabled for {email} ({company_id})

Enable SSO in the SSO configuration panel in Klaviyo.

Missing SSO configuration for ({company_id})

Make sure the SSO configuration settings are saved.

SSO disabled for ({company_id})

Enable SSO in the SSO configuration panel in Klaviyo.

Cannot provision new SSO user for {email} in account ({company_id}) (Just-in-Time provisioning not enabled)

If you would like to use Just-in-Time user provisioning, turn it on in the SSO configuration panel for your IdP SSO provider. 

IdP-Initiated SSO is disabled for {email} ({company_id})

If you would like to use IdP-initiated SSO, you can enable it in the SSO configuration panel. 

Missing SSO configuration for ({company_id})

Make sure your SSO configuration is set up and saved. 

Missing SSO configuration errors

Error

How to fix it

Unsupported SAML version

Go to your IdP SSO provider and update to SAML 2.0. 

Missing ID attribute on SAML Response

Check that you have the correct ID in your IdP settings and that it’s in the correct format.

SAML Response must contain 1 assertion

Navigate to your SSO provider and make sure to include the role attribute in the SAML assertion. 

Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd

Make sure your SAML response adheres to the schema protocol for SAML 2.0.

The assertion of the Response is not encrypted and the SP require it 

Klaviyo requires the assertion to be encrypted. Make sure you’re using an assertion that is encrypted. 

The Assertion must include a Conditions element

Ensure that the SAML response assertion for your IdP includes a Conditions element.

The Assertion must include an AuthnStatement element

Ensure that the SAML response assertion for your IdP includes an AuthnStatement element. 

There is no AttributeStatement on the Response

Ensure that the SAML response assertion for your IdP includes an AttributeStatement element. 

There is an EncryptedAttribute in the Response and this SP not support them

Klaviyo does not support encrypted attributes. Check the settings for your IdP and make sure no attribute is encrypted.

The response has an empty Destination value

Go to your IdP and fill in the destination. Note that the name for this value may not be “destination,” as it varies. If you don’t see “destination,” look for other common names for this value: “Reply URL,” “ACS URL,” “Assertion Consumer Service URL,” “Trusted URL,” and “Endpoint URL.”

%s is not a valid audience for this Response

Make sure that the audience ID in your IdP exactly matches the Audience URI (Service Provider Entity ID) provided in your SSO configuration panel, including the https:// prefix.

Invalid issuer in the Assertion/Response (expected %(idpEntityId)s, got %(issuer)s)

Make sure the IdP SSO URL field in the SSO admin panel matches the SSO URL provided by your identity provider.

The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response

Retry logging in. If that doesn’t work, extend the expiration window for your SAML response in your IdP, as it may be too short. 

A valid SubjectConfirmation was not found on this Response

Check the settings for your IdP and look for the subject confirmation method. Make sure it’s formatted correctly. 

The Assertion of the Response is not signed and the SP require it

Either:

  • Go to the SSO page for your workspace and uncheck the box for Assertions Signed
    Or
  • Go to your IdP settings and turn on signing assertions of responses

Contact your IdP if you need help. 

The Message of the Response is not signed and the SP require it

Either:

  • Go to the SSO page for your workspace and uncheck the box for Responses Signed
    Or
  • Go to your IdP settings and turn on signing responses

Contact your IdP if you need help. 

No Signature found. SAML Response rejected

Check that the SAML message from your IdP is properly signed. 

Signature validation failed. SAML Response rejected

Go to your workspace’s SSO page and make sure the certificate matches the certificate sent from your IdP. 

SAML Response not found, Only supported HTTP_POST Binding

Check that your IdP is sending an HTTP_POST request.
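To find which of the structural errors in the table a captured SAML Response would trigger before retrying a login, the following added example (not Klaviyo's code) inspects the base64-decoded XML and reports matches using the table's wording. The function name `preflight`, the `example.com` URLs and the sample response are constructed for illustration; the script does not decrypt assertions or verify signatures, it only checks that the required elements and values are present.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = {"Conditions": "The Assertion must include a Conditions element",
            "AuthnStatement": "The Assertion must include an AuthnStatement element",
            "AttributeStatement": "There is no AttributeStatement on the Response"}

def preflight(xml_text, audience, idp_entity_id):
    """List which errors from the table a decoded SAML Response would trigger."""
    # SAML messages never need a DTD; refuse it to avoid entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present; refusing to parse"]
    root = ET.fromstring(xml_text)
    found = []
    if root.get("Version") != "2.0":
        found.append("Unsupported SAML version")
    if not root.get("ID"):
        found.append("Missing ID attribute on SAML Response")
    if not root.get("Destination"):
        found.append("The response has an empty Destination value")
    if root.find(".//saml:EncryptedAttribute", NS) is not None:
        found.append("There is an EncryptedAttribute in the Response")
    plain = root.findall("saml:Assertion", NS)
    if len(plain) + len(root.findall("saml:EncryptedAssertion", NS)) != 1:
        return found + ["SAML Response must contain 1 assertion"]
    if not plain:  # encrypted: inner elements are only visible after decryption
        return found
    a = plain[0]
    found += [msg for tag, msg in REQUIRED.items() if a.find(f"saml:{tag}", NS) is None]
    audiences = [e.text.strip() for e in a.iterfind(".//saml:Audience", NS) if e.text]
    if audience not in audiences:  # exact string match, https:// prefix included
        found.append(f"{audience} is not a valid audience for this Response")
    issuer = a.findtext("saml:Issuer", "", NS).strip()
    if issuer != idp_entity_id:
        found.append(f"Invalid issuer (expected {idp_entity_id}, got {issuer})")
    if root.find("ds:Signature", NS) is None and a.find("ds:Signature", NS) is None:
        found.append("No Signature found. SAML Response rejected")
    return found

# Constructed sample: Audience lacks the https:// prefix, no AuthnStatement, unsigned.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://sp.example.com/acs"><saml:Assertion ID="_a1" Version="2.0">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <saml:Conditions><saml:AudienceRestriction>
 <saml:Audience>sp.example.com/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement/>
 </saml:Assertion></samlp:Response>"""
```

Call `preflight(SAMPLE, "https://sp.example.com/metadata", "https://idp.example.com/metadata")` to see the three findings for the constructed sample; substitute the Audience URI and IdP entity ID from your own SSO configuration when checking a real response.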
