SSO Troubleshooting

If SSO login fails, xAssets displays an error message that identifies the point of failure. This page lists all SSO error messages, explains their causes, and provides steps to resolve them.

Prerequisites

  • SSO enabled (see SSO Introduction and Setup)
  • Access to the xAssets instance with the ?logondirect=direct bypass if SSO login is completely broken

Error Messages

| Error Message | Cause | Action |
|---|---|---|
| Redirect database not set | The OAuth2 callback was received without a prior redirect to the identity provider. This is a security check that prevents direct access to the callback URL. | Ensure users are accessing xAssets through the correct URL. This may indicate a bookmark pointing to an intermediate URL, or a direct access attempt bypassing the SSO flow. |
| Redirect database not valid | The callback attempted to connect to a different database than the one used before the redirect. This prevents cross-database token replay attacks. | Verify the redirect URI configuration in your identity provider matches your xAssets instance URL exactly, including the database path. |
| IP address check failed | The IP address on the callback does not match the IP address recorded before the redirect. This commonly occurs with load balancers, proxies, or VPN connections that change the client IP between the initial request and the callback. | Check your network configuration and ensure the user's IP appears consistent from xAssets' perspective. |
| 400 Bad Request | An unexpected fault in the authentication process, typically related to a corrupted or expired authentication script file. | Check the integrity of the encrypted authentication script file on the application server. If the file is missing or corrupted, re-save the AUTHENTICATIONID setting to regenerate it. Contact xAssets support if the issue persists. |
| 404 Page not found | The authentication script file cannot be found on the application server. | Verify the authentication script file exists in the expected location. Re-save the AUTHENTICATIONID setting to regenerate it. |
| A cross site scripting security violation was detected | A user's existing authentication token was presented from a different address, security scheme, port, or server than where it was originally issued. | The user should close all browser windows and log in again from the correct URL. This can also occur if a user has xAssets open in multiple tabs with different URLs. |

Provider-Specific Errors

Errors from the identity provider itself (e.g., Azure, OKTA, Duo) may also occur. These typically indicate:

  • The application registration is misconfigured in the provider's admin console
  • Required scopes or permissions have not been granted
  • The redirect URI does not match exactly
  • The user is not assigned to the application in the provider

Check the provider's admin console and compare the configuration against the provider-specific page in this chapter.

General Troubleshooting Steps

If the error message does not clearly indicate the cause:

  1. Try the direct login bypass by navigating to https://your-instance/a.aspx?logondirect=direct. If this works, the issue is with the SSO configuration, not with xAssets itself.

  2. Check the credential pack -- ensure the domain, username (client ID), and password (secret) are correct and have not expired. Client secrets in Azure AD have expiration dates.

  3. Check the redirect URI -- the URI configured in the identity provider must match the xAssets URL exactly, including the protocol (https), domain, and path (/a.aspx).

  4. Check user assignment -- in some providers (OKTA, OneLogin), users must be explicitly assigned to the application before they can log in.

  5. Check the SSOADMIN account -- if the user can authenticate but gets an error after returning to xAssets, the SSOADMIN account may be missing or not in the Admins group.

  6. Check the Batch Service -- if first-time users experience long delays or timeouts, the Batch Service may not be running, preventing account auto-creation.

  7. Review browser network traffic -- use the browser's developer tools (F12 > Network tab) to see the full redirect flow and identify where it fails.

Tip: When troubleshooting SSO, always use a private/incognito browser window. Cached tokens and cookies from previous sessions can mask or cause issues.
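
An added example, not part of the xAssets documentation: a Python check for steps 3 and 7 that extracts redirect_uri from an authorization request URL copied out of the browser's Network tab and compares it, component by component, with the URI registered in the identity provider. The host names, client ID and captured URL are constructed placeholders, and it assumes the provider's authorization request carries the standard OAuth2 redirect_uri query parameter.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample values (placeholders, not from any real deployment).
REGISTERED_URI = "https://assets.example.com/a.aspx"
CAPTURED_AUTHORIZE_URL = (
    "https://idp.example.com/oauth2/authorize?response_type=code"
    "&client_id=constructed-client-id&state=constructed-state"
    "&redirect_uri=https%3A%2F%2Fassets.example.com%2Fa.aspx%2F"
)


def redirect_uri_from_authorize_url(authorize_url):
    """Return the decoded redirect_uri parameter of a captured authorization request."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError(f"expected one redirect_uri parameter, found {len(values)}")
    return values[0]


def compare_redirect_uris(registered, sent):
    """List the differences between two URIs; an empty list means an exact match."""
    if registered == sent:
        return []
    reg, got = urlsplit(registered), urlsplit(sent)
    findings = []
    for part in ("scheme", "netloc", "path", "query", "fragment"):
        r, g = getattr(reg, part), getattr(got, part)
        if r == g:
            continue
        if r.lower() == g.lower():
            hint = "differs only in letter case"
        elif r.rstrip("/") == g.rstrip("/"):
            hint = "differs only by a trailing slash"
        else:
            hint = "different value"
        findings.append(f"{part}: registered {r!r}, sent {g!r} ({hint})")
    # The raw strings can differ even when every parsed component matches,
    # for example when one of them ends in a bare "?".
    return findings or ["raw strings differ: check for stray characters"]


if __name__ == "__main__":
    sent_uri = redirect_uri_from_authorize_url(CAPTURED_AUTHORIZE_URL)
    for line in compare_redirect_uris(REGISTERED_URI, sent_uri) or ["exact match"]:
        print(line)
```

An empty result means the two strings are byte-for-byte identical, which is the condition step 3 asks for.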