Correct ZivverAccountKey from IdP
How do you know whether the identity provider (IdP) returned the correct ZivverAccountKey value?
Cause
When you create a Zivver account with the Synctool, a user attribute forms the basis of the ZivverAccountKey. In most cases, this is the Exchange attribute ExternalDirectoryObjectId. When you set up a single sign-on (SSO) link, the IdP must fetch the same ZivverAccountKey value. The SAML response to the service provider (SP) must also contain that same value.
If the ZivverAccountKey at creation does not match the value in the SAML response, the user cannot log in directly. After entering their SSO credentials, the user will see: “Please enter your Zivver password once.”
Solution
Examine the SAML response
- Open Chrome.
- Install the SAML-tracer extension.
- Open the SAML-tracer extension.
- Go to https://app.zivver.com.
- Enter the email address of the affected user.
- Wait for the WebApp to redirect you to the IdP.
- Log in with the user’s workplace credentials.
- Wait until you see Please enter your Zivver password once.
- Switch back to SAML-tracer.
- Pause the SAML-tracer.
- Search for the line POST https://app.zivver.com/api/sso/saml/consumer/.
- Click this line.
- Select the SAML tab.
- Scroll down in the SAML view until you find the ZivverAccountKey. It looks similar to the snippet below:
<Attribute Name="https://zivver.com/SAML/Attributes/ZivverAccountKey">
<AttributeValue>573457bc-697c-56db-953c-fz2951e9bcee</AttributeValue>
</Attribute>
Remarks
- You can see which value is set for ZivverAccountKey: <AttributeValue>573457bc-697c-56db-953c-fz2951e9bcee</AttributeValue>.
- You can check whether the value is correct by using Synctool > Sources > Specific user source > Data preview. The SsoAccountKey column shows the ZivverAccountKey.
- Do not compare the value with the ObjectGUID in the AD Attribute Editor for this specific user. The Attribute Editor shows a “user friendly” ObjectGUID. You must compare it with the Base64 value of the ObjectGUID.
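As an added example (not code from the Zivver article or the Synctool), the following Python script pulls the ZivverAccountKey out of a saved SAML response and compares it with an AD ObjectGUID, both in the dashed form the Attribute Editor shows and in the Base64 form that AD exports. The XML and the GUID are constructed; which of the two representations the Synctool writes into the key is assumed to be unknown, so both are checked.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from typing import Optional

ZIVVER_KEY_ATTR = "https://zivver.com/SAML/Attributes/ZivverAccountKey"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an AttributeStatement as SAML-tracer would show it. The
# GUID is made up and is not the value from the article.
SAMPLE_GUID = "573457bc-697c-46db-953c-f02951e9bcee"
SAMPLE_SAML = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="{ZIVVER_KEY_ATTR}">
    <saml:AttributeValue>{SAMPLE_GUID}</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Same attribute pasted without a namespace prefix, as in the article's snippet.
SAMPLE_SAML_UNPREFIXED = f"""<Attribute Name="{ZIVVER_KEY_ATTR}">
  <AttributeValue>{SAMPLE_GUID}</AttributeValue>
</Attribute>"""


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix so saml:/saml2:/unprefixed all match."""
    return tag.rsplit("}", 1)[-1]


def extract_account_key(saml_xml: str) -> Optional[str]:
    """Return the ZivverAccountKey the IdP sent, or None if it is absent."""
    for elem in ET.fromstring(saml_xml).iter():
        if _local(elem.tag) == "Attribute" and elem.get("Name") == ZIVVER_KEY_ATTR:
            for child in elem:
                if _local(child.tag) == "AttributeValue" and child.text:
                    return child.text.strip()
    return None


def objectguid_to_base64(guid_text: str) -> str:
    """Base64 of the 16 raw objectGUID bytes as AD stores them (mixed-endian,
    i.e. .NET Guid.ToByteArray() order, which is Python's bytes_le)."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def base64_to_objectguid(b64: str) -> str:
    """Inverse of objectguid_to_base64: dashed GUID from an AD Base64 export."""
    return str(uuid.UUID(bytes_le=base64.b64decode(b64)))


def account_key_matches(saml_key: str, objectguid_text: str) -> bool:
    """True if the SAML value equals the GUID in its dashed or Base64 form."""
    key = saml_key.strip()
    dashed = str(uuid.UUID(objectguid_text))  # normalises braces and case
    return key.lower() == dashed or key == objectguid_to_base64(dashed)
```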
Next step
If the ZivverAccountKey does match, but the user still cannot log in because of the “Please enter your Zivver password once” message, you can update the ZivverAccountKey with the Synctool. Under Syncing > Synchronization Options, select the special option Update the password/accountkey for all users in local data.
For users with the correct ZivverAccountKey, this will not change anything, but you can optionally first set a source filter to only synchronize the affected user.
If the ZivverAccountKey does not match, you need to find out why. It may be that the Synctool is using the wrong attribute. In that case, you can change the mapping in the Synctool under Sources > Specific user source > Users. There, you can change the attribute that is mapped for ZivverAccountKey.
Another place where the incorrect attribute may be set is the Identity Provider, which might be returning the wrong attribute. In that case, you can change the attribute in the IdP settings to return the correct one.