Single Sign-On - Troubleshooting login problems with Entra ID
Introduction
Audience: Administrators who want to troubleshoot Single Sign-On (SSO) via Entra ID. This troubleshooting guide is useful if your organization uses Entra ID as the Identity Provider (IdP) to log in to Zivver with SSO. Read more about Single Sign-On
Prerequisites
- You are a Zivver administrator.
- You have access to and knowledge of Entra ID.
- You have configured SSO with Entra ID according to the configuration manual. Read the Entra SSO configuration manual.
- You have access to the Zivver Synctool.
Generic troubleshooting - check this first
- Make sure the user has a Zivver account and that the Status is Active. Open the Accounts page in the Zivver WebApp.
- Use Google Chrome or Firefox, as these browsers are best for viewing SAML errors. Do not use Internet Explorer.
Error: “error” : “Required attribute ‘https://zivver.com/SAML/Attributes/ZivverAccountKey' is missing. Please map this attribute to a unique user-specific value that is not known by ZIVVER, for example ‘objectSid’ or another GUID.”
Problem
Logging in to Zivver via SSO returns the SAML error shown above.
Cause
This error can have the following causes:
- The ZivverAccountKey attribute claim was not set up correctly in the SSO application.
- The source attribute used in the ZivverAccountKey claim is misconfigured or empty. In practice, the empty source attribute mentioned above is most often caused by synchronization issues of the ObjectGUID between Entra ID and AD.
Solution
Possible fixes are as follows:
- Ensure the ZivverAccountKey claim is configured according to our documentation.
- Verify that the source attribute is set up correctly (not typed or copied from the manual). In hybrid environments, ensure that Entra ID Connect Sync is configured correctly and that the ObjectGUID extension attribute is included in the ZivverAccountKey attribute claim.
Problem: password required
When users log in with their Entra ID credentials, they encounter this notification in Zivver:
Password required
For “name@example.com”
Please enter your password in order to start using Zivver. You will only have to do this once.
This means that the Zivver password for this account is different from the password provided by Entra ID. Zivver requires the user’s Zivver password to connect it with the Entra ID credentials (workplace credentials). After connecting the two, users can log in with their workplace credentials instead of a Zivver password. There are five main causes for the notification above.
Cause - The User Principal Name is different from the primary email address
By default, Entra ID returns the User Principal Name (UPN) as the Unique User Identifier to Zivver. Zivver may prompt the user for a password if the primary email address differs from the UPN.
Solution
Configure the Entra ID Enterprise application for SSO in Zivver to use user.mail instead of user.userprincipalname as the Unique User Identifier:
- Go to https://portal.azure.com.
- Select Enterprise applications.
- Find and click Zivver in the list of Enterprise applications.
- Under Manage, click Single sign-on.
- At Attributes & Claims, click Edit.
- Click Unique User Identifier (Name ID).
- At Source attribute, select user.mail from the dropdown.
- Click Save.
Entra ID now returns the user’s primary email address instead of the UPN. The user can log in to Zivver at https://app.zivver.com without entering a Zivver password.
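To see what Entra ID actually sends, both the Name ID discussed in this section and the ZivverAccountKey attribute from the error above, you can inspect a captured SAML response offline. The following is an added example, not Zivver or Microsoft code; it assumes you copied the base64 SAMLResponse form value from the browser's developer tools, and the function names and sample values are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACCOUNT_KEY = "https://zivver.com/SAML/Attributes/ZivverAccountKey"  # name from the error text


def inspect_saml_response(b64_response, primary_email):
    """Diagnostic only: reads claims, does NOT verify the response signature."""
    xml = base64.b64decode(b64_response)
    # A SAML response never needs a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations are not expected in a SAML response")
    root = ET.fromstring(xml)
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    status = "missing"  # claim not present in the response at all
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ACCOUNT_KEY:
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
            status = "ok" if any(values) else "empty"  # present, but source attribute is empty
    return {
        "name_id": name_id,
        "name_id_is_primary_email": name_id.lower() == primary_email.lower(),
        "account_key": status,
    }


def constructed_response(name_id, account_key_values):
    """Build a minimal, unsigned SAML response (constructed sample, not real IdP output)."""
    attr = ""
    if account_key_values is not None:
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in account_key_values)
        attr = f'<saml:Attribute Name="{ACCOUNT_KEY}">{vals}</saml:Attribute>'
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Constructed case: UPN sent as Name ID and no ZivverAccountKey claim.
    sample = constructed_response("j.doe@corp.example", None)
    print(inspect_saml_response(sample, "jane.doe@example.com"))
```

A result of "missing" or "empty" for account_key corresponds to the two causes listed for the required-attribute error; name_id_is_primary_email being False corresponds to the UPN mismatch described in this section.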
Cause - Account created before SSO implementation
The user created a Zivver account with a Zivver password. Examples include:
- Pilot users created accounts before SSO was enabled in Zivver.
- Users adopted free accounts in the WebApp. Free accounts have Zivver passwords that must be connected to workplace credentials at first login.
- Freemium accounts created before your organization claimed your domain. Freemium Zivver accounts always use a Zivver password.
Solution
If the user knows their Zivver password, they can enter it at the Password required prompt. This is a one-time action.
If the user does not know their Zivver password, an administrator can reset it in the Zivver admin panel:
- Log in to the Zivver WebApp.
- Click Organization Settings.
- Expand User administration.
- Click Accounts.
- Search for the specific user.
- Click .
- Scroll down to Security and login.
- Click .
- Enter the new password.
- Leave the User should choose another password after the next login option unchecked.
- Click .
Cause - Mismatch between passwords in Entra ID and AD on-premise
The password used to create the Zivver account does not match the password provided by Entra ID. The ZivverAccountKey used for account creation must be identical to the ZivverAccountKey in the Entra ID SAML response.
Solution
Ensure Synctool and Entra ID use the same attribute for the ZivverAccountKey:
- Synctool: Sources > Specific user source > Users.
- Entra ID: portal.azure.com > Enterprise applications > Zivver - Single sign-on > SAML-based sign-on.
In hybrid environments, Active Directory attributes can be used to create accounts in Synctool. Often, objectGUID serves as the ZivverAccountKey. Not all attributes are synced to Entra ID by default, so if objectGUID is used, it must be synchronized to Entra ID using Entra Connect Tool and the Synchronization Rules Editor.
Please contact support.
Cause - Account created before Zivver SSO configuration
Accounts created before SSO was enabled may have a temporary password. ZivverAccountKey must be updated for these users:
Steps to update ZivverAccountKey in Synctool:
- Open Synctool.
- Select the profile used to create pre-SSO accounts.
- Expand Syncing.
- Click Synchronization Options.
- Check Update the password/accountkey for all users in local data.
- Click Manual Synchronization.
- Click .
- Click .
- Clear Update the password/accountkey for all users in local data under Syncing > Synchronization Options.
- Close Synctool.
After this, users who saw the Password required prompt should be able to log in.
Cause - Account created with temporary password
If the Users log in via SSO option was disabled in Synctool, accounts are created with temporary passwords. SSO users cannot use temporary passwords because passwords are managed by the Identity Provider.
Solution
Overwrite the ZivverAccountKey for affected users:
- Open Synctool.
- Select the profile for accounts with temporary passwords.
- Expand Target (Zivver).
- Select Connection.
- Enable Users log in via SSO.
- Expand Syncing.
- Click Synchronization Options.
- Enable Update the password/accountkey for all users in local data.
- Click Manual Synchronization.
- Click .
- Click .
- Disable Update the password/accountkey for all users in local data under Syncing > Synchronization Options.
- Click .
- Close Synctool.
Affected users can now log in.
AADSTS error codes
Entra ID has a large array of error codes that can be returned from the Security Token Service (STS). An Entra ID STS error code always has this format: AADSTS50105. The first part, AADSTS, stands for Azure Active Directory Security Token Service; the latter part (50105) is the actual error code.
For an example, refer to AADSTS50105 at login with Entra ID.
For a list of AADSTS error codes, refer to Microsoft’s AADSTS error codes document. The document contains descriptions, fixes, and workarounds.
Still need help?
Did you find the information that solves your problem? If not, speak to Zivver support. Give this information:
- What error do you get in your browser when logging in to https://app.zivver.com?
  - Password required
  - An AADSTS error
  - Something else, namely …
- Which email addresses are affected?
- Does SSO work for applications other than Zivver?
- Does SSO work on a different machine? For example:
  - Local or virtual
  - Different Virtual Desktop Infrastructure (VDI) sessions
- Are you using Entra ID in conjunction with AD on-premise?
You can attach this information to a support request.
Contact support