This article provides guidance for customers who are experiencing issues with the single-sign on (SSO) functionality between their external AMS/CRM database and their Higher Logic environment.
NOTE: If your SSO functionality is "built-in" to your AMS/CRM, you should contact the AMS/CRM provider and work with them to troubleshoot and resolve your SSO issue.
Higher Logic is happy to work with you troubleshoot the issue but, in order to do so, requires some information. To help us investigate your SSO login issue, create a case with Higher Logic Support and provide the information that is outlined in this article.
TIP: Your cooperation and prompt responses better ensure that we can investigate your issue more quickly and work with you to resolve the issue.
User credentials
Valid user credentials are necessary for testing and troubleshooting, and are used exclusively for these purposes.
Having valid user credentials allows us to replicate the issue which is extremely valuable for debugging and testing potential fixes.
CAUTION: Do
not send actual active account passwords or sensitive credentials,
if possible.
If you do plan to send active account credentials, let us
know
in advance so that we can provide you with a secure
link in order to protect that data.
We recommend that you:
- Create a temporary test user account with appropriate access permissions for SSO troubleshooting.
- Assign the test user account to the SSO application in your Identity Provider (IdP).
Login page / URLs
In your request, include:
- The exact URL or link that you use to initiate the SSO log in.
- If your organization uses a custom subdomain or an SP-initiated URL, include that.
- Indicate any additional links/buttons to get to the Higher Logic pages.
Optional, helpful information
The following items have proven helpful for troubleshooting, but they are not required.
- a screenshot of or text of the error message that was encountered
- the date and time of the failed log-in attempt
- the IdP that is/was being used (e.g., Okta, Azure AD, Google Workspace)
Your Identity Provider
If you have contacted your IdP, in your request, let us know what transpired. Having this information can streamline troubleshooting, especially for configuration or metadata-related issues.
NOTE: We will use this information only to facilitate SSO issue resolution. We will not contact your IdP without your permission.
- What feedback or troubleshooting guidance, if any, did your IdP provide?
- Is there a technical contact at your IdP whom we can coordinate with? If so, provide that person's:
- name and
- email address (or their preferred contact method)
Your environment
It is helpful for us to know what has been going on in your environment. Having the following information could be beneficial and time-saving if we can more quickly target a "possible" cause.
In your request, let us know if any of the following have recently changed in your environment.
-
Identity Provider (IdP) configuration
(e.g., certificate rotation, metadata updates, SAML settings, attribute mappings, client secret, well-known data) -
Network infrastructure
(e.g., firewall rules, DNS changes, VPN settings, proxy updates) -
User or group assignments
(e.g., changes in role, user deactivation, reassignment of access policies) -
Timing-related issues
(e.g., time synchronization problems between IdP and application)
Sign-off
If your issue is with the "sign-off" procedure, in your request:
- Indicate the buttons or links that are used to log out.
- Indicate the behavior/landing page URL that is expected when the logout is complete.
Our commitment
Higher Logic is committed to the success of all of our customers and will work to minimize the duration of any disruption to your Higher Logic experience.
SSO support in Higher Logic
Higher Logic supports the following SSO methods only:
- OAuth
- OIDC
- SAML
If your integration uses an older SSO methods, Higher Logic encourages you to consider updating to one of these supported methods.
Higher Logic's SSO documentation is located in Registration & SSO.