Sometimes a user's SSO login to our application fails because the user does not have a tenant_id assigned. A tenant ID is the unique identifier given to each company on our platform, and every user must have one so the application knows where to authenticate them.
Typical situation
A user attempts to SSO into our application and receives a login error. Let's hop into Auth0 to see what's going on.
Auth0 Steps
- In the left-hand menu expand User Management and then click Users.
- Search for the user in question.
- Click the user, then click History. You will likely see a series of Failed Logins and Success Logouts.
- Click one of the Failed Login errors. "Cannot read property 'includes' of undefined" indicates the user does not have a tenant_id assigned.
- On that same user, navigate to the Details tab to confirm our suspicions. If app_metadata is empty, the user is orphaned: no permissions, no roles, and no tenant ID.
- Find a healthy user and copy their app_metadata. Which app_metadata we copy depends on whether this user is an Admin or a Participant. Let's assume that this situation involves a Customer Admin. The image is the app_metadata of a healthy Customer Admin user. Copy all of it and paste it into the errored user's app_metadata, but don't save just yet: we still need to find their tenant ID and replace the value we copied over!
Finding the tenant ID
- Navigate to the training platform and search for the company in question. Hit F12 to open developer tools, click the Network tab, then click the company.
- Once the company page has completely loaded, you can click the red dot to stop recording network traffic. Search for tenant_id in the filter box and there should be a few entries referencing that ID.
- Double-click one of the entries and it will open a new tab with that URL. Simply copy the end of the URL containing the tenant ID.
- In the errored user's app_metadata, overwrite the tenant ID you copied from the healthy user with the one you just found, then click Save.
Note: Reindexing may need to occur before this change is locked into place. Consult with a member of the engineering team on making your change immediate.
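
A pre-save check for the copy-and-overwrite steps above, as an added example (not part of the original runbook or the platform's code): it lists users with no tenant_id, then builds the repaired app_metadata from a healthy donor of the same role and reports every field where the donor's tenant ID was swapped. The key names inside app_metadata other than tenant_id, the role name, and all sample IDs are assumptions.

```javascript
// Constructed sample data: key names inside app_metadata (tenant_id, roles,
// scope) are assumptions for illustration, not the platform's real schema.
const sampleUsers = [
  { user_id: "samlp|acme|alice", app_metadata: {
      tenant_id: "tenant-aaa", roles: ["customer_admin"], scope: "org:tenant-aaa" } },
  { user_id: "samlp|globex|bob", app_metadata: {} },
  { user_id: "samlp|globex|carol" },
];

// Orphaned = app_metadata missing/empty, or no usable tenant_id in it.
function findOrphans(users) {
  return users
    .filter((u) => {
      const t = u.app_metadata && u.app_metadata.tenant_id;
      return typeof t !== "string" || t === "";
    })
    .map((u) => u.user_id);
}

// Deep-copy `value`, swapping the donor tenant ID wherever it appears in a
// string and recording the path of every field that was changed.
function retarget(value, donor, target, path, changed) {
  if (typeof value === "string") {
    const out = value.split(donor).join(target);
    if (out !== value) changed.push(path);
    return out;
  }
  if (Array.isArray(value)) {
    return value.map((v, i) => retarget(v, donor, target, `${path}[${i}]`, changed));
  }
  if (value && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(
      ([k, v]) => [k, retarget(v, donor, target, path ? `${path}.${k}` : k, changed)]));
  }
  return value;
}

// Build app_metadata for the broken user from a healthy donor of the SAME role.
function buildRepairedMetadata(donorMeta, targetTenant, expectedRole) {
  const donor = donorMeta && donorMeta.tenant_id;
  if (!donor) throw new Error("donor has no tenant_id; pick a healthy user");
  if (!targetTenant) throw new Error("target tenant ID is required");
  if (!(donorMeta.roles || []).includes(expectedRole)) {
    throw new Error(`donor is not a ${expectedRole}; copying would grant the wrong role`);
  }
  const changed = [];
  const metadata = retarget(donorMeta, donor, targetTenant, "", changed);
  return { metadata, changed };
}
```

Review the `changed` list before saving: any entry besides tenant_id is a field that would otherwise have kept pointing at the donor's company.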
Why does this happen?
My suspicion is that either the user has not been manually imported yet or there is no company to authenticate to yet. If an SSO attempt occurs before the user is imported or before the company is created, it can cause tenant ID or merge issues, all resulting in failed logins.