ebs Microsoft Entra ID and Google Workspace Integration Troubleshooting
The following sections cover possible scenarios you may encounter when implementing an Microsoft Entra ID or Google Workspace integration within ebs:
Standard error page displayed without redirecting to an external authentication page
A standard error page is displayed following:
-
A delayed loading of an external provider login page
-
ebs: ontrack displays a standard error page without redirecting to an external authentication page
Check for a miss-configured Identity Server URL. Review the ontrack log folder to identify the root cause of the error. The following error suggests a problem navigating to the Microsoft Entra ID authentication page.
System error messages
System error messages include:
-
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'. --->
-
System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'. --->
-
System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found)
Confirm the correct URL has been entered for Microsoft Entra ID by browsing to <Identity Server URL>/.well-known/openid-configuration (for example: https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/.well-known/openid-configuration).
This will now produce a JSON document rather than a 404 error.
Successfully login to an Microsoft Entra ID account, but a 'Pick an account' error message is displayed
Successfully login to Microsoft Entra ID account, but the following error message is displayed:
This is a valid error message and will be displayed if trying to use a valid Microsoft Entra ID account to access a tenant that you are not authorised for (for example: a user from College X trying to access ontrack for College Y).
Successfully login to a Google account, but an 'Authorization Error' message is displayed
Successfully login to a Google account, but the following error message is displayed:
This is a valid error message and will be displayed if trying to use a valid Google account to access a client that you are not authorised for (for example: a user from College X trying to access ontrack for College Y).
Successfully login to an Microsoft Entra ID account, but an 'Need admin approval' error message is displayed
Successfully login to an Microsoft Entra ID account, but an error message like the following is displayed:
This message is displayed when an administrator has not granted permission for all users to use this application. Either grant permission in Microsoft Entra ID or log in as an administrator and Accept the consent on behalf of all users.
Successfully login to an Microsoft Entra ID account, but a 'Sorry, but we're having trouble signing you in' error message is displayed
Successfully login to an Microsoft Entra ID account, but an error message like the following is displayed.
Confirm the Redirect URL configured in Azure matches your website URL. Also ensure that the website is being accessed directly using https, as this error might be seen if using http (even if redirected to https).
Successfully login to an external account, but ontrack shows a standard error page
Successfully login to an external account, but ontrack shows a standard error page:
Review the ebs: ontrack log folder to identify the root cause of the error.
The signed in user '{EmailHidden}' is not assigned to a role for the application
The signed in user '{EmailHidden}' is not assigned to a role for the application.
This error indicates a valid user has tried to log in to an application for which they do not have a role in Microsoft Entra ID (for example: ontrack Hub has been configured in Microsoft Entra ID to only be accessible by named staff members, and a person not in this group has tried to log in).
OpenIdConnectMessage.Error was not null message is displayed
OpenIdConnectMessage.Error was not null, indicating an error. Error: 'unsupported_response_type'. Error_Description (may be empty): '<id>: response_type 'id_token' is not enabled for the application.
In Azure portal, ensure that ID tokens is selected in the Authentication\Implicit grant section.
ebs: ontrack Error: Underlying Rest service exception - Unauthorized(401) message is displayed
ebs: ontrack Error: Underlying Rest service exception - Unauthorized(401).
If an error like this is shown, then review the Web Services log folder for further details of the underlying REST error.
Web Services Error 'No claim name provided for ID token' message is displayed
The claim name identified here is the one configured in the OIDC reference data settings. The error suggests that the ebs configuration is incorrect. Check the “Default OIDC issuer” institution setting exactly matches the record created in OIDC Issuers reference data, and that the claim name property is populated.
Web Services Error 'Following Claim name: <propName> not found in IdToken' message is displayed
The claim name identified here is the one configured in the OIDC reference data settings. This error means that the IdToken retrieved from the external authentication provider does not contain a property with this name. Note that Microsoft Entra ID will not send a valid property that is not populated (for example: it either means the token does not contain this property, or the user does not have a value in it).
Fail to find any mapped user
Fail to find any user for the following mapping College Email => <forename>.<surname>@ebsTribalCollege.onmicrosoft.com.
This message will be shown if either a user with the matching element does not exist, or if the system matches more than one user back to the specified criteria. (for example: either there is no learner with this college email or there is more than one user with this email address).
You might encounter the following scenarios when Microsoft Entra ID or Google Workspace is used with OIDC authentication:
The database host, port or service name is incorrect error message is displayed
You are attempting to log in, but the following error message is displayed:
This error message will be displayed if the DatabaseServername is correct in the customer configuration file.
The database name is incorrect error message is displayed
You are attempting to log in, but the following error message is displayed:
This error message will be displayed if the DatabaseName or DatabaseType values are incorrect in the customer configuration file or in the shortcut parameters.
The OIDC configuration is missing error message is displayed
You are attempting to log in, but the following error message is displayed:
This error message will be displayed if there are missing or incorrect client ID or ID token scope values in institution settings and/or reference data.
The incorrect role error message is displayed
You are attempting to log in, but the following error message is displayed:
This error message will be displayed if the user does not have the ebs Central User role.
The OIDC configuration is not provided error message is displayed
You are attempting to log in, but the following error message is displayed:
This error message will be displayed if the OIDC value is incorrect in the customer configuration file.
The authentication failed error message is displayed
You are attempting to log in, but the following error message is displayed:
This error message will be displayed if the user account is incorrect, not found or if multiple user accounts exist, or if the OIDC Issuer is incorrect in reference data.
The database refused credentials error message is displayed
You are attempting to log in, but the following error message is displayed:
This error message will be displayed if the ebsAuthPwd value is incorrect in the customer configuration file.