Introduction
This article covers errors you may encounter after setting up HCP OIDC SSO with Azure AD and how to resolve them. You can find our instructions on how to set up HCP OIDC SSO with Azure AD.
Problem
After setting up HCP OIDC SSO with Azure AD, you may run into this screen after entering your SSO email or after you have authenticated with your IdP.
Cause
The error is caused by one of the following:
- A misconfigured Issuer URL
- A missing email property under the user profile in AAD
Solution
Issuer URL
Make sure the Issuer URL in your SSO settings is correct. The default Issuer URL looks like the following, where AD_TENANT_ID must be replaced with your "Directory (tenant) ID", which you can find under Properties in your App registration.
https://login.microsoftonline.com/AD_TENANT_ID/v2.0
An alternative way to retrieve the Issuer URL is to go to App Registrations > Your App > Endpoints, copy the "OpenID Connect metadata document" URL, and open it in your browser. The value you are looking for is the "issuer" field in that document.
Set email property
HCP SSO requires the email claim in order to create HCP users when SSO is enabled. Make sure the user has the email property filled out with the email address that should be used for sign-in.
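The two checks above (issuer URL and email claim) can be scripted before a user is sent through the SSO flow. The following is an added example, not code from the article or from HashiCorp: it compares a configured Issuer URL against the "issuer" field of the OpenID Connect metadata document and checks a decoded ID-token payload for the email claim. The metadata document, the tenant GUID and the token payload are constructed samples; the function names and the "only a trailing slash differs" hint are this example's own.

```python
import json
import re
import urllib.request

# Constructed sample (not from the article): the shape of the "OpenID Connect
# metadata document" for an Azure AD v2.0 app registration. The tenant ID is a
# placeholder GUID, not a real tenant.
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/discovery/v2.0/keys",
})

# Shape of the v2.0 issuer: https://login.microsoftonline.com/<tenant GUID>/v2.0
V2_ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/v2\.0$",
    re.IGNORECASE,
)


def metadata_url(tenant_id: str) -> str:
    """Build the OpenID Connect metadata document URL for a tenant (v2.0 endpoint)."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def fetch_metadata(tenant_id: str, timeout: float = 10.0) -> str:
    """Download the metadata document (needs network access; the offline checks below do not use it)."""
    with urllib.request.urlopen(metadata_url(tenant_id), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def issuer_from_metadata(metadata_json: str) -> str:
    """Return the 'issuer' value from an OpenID Connect metadata document."""
    doc = json.loads(metadata_json)
    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or not issuer:
        raise ValueError("metadata document has no 'issuer' value")
    return issuer


def check_issuer(configured: str, metadata_json: str) -> list:
    """Compare the Issuer URL configured in HCP with the IdP's own issuer.

    Returns a list of problems; an empty list means the value is consistent.
    OIDC issuer comparison is an exact string match, so a trailing slash or a
    v1.0-style issuer (https://sts.windows.net/<tenant>/) will not match.
    """
    problems = []
    if "AD_TENANT_ID" in configured:
        problems.append("placeholder AD_TENANT_ID was not replaced with the Directory (tenant) ID")
    expected = issuer_from_metadata(metadata_json)
    if configured != expected:
        if configured.rstrip("/") == expected.rstrip("/"):
            problems.append(f"issuer differs only by a trailing slash: expected exactly {expected!r}")
        else:
            problems.append(f"configured issuer {configured!r} does not match metadata issuer {expected!r}")
    if not V2_ISSUER_RE.match(configured):
        problems.append("configured issuer is not of the form https://login.microsoftonline.com/<tenant-id>/v2.0")
    return problems


def check_email_claim(id_token_claims: dict) -> list:
    """Check a decoded ID-token payload for the email claim HCP needs to create the user."""
    problems = []
    email = id_token_claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        problems.append("ID token carries no usable 'email' claim; fill in the user's email property in Azure AD")
    return problems


if __name__ == "__main__":
    configured = "https://login.microsoftonline.com/AD_TENANT_ID/v2.0"  # placeholder left in place
    for p in check_issuer(configured, SAMPLE_METADATA):
        print("issuer:", p)
    # Constructed sample payload of an ID token for a user whose email property is not set.
    for p in check_email_claim({"sub": "user-subject", "preferred_username": "user@example.com"}):
        print("email:", p)
```

Against a real tenant, replace `SAMPLE_METADATA` with the output of `fetch_metadata(<your tenant ID>)`; the comparison is deliberately exact, because an OIDC relying party matches the issuer string byte for byte, so a trailing slash or the v1.0 `sts.windows.net` form is as much a mismatch as a wrong tenant ID.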