Introduction
This article covers errors you may encounter after setting up HCP OIDC SSO with Entra ID and how to resolve them. You can find our instructions on how to set up HCP OIDC SSO with Entra ID.
Problem
After setting up HCP OIDC SSO with Entra ID, you may run into this screen after entering your SSO email or after you have authenticated with your IdP.
Cause
The error is caused by one of the following:
- A misconfigured Issuer URL
- A missing email property under the user profile in Entra ID
- Misconfigured claims in Attributes & Claims tab of the Entra ID app
Solution
Issuer URL
Please ensure that you have the correct Issuer URL set in your SSO settings. The default Issuer URL looks similar to the following URL. Replace AD_TENANT_ID with your "Directory (tenant) ID", which you can find under Properties in your App registration.
https://login.microsoftonline.com/AD_TENANT_ID/v2.0
An alternative way to retrieve the Issuer URL is to go to App Registrations > Your App > Endpoints, copy the "OpenID Connect metadata document" URL, and paste it into your browser. The value you are looking for in the returned metadata is the "issuer" value.
Set email property
HCP SSO requires the email claim in order to create HCP users when SSO is enabled. Please make sure that your user has the email property filled out with the email that should be used for sign in.
Check Attributes & Claims
At a minimum, two claims are necessary for SSO to work. One of them, as mentioned in our official documentation, is the emailaddress claim mapped to the user.primaryauthoritativeemail attribute.
The other is the Required claim Unique User Identifier (Name ID), mapped to the user.userprincipalname attribute.
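The following script is an added example, not part of this article or of HashiCorp's tooling, that performs the Issuer URL and email claim checks described above offline: it compares the Issuer URL configured in HCP against the "issuer" value of the OpenID Connect metadata document and confirms a decoded ID token carries an email claim. The tenant id, metadata document and token claims below are constructed placeholders; accepting a namespaced ".../emailaddress" key as well as the plain "email" claim is an assumption.

```python
import json
from urllib.parse import urlparse

# Placeholder tenant id (not a real directory). A real check uses your
# "Directory (tenant) ID" from App registration > Properties.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# Constructed sample of the "OpenID Connect metadata document", trimmed to the
# one field this check reads. The live document is served at
# https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
SAMPLE_METADATA = json.dumps({"issuer": EXPECTED_ISSUER})

# Constructed sample of the decoded claims of an ID token for a test user.
SAMPLE_CLAIMS = {"iss": EXPECTED_ISSUER, "sub": "constructed-subject-id", "email": "user@example.com"}


def normalize(url: str) -> str:
    """Canonical form for comparison: lower-case scheme and host, no trailing slash."""
    p = urlparse(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def email_claim(claims: dict):
    """Return the email claim value if present. Accepts the plain 'email' claim or a
    namespaced '.../emailaddress' key (assumption: either spelling may appear)."""
    for key, value in claims.items():
        if key == "email" or key.endswith("/emailaddress"):
            return value or None
    return None


def check_sso_config(configured_issuer: str, metadata_json: str, claims: dict) -> list:
    """Compare the HCP-side Issuer URL with the metadata document and confirm the
    ID token carries the claims HCP needs. Returns findings; an empty list means OK."""
    findings = []
    real_issuer = json.loads(metadata_json).get("issuer", "")
    if normalize(configured_issuer) != normalize(real_issuer):
        why = ""
        if "AD_TENANT_ID" in configured_issuer:
            why = " (the AD_TENANT_ID placeholder was never replaced)"
        elif not normalize(configured_issuer).endswith("/v2.0"):
            why = " (expected the v2.0 issuer shown in the metadata document)"
        findings.append(f"issuer mismatch: configured {configured_issuer!r}, metadata says {real_issuer!r}{why}")
    if normalize(claims.get("iss", "")) != normalize(real_issuer):
        findings.append("token 'iss' claim does not match the metadata issuer")
    if email_claim(claims) is None:
        findings.append("no email claim in ID token: fill the user's email property and map the emailaddress claim")
    return findings
```

To check a live tenant, fetch the metadata document URL from the Endpoints page and pass its body as metadata_json, together with the decoded payload of an ID token issued to a test user.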