This article covers the errors you may encounter when you set up Delegated Authentication in MyAccount.
Setup errors
Errors may occur during Delegated Authentication set up when:
- Creating or editing a connection
- Testing a connection
Once Delegated Authentication is set up successfully, users may encounter errors when they are signing in to Nearmap via the IdP. To resolve these errors, see Troubleshoot Login Errors.
Resolving issues related to creating/editing a connection
Problem: One of the following error messages is displayed: "Check that you've provided the correct WS-Federation Metadata url." or "Check that you've provided the correct SAML-P Metadata url."
Resolution:
- Check that the Identity Provider Metadata URL is correct.
- Allow the metadata URL to be accessed from the IP addresses listed for the United States region in IP Addresses for Allow Lists.
- Allow SSL secure renegotiation for the URL host; you can check this using online tools such as https://www.ssllabs.com/ssltest/analyze.html.
NOTE: When copying the Identity Provider Metadata URL check you've copied the correct URL from the IdP and have included any query parameters. Typical URL patterns for the most common IdPs are:
IdP | URL pattern
---|---
AD FS | https://<My ADFS Domain>/FederationMetadata/2007-06/FederationMetadata.xml
Azure AD | https://login.microsoftonline.com/<Tenant ID>/federationmetadata/2007-06/federationmetadata.xml?appid=<Application ID>
Okta (WS-Federation) | https://<Tenant>.okta.com/FederationMetadata/2007-06/<Application ID>/FederationMetadata.xml
Okta (SAML-P) | https://<Tenant>.okta.com/app/<Application ID>/sso/saml/metadata
- For AD FS, <My ADFS Domain> is the domain of your AD FS server.
- For Azure AD, <Tenant ID> and <Application ID> are GUIDs (UUIDs) with the format 86102a89-f455-435d-b12a-fd30e45747a7.
- For Okta, <Tenant> is your tenant name; depending on your setup the URL may use your custom domain (eg okta.customer.com) or may use oktapreview.com instead of okta.com. <Application ID> is an alphanumeric string with the format ex1a2b3c4d5e6f7g8h9i.
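A quick sanity check for a copied metadata URL, added here as an example rather than a Nearmap tool: it matches the URL path against the patterns in the table above, confirms the scheme is https, and for Azure AD confirms that the appid query parameter was kept and is a GUID. The host names and application IDs used in the comments are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# GUID (UUID) format used by Azure AD tenant and application IDs.
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# URL path patterns for the IdPs documented above, keyed by IdP name.
PATTERNS = {
    "AD FS": re.compile(r"^/FederationMetadata/2007-06/FederationMetadata\.xml$"),
    "Azure AD": re.compile(
        rf"^/{GUID}/federationmetadata/2007-06/federationmetadata\.xml$", re.IGNORECASE
    ),
    "Okta (WS-Federation)": re.compile(
        r"^/FederationMetadata/2007-06/[A-Za-z0-9]+/FederationMetadata\.xml$"
    ),
    "Okta (SAML-P)": re.compile(r"^/app/[A-Za-z0-9]+/sso/saml/metadata$"),
}


def check_metadata_url(url):
    """Return (matched IdP name or None, list of findings) for a metadata URL."""
    findings = []
    parsed = urlparse(url.strip())
    if parsed.scheme != "https":
        findings.append("scheme must be https")
    host = parsed.hostname or ""
    query = parse_qs(parsed.query)

    matched = next((name for name, pat in PATTERNS.items() if pat.match(parsed.path)), None)
    if matched is None:
        findings.append("path does not match any documented IdP metadata pattern")
        return None, findings

    if matched == "Azure AD":
        if host != "login.microsoftonline.com":
            findings.append("Azure AD metadata is expected on login.microsoftonline.com")
        # The appid query parameter is easy to lose when copying; check it survived.
        appid = query.get("appid", [""])[0]
        if not re.fullmatch(GUID, appid):
            findings.append("missing or malformed appid query parameter (copy the full URL)")
    elif matched.startswith("Okta"):
        # A custom domain is valid; flag it only so the operator can confirm it.
        if not (host.endswith(".okta.com") or host.endswith(".oktapreview.com")):
            findings.append("host is not okta.com/oktapreview.com; confirm it is your custom Okta domain")
    return matched, findings


if __name__ == "__main__":
    # Constructed example: an Azure AD URL that lost its ?appid=... on copy.
    print(check_metadata_url("https://login.microsoftonline.com/86102a89-f455-435d-b12a-fd30e45747a7/federationmetadata/2007-06/federationmetadata.xml"))
```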
Resolving issues related to testing a connection
Error: Sign in to Nearmap not allowed
If you see this error, we were not able to find an email address in the response from your IdP.
Resolution: Check that you have configured your IdP to send an email address according to the instructions in Supported Integrations.
Warning: Unable to automatically sign up new users
If you see this warning, the response from your IdP lacks information required to create a new user. This will prevent sign up via JIT provisioning, and prevent your users from signing up via invitations.
Resolution: Check that you have configured your IdP to send the first (given) name and last (family) name according to the instructions in Supported Integrations.
NOTE: If you are unable to resolve these errors, contact Nearmap Support.
Other issues
For other test problems, it's worth checking that the Identity Provider Metadata URL is correct (see above). The following advice may also be useful.
Problem: Clicking START TEST doesn't open the IdP sign-in page; instead it displays an error.
Resolution: Share a screenshot of the error with Nearmap Support.
Problem: You're unable to authenticate on your IdP sign-in page.
Resolution: Check that you've entered the correct credentials for the IdP. For example, you might have configured a connection to a test IdP rather than your production IdP.
Problem: After authenticating on your IdP sign-in page, you see an error page in the browser (timeout, 404 Not Found, or other error).
Resolution: Share a screenshot of the error with Nearmap Support.