User not assigned access to login
When a user tries to sign in, they may receive an error message that the administrator has configured the Cheqroom application to block users unless they are specifically granted (‘assigned’) access to the application.
This is most likely because you’ve turned on User Assignment and have not provided this user with permissions. You can resolve this by turning off User Assignment in your identity provider (so that all users can access applications), or by assigning permissions to the user. Refer to your identity provider’s documentation for detailed instructions on assigning users to an app, listed below:
Okta: User is not assigned to this application
Microsoft Entra ID: AADSTS50105: Your administrator has configured the application Cheqroom to block users unless they are specifically granted ('assigned') access to the application
Onelogin: You do not have access to this application
Google: Service is not enabled for this user
App not configured for user
This error occurs when attempting to log in to Cheqroom while another Google account is already signed in to the browser. In most cases you will probably be logging in with your personal Gmail address instead of your work address.
This issue can be resolved in several ways:
Sign out of Google in the browser to ensure no Google accounts are active. Go to google.com, click the profile picture in the top right, and then choose Sign out of all accounts
If you are using Google Chrome, you can click on the user icon in the top right and switch to your work profile
User’s name is showing email
We will fall back to showing the email as a user’s name if we don’t get a valid Name, First name and/or Last name mapping value from the IdP, or if no mapping was configured for one of these fields.
To resolve this issue, please make sure your SSO Attribute Mappings are configured correctly for either:
Name
First name/Last name
Role with id <value> not found
The connection test result fails with an invalid value issue for Role mapping. This happens because the <value> your IdP is returning for role isn’t a valid role id.
To resolve this issue, please make sure you are returning valid role values from your IdP. See Configure how roles are managed for SSO
User group with id <value> not found
The connection test result fails with an invalid value issue for User group mapping. This happens because the <value> your IdP is returning for user group isn’t a valid user group id.
To resolve this issue, please make sure you are returning valid user group values from your IdP. See Configure how User Groups are managed for SSO
Missing email value
The connection test result fails with a missing value issue for Email mapping.
To resolve this issue, please make sure that:
The mapping value you entered as claim value for the email mapping is correct in Cheqroom. Please double-check for typos, as they are quite common.
Your IdP is returning a claim that matches the claim value you have configured in Cheqroom.
Invalid custom field value
Depending on the type of custom field you are using, you can get an invalid value issue when using a custom field mapping.
You can get more details about the invalid value issue by hovering over the invalid value badge.
Custom field types:
Dropdown List
When your IdP returns a value that isn’t defined yet as one of the possible options of the dropdown list you will get an invalid value error.
To resolve this issue, you need to update the custom field and make sure the custom field options include the value that is being returned by your IdP.
Email
When your IdP returns a value that isn’t a valid email you will get an invalid value error.
To resolve this issue, you need to update the claim mapping in your IdP and make sure you are returning a valid email as the claim value that you mapped to your Email custom field.
Hyperlink
When your IdP returns a value that isn’t a valid URL you will get an invalid value error.
To resolve this issue, you need to update the claim mapping in your IdP and make sure you are returning a valid URL as the claim value that you mapped to your Hyperlink custom field.
Round Number/Decimal Number
When your IdP returns a value that isn’t a valid number, an invalid value error is returned.
To resolve this issue, you need to update the claim mapping in your IdP and make sure you are returning a valid number as the claim value that you mapped to your Round Number/Decimal Number custom field.
Date
When your IdP returns a value that isn’t a valid date you will get an invalid value error.
To resolve this issue, you need to update the claim mapping in your IdP and make sure you are returning a valid date as the claim value that you mapped to your Date custom field.
Name ID value was not found in SAML Assertion
The connection test result fails with Invalid SAML response received: NameID value was not found in SAML Assertion. This is because your IdP doesn’t include NameID in the SAML response, which is required.
To resolve this, check the attribute mapping on your IdP and make sure NameID is returned in the SAML response.
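To see what your IdP actually returns, you can inspect the base64 SAMLResponse form value captured from the browser's network tab during a test login. The script below is an added example, not Cheqroom code: the function names, the sample response and the expected claim names ("email", "firstName") are assumptions for illustration. It covers both the missing NameID case and the claim-name mismatch described under Missing email value.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(b64_response, expected_claims):
    """Report NameID presence and attribute names in a captured SAMLResponse.

    Diagnostic only: the signature is not validated, so never use this
    output to make an authentication decision.
    """
    xml_bytes = base64.b64decode(b64_response)
    # Reject DTD/entity declarations before parsing (byte check assumes UTF-8).
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(xml_bytes)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    returned = [a.get("Name") for a in root.iterfind(
        ".//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)]
    return {
        "has_name_id": name_id is not None and bool((name_id.text or "").strip()),
        "returned_claims": returned,
        # Exact string comparison in this example: "mail" does not satisfy "email".
        "missing_claims": [c for c in expected_claims if c not in returned],
    }

def build_sample(subject_inner=""):
    """Constructed SAMLResponse (not from a real IdP), base64-encoded."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        f"<saml:Subject>{subject_inner}</saml:Subject>"
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="mail">'
        "<saml:AttributeValue>user@example.com</saml:AttributeValue>"
        "</saml:Attribute>"
        '<saml:Attribute Name="firstName">'
        "<saml:AttributeValue>Sam</saml:AttributeValue>"
        "</saml:Attribute>"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    # Assumed mapping for this example: the email claim is named "email".
    print(inspect_saml_response(build_sample(), ["email", "firstName"]))
```

A captured SAMLResponse contains user identifiers and attributes, so inspect it locally rather than pasting it into an online decoder.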
Invalid samlResponse or relayState from identity provider
If you receive the error message "Invalid State/RelayState provided" while attempting to log in to your SSO account, it usually means an IdP-initiated login attempt has occurred. Cheqroom only supports SP-initiated SSO, which requires all logins to be initiated from the Cheqroom login page: https://login.cheqroom.com.
Common Causes of This Error:
Testing SSO connection in your IdP
Some identity providers (e.g., Azure, Okta) offer a Test SSO Connection feature during SSO setup. However, this test often initiates an IdP-initiated login, which Cheqroom does not support.
Instead, use one of the following options:
Test SSO Connection in Cheqroom: Use the built-in Test Connection feature in the Cheqroom SSO configuration panel.
Login Directly Through Cheqroom: Try logging in via the Cheqroom login page: https://login.cheqroom.com.
Cheqroom app tile shown on user dashboard in IdP
Many identity providers (e.g., Okta, OneLogin, …) allow you to display applications that a user has access to on their dashboard. However, clicking the app tile initiates an IdP-initiated login, which Cheqroom does not support.
Because Cheqroom doesn’t support IdP-initiated login, you will need to hide the Cheqroom application and ask users to log in via the Cheqroom login page: https://login.cheqroom.com.
Note: Clicking the Cheqroom app tile in Okta will trigger an IdP-initiated SSO login which we don’t support
Note: Clicking the TEST SAML LOGIN button in Google will trigger an IdP-initiated SSO login which we don’t support
Note: Clicking the Cheqroom app tile in OneLogin will trigger an IdP-initiated SSO login which we don’t support
Some identity providers (e.g., Okta) provide a way to get around this. Please see our detailed instructions to configure Okta.
An error was encountered with the requested page
If your URL looks like https://<your_unique_id>.auth.us-west-2.amazoncognito.com/saml2/logout, this means a logout request (SLO) was attempted for a user but the IdP wasn’t able to find the login session. This can happen when the IdP restarts after a configuration change and user sessions are stored in memory rather than in a database.
There are several ways to resolve this issue:
You can close this window and try again.
Stop returning SingleLogoutService in your idp-metadata.xml; this will prevent us from triggering the SLO endpoint.
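If your IdP has no setting to disable SLO and you edit the metadata file yourself, the script below removes the SingleLogoutService entries and reports whether the file was signed. It is an added example, not Cheqroom code: the function name, the sample metadata and its entityID and endpoint URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata; entityID and endpoint URLs are placeholders.
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.com/meta">'
    '<md:IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:SingleLogoutService '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="https://idp.example.com/slo"/>'
    '<md:SingleSignOnService '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="https://idp.example.com/sso"/>'
    "</md:IDPSSODescriptor></md:EntityDescriptor>"
)

def strip_single_logout(metadata_xml):
    """Return (new_xml, removed_count, was_signed) for IdP metadata XML."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations are not allowed")
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    root = ET.fromstring(metadata_xml)
    # A ds:Signature covers the original content; any edit invalidates it, so
    # signed metadata must be re-exported or re-signed by the IdP instead.
    was_signed = root.find(f".//{{{DS}}}Signature") is not None
    removed = 0
    for idp in list(root.iter(f"{{{MD}}}IDPSSODescriptor")):
        for slo in idp.findall(f"{{{MD}}}SingleLogoutService"):
            idp.remove(slo)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed, was_signed

if __name__ == "__main__":
    new_xml, removed, was_signed = strip_single_logout(SAMPLE_METADATA)
    print(f"removed={removed} signed={was_signed}")
    print(new_xml)
```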