CoopAI

SAML SSO troubleshooting

Error codes, fixes, and known limits for Enterprise SAML single sign-on.

Last updated: 2026-07-15

Use this page when SAML sign-in fails in the admin portal or VS Code extension. For initial setup, see Single Sign On (SSO).

Error code reference

CodeHTTPWhen it appearsFix
missing_org400GET /v1/auth/saml/start without org or orgIdPass your organization name or org UUID. Name lookup is case-insensitive.
sso_not_configured409 / 403SSO start, callback, or enabling Require SSO before IdP is savedAdmin portal → Settings → Single sign-on → save IdP Entity ID, SSO URL, and signing certificate with SSO enabled checked.
plan_required403Non-Enterprise org attempts SSOUpgrade org to Enterprise. SSO is not available on Free or Pro.
saml_validation_failed401IdP callback after assertion validation failsCheck IdP cert expiry, server clock skew, Entity ID / ACS URL match, and signed assertions (SHA-256). Re-download cert from IdP.
sso_required403Password or Google login or refresh when org enforces SSOUse Sign in with SSO (extension) or Continue with SSO (admin portal). Existing SAML sessions stay valid; password/Google sessions were revoked when Require SSO was enabled.
sso_required_active400Disabling SAML or unchecking Enable SSO while Require SSO is onAdmin portal → Settings → Single sign-on → turn off Require SSO first, then disable SSO.
sso_unavailable503SSO stores not wired on this API deploymentCoop operator: ensure Postgres migrations applied and API rebuilt with SSO routes — Enterprise deployment
missing_saml_response400IdP POST to callback without SAMLResponseIdP misconfiguration or interrupted redirect — retry from Test connection.
missing_relay_state400Callback without org in RelayStateUse SP-initiated login from Coop (/v1/auth/saml/start or admin Test connection), not IdP-initiated flows without RelayState.
sso_login_failed502Error building IdP redirect URLCheck idpSsoUrl is reachable and valid HTTPS.
invalid_certificate400Saving SSO config with bad idpX509CertPaste PEM (-----BEGIN CERTIFICATE-----) or base64 from IdP metadata — not a Coop session token.
admin_required403Member calls GET or PUT /v1/sso/config, or PUT /v1/sso/policyOrg admin or owner must read or save SSO settings.
email_not_verified403Google sign-in when Google reports the email is unverifiedVerify the address in your Google account, then try again.
rate_limited429Too many login, register, forgot-password, or reset-password attemptsWait ~15 minutes (~20 attempts per IP+email), then retry.
unauthorized401Missing or expired bearer on protected SSO APISign in again; for automation use a valid org API key on Enterprise.

Browser sign-in surfaces redirect to your redirect URL with ?error=<code>&message=… when format=json is not used.

SP URLs unavailable

If the admin portal Settings → Single sign-on panel shows empty Entity ID, ACS URL, or metadata links, your Coop operator must fix server configuration — org admins and end users do not set this themselves.

Org admin: Reload Settings → Single sign-on after your operator confirms the fix. Success looks like populated SP fields and a working Test connection.

Coop operator: Set the public API base URL on the API server and restart. Full steps (env vars, Docker restart, post-deploy validation): Enterprise deployment — SAML SSO.

Self-hosted deployments must use HTTPS in production so IdPs accept the ACS URL.

Common IdP issues

SymptomLikely causeFix
Missing email in assertionNo email attribute mappedMap email / user.mail in IdP, or use email-format NameID
Cert expiredRotated IdP signing certRe-download cert from IdP; Save SSO in admin portal
Audience mismatchWrong SP Entity ID in IdPUse Coop Entity ID exactly (default: metadata URL)
ACS mismatchWrong Reply URLUse the Coop ACS URL from admin Settings → Single sign-on (hosted: https://api.coop-ai.dev/v1/auth/saml/callback)
Clock skewServer time driftSync API host NTP; default tolerance is 5 seconds

Known limits

LimitDetail
SP-initiated onlyNo IdP-initiated login — start from Coop (/v1/auth/saml/start, admin Test connection, or extension Sign in with SSO)
No SCIMNo IdP-driven user sync — JIT provisioning on first SAML login; offboard via admin Users or offboard API
No assertion replay cacheInResponseTo replay protection is disabled on multi-instance backends. Signature, audience, and NotBefore / NotOnOrAfter checks still apply.
API key bypass under requireSsorequireSso blocks password and Google sign-in and refresh. Org API keys (coop_…) still authenticate automation endpoints — rotate or revoke keys for offboarded users.
Shared SPOne Entity ID and ACS URL for all Enterprise tenants; org resolved via RelayState — each IdP app must use the same SP values.
No session refreshSAML sessions expire after TTL (default 12h); users re-authenticate through the IdP — no silent refresh token.
JIT default roleFirst SAML login creates a member user; promote admins in Users or pre-create accounts.
Marketing site has no SSOcoop-ai.dev/login does not offer SSO — use admin portal or extension only.
IdP cert storageX.509 signing certificates are stored in plaintext in org_sso_config (unlike encrypted OAuth integration tokens)