Troubleshoot SSO Login Issues

This article will guide you through troubleshooting issues with logging into Infinite Campus using Single Sign-On (SSO) authentication.

Error: "Unable to logon" Message on Campus Login Screen After Logging into Identity Provider

Replication

When selecting the Single Sign-On button on the Campus login screen, I am successfully redirected to my Identity Provider's login screen. However, after completing the requirements on that screen, I am redirected back to the Campus login screen with a message of "Unable to log on," and I am not logged into Infinite Campus.

Likely Cause

The SSO integration sends over a value for the person logging in—a nameID. That nameID value must correspond to an existing username in Infinite Campus. If it doesn’t, you’ll encounter this issue.

Most Identity Providers send over a nameID value of the full email address by default, but this is typically configurable. If you are unsure of the nameID being sent, see the Look Up the NameID value section below. If you know for sure what nameID value your Identity Provider is sending out, you can jump to the Resolving nameID/username mismatches section.

Look Up the NameID Value

To confirm the nameID value your Identity Provider is sending, you can look through the system's configuration screens for a nameID option or work with its support team. 

You can also use a SAML-Tracer to confirm the nameID your Identity Provider is sending over:


  1. Install the web browser add-on SAML-Tracer: Chrome | Firefox
      • It’s important to use a tool from reputable sources when troubleshooting SAML. SAML-Tracer is an open-source browser extension developed by members of the SimpleSAMLphp project and is used by the support teams of Cirrus, Adobe, IBM, Okta, Qualys, etc.
  2. Navigate to your Infinite Campus login page.
  3. Press Alt+Shift+S to open the SAML-Tracer window. (Or open it by selecting Extensions > SAML-tracer in your browser bar.)
  4. On your Infinite Campus login page, click the Single Sign-On button.

    (You will be redirected to your Identity Provider’s login screen.)

  5. Complete your Identity Provider’s login process.

    (You will be redirected to Infinite Campus and will see the "Unable to login. (Show more)" error.)

  6. In the SAML-Tracer window, select the Pause button (not the Clear button) to stop recording.

    (You will see activity has been recorded in the SAML-Tracer screen.)

  7. In the recorded activity, focus specifically on the last item (furthest down) with an orange SAML label on the right.
    • The method should be POST, and its URL will look something like https://yoursite.com/campus/SSO/yoursite/SIS/?idpEntityID=...
  8. Select the SAML tab.

    Next, you want to search this SAML tab:

  9. Press Ctrl+F to open the Find dropdown. Type in nameID-format

Finally, you should find an entry similar to this one:

The NameID attribute between the > and </ is the value that your Identity Provider is sending to Infinite Campus for this user. In this example, it’s "exampleuser@example.com", but it could be anything. Is this the value you were expecting to see here? If not, that’s the issue.

The value here is what I was expecting. So why am I getting this error?

See the Resolving nameID/username mismatches section below. 

I did not find any NameID attribute

This indicates a configuration issue within your Identity Provider. This is something you’ll need to review in your Identity Provider configuration screens and/or make your Identity Provider’s team aware of.

The NameID attribute is not what I was expecting

Within your Identity Provider system, review the relevant configuration screen for the correct NameID-related preference. For guidance, follow up with your Identity Provider’s support team.

Resolving NameID/Username Mismatches

To follow these instructions, you will need to know the nameID value your Identity Provider is sending. See the Look Up the NameID value section above for assistance in finding the nameID.

Once you know what nameID value your Identity Provider is sending out for a user, make sure you have a valid Infinite Campus username that matches that value.

1. Review the Domain Suffix preference

In Infinite Campus, navigate to SSO Service Provider Configuration, select your SSO config, and expand Show Campus SSO Preferences.

If your Identity Provider sends out a nameID value that does not resemble a full email, ensure No Domain Suffix is selected.

If your Identity Provider does send out a nameID value that resembles a full email (like exampleuser@example.com), consider your two options:

  • No Domain Suffix - Use this when your Identity Provider sends over the full email, and in Infinite Campus your district has decided the Campus username should also be the full email (ex. exampleuser@example.com).

  • Remove a Domain Suffix - Use this when your Identity Provider sends over the full email, and in Infinite Campus your district has decided the Campus username should be the email prefix only (ex. exampleuser). Enter the domain suffix (ex. example.com) into the provided field (without the @).

2. Confirm the username exists

Do a user search within Campus for whatever nameID value (or nameID prefix if you’re using Remove a Domain Suffix) your Identity Provider is sending over. Select the username that returns in the search results. If a matching username does not exist, you’ve identified the cause of the issue—a matching username needs to exist within Infinite Campus.

3. Confirm the username's Authentication Type is correct

For that username, confirm the Authentication Type dropdown is set to SAML. (If your site has multiple SSO configurations, make sure it’s set to the correct SAML option.)
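
The three checks above can be rehearsed offline against a captured response. The following Python sketch is an added example, not Infinite Campus or SAML-Tracer code: it reads the NameID out of a SAML response and applies the Domain Suffix preference to show which username to search for. The sample response, the campus_users lookup, the exact-match comparison, and leaving a nameID unchanged when it lacks the configured suffix are all assumptions made for illustration; the script only reads the value and does not validate the response's signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: minimal unsigned response, as the SAML tab would show it.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">exampleuser@example.com</saml:NameID>
</saml:Subject></saml:Assertion></samlp:Response>"""

def extract_name_id(saml_response):
    """Return (value, Format) of the NameID, or None if the response has none.
    Accepts the XML text or the base64-encoded SAMLResponse form field."""
    text = saml_response.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("unexpected DTD in SAML response; refusing to parse")
    node = ET.fromstring(text).find(".//saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip(), node.get("Format")

def expected_username(name_id, domain_suffix=None):
    """domain_suffix=None models No Domain Suffix; a value such as
    "example.com" (no @) models Remove a Domain Suffix. A nameID that
    does not end with that suffix is returned unchanged (assumption)."""
    tail = "@" + domain_suffix if domain_suffix else None
    if tail and name_id.endswith(tail):
        return name_id[: -len(tail)]
    return name_id

def diagnose(saml_response, domain_suffix, campus_users):
    """campus_users maps username -> Authentication Type; it is a constructed
    stand-in for the Campus user search, compared by exact match (assumption)."""
    found = extract_name_id(saml_response)
    if found is None:
        return "no NameID sent: review the Identity Provider configuration"
    username = expected_username(found[0], domain_suffix)
    if username not in campus_users:
        return f"no Campus username matches {username!r}"
    if campus_users[username] != "SAML":
        return f"{username!r} exists but Authentication Type is not SAML"
    return f"{username!r} exists with Authentication Type SAML"

if __name__ == "__main__":
    print(diagnose(SAMPLE_XML, "example.com", {"exampleuser": "SAML"}))
```

A captured SAML response carries the user's identity data, so run a check like this on your own machine rather than pasting the response into an online decoder.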

If you continue to have issues and have not yet looked up the nameID value, it’s possible your Identity Provider is not sending the nameID value you assumed. See the Look Up the NameID Value section.

If you continue to have issues, have an Authorized Support Contact submit a support ticket through their Support Portal.