File IQ Single Sign-On (SSO) Troubleshooting


The purpose of this guide is to help diagnose issues with the setup or operation of the Nasuni File IQ Single Sign-On capability. The document provides:

  • The new Health Check in the Nasuni File IQ Status User Interface.

  • A Troubleshooting guide for commonly encountered issues.

Note: The following File IQ dashboards are only available on the premium version of File IQ.

Nasuni File IQ Single Sign-On Health Check

To verify the health status of the Single Sign-On in Nasuni File IQ, follow these steps:

  1. Log in to the Nasuni File IQ User Interface as an Administrator: https://FILE_IQ_FQDN:8443

  2. Click File IQ UI → Nasuni File IQ Status.

  3. Navigate to the Nasuni File IQ Single Sign-On Health Check section.

  4. Review the status:

    A green checkmark indicates that SSO is functioning correctly.

    A warning icon indicates that SSO is not configured or has potential issues, such as misconfigurations or connectivity problems.

  5. If an issue is detected, click the provided troubleshooting links for further guidance.

Check Name: Nasuni File IQ Single Sign-On Configuration
Failure Type: WARNING
Description: The health check should pass, but display an INFO message stating that SSO is not enabled.

Check Name: Nasuni File IQ Single Sign-On health check
Failure Type: ERROR
Description: File IQ SSO performs a connection test with the provider and indicates either a success or an error.

Note: If SSO is not enabled, the health check displays the same warning as the configuration check.

General Troubleshooting Tips

The following steps can help diagnose commonly faced issues when Nasuni File IQ users cannot log in to the Dashboard.

Microsoft Entra ID and Okta

  • Validate that Client ID, Secret, and Tenant ID are correct.

  • Validate that the Secret has not expired in Microsoft Entra ID.

Note: The Okta secret does not expire.

Nasuni File IQ Dashboard Logs

The File IQ Dashboard logs located in the Nasuni File IQ SSO User interface can help confirm if there are any error messages related to failed authentication or authorization.

To view the logs, follow these steps:

  1. Log in to the Nasuni File IQ User Interface as an Administrator: https://FILE_IQ_FQDN:8443

  2. Click Configuration → Single Sign-on. The Nasuni File IQ Single Sign-On Configuration wizard page displays.

  3. Click the Download File IQ Dashboard logs link to access the logs file and review for any error messages.

Tip: Ensure cookies and JavaScript are enabled in the web browser used by the Nasuni File IQ Dashboard users.

Identity Provider-Specific Troubleshooting

Okta

Error Message

Possible cause

Resolution

Okta validation failed

 

Okta redirect URL is not set correctly.

You must access the Okta Admin Console and configure the redirect URL with the Nasuni File IQ FQDN. Also, ensure that all users connect to the Nasuni File IQ appliance with the FQDN, not the IP address.

Expected sign-in redirect URI is: https://<FILE_IQ_FQDN>:3000/login/okta

For more information, see: https://developer.okta.com/docs/guides/sign-into-web-app-redirect/main/

Okta validation failed with status code 401: Invalid value for Client ID or Tenant ID parameter

The provided Client ID or Tenant ID is incorrect in the Nasuni File IQ SSO Configuration.

  1. Verify that the Client ID and Tenant ID configured in the Nasuni File IQ SSO settings match the values in the Okta application settings.

  2. Check for typos or missing characters in the credentials.

  3. Ensure the Okta application is correctly assigned to the users attempting to log in.

Okta validation failed with status code 401: The client secret supplied for a confidential client is invalid.

The Client Secret provided in the Nasuni File IQ SSO Configuration is incorrect or does not match the value configured in Okta.

  1. Verify the Client Secret:

    • Go to the Okta Admin Console → Applications → Select your application.

    • Navigate to Client Credentials and ensure the Client Secret matches the one configured in Nasuni File IQ SSO Okta configuration settings.

  2. If necessary, regenerate the Client Secret:

  • If unsure, regenerate a new Client Secret in Okta and update the Secret Value in the Nasuni File IQ Single Sign-On configuration UI.

Okta validation succeeded during setup, but user cannot log in.

The Nasuni File IQ SSO Test Configuration button returns a successful test, but the Nasuni File IQ user still cannot log in to the Nasuni File IQ Dashboard.

User not assigned to the Okta application or incorrect role or group mapping

User not assigned to the Okta application.

  • Ensure the user is assigned to the Okta App Integration configured for Nasuni File IQ Dashboard.

  • In the Okta Admin Panel, go to Applications → Select the Nasuni File IQ App → Assignments and verify the user is listed.

Incorrect Role or Group Mapping

  • Verify that the user belongs to the correct Okta groups required for Nasuni File IQ Dashboard access.

  • Check the role mapping settings in Nasuni File IQ SSO Okta configuration.

  • If using group-based access control, ensure the group names in Okta match those in the Nasuni File IQ SSO Okta configuration.

Users can define which Okta groups are allowed to log in by setting the File IQ SSO setting, for example:

  • Allowed Group = Admins, Developers, SupportTeam

  • This means that only members of these groups (Admins, Developers, SupportTeam) can log in to Nasuni File IQ Dashboard. Users outside these groups will be denied access. Nasuni File IQ SSO maps all the users to the Viewer role.

Check the Nasuni File IQ Dashboard logs for more information.

Page not found message when trying to log in to Nasuni File IQ Dashboard

The sign-in/sign-out redirect URL is incorrect in the Okta Admin Console.

Review the configured URLs in the Okta Admin Console. Also, ensure that all users connect to the Nasuni File IQ appliance with the FQDN, not the IP address.

Login failed. User not a member of one of the required groups

OpenID Connect ID Token Group claim not configured correctly.

User not assigned to the Okta application.

  • Ensure the user is assigned to the Okta App Integration configured for Nasuni File IQ Dashboard.

  • In the Okta Admin Panel, go to Applications → Select the Nasuni File IQ App → Assignments and verify the user is listed.

Incorrect Role or Group Mapping

  • Verify that the user belongs to the correct Okta groups required for Nasuni File IQ Dashboard access.

  • Check the role mapping settings in Nasuni File IQ SSO Okta configuration.

  • If using group-based access control, ensure the group names in Okta match those in the Nasuni File IQ SSO Okta configuration.

Users can define which Okta groups are allowed to log in by setting the File IQ SSO setting, for example:

  • Allowed Group = Admins, Developers, SupportTeam

  • This means that only members of these groups (Admins, Developers, SupportTeam) can log in to the Nasuni File IQ Dashboard. Users outside these groups will be denied access. Nasuni File IQ SSO maps all the users to the Viewer role.

Check the Nasuni File IQ Dashboard logs for more details.
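
For the "User not a member of one of the required groups" entry above, the following added Python example (not part of the Nasuni documentation or product code) decodes the payload of an ID token captured during a failed login and compares its group claim with the Allowed Group setting. The claim name groups, exact name matching, comma-only splitting, and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json

ALLOWED_GROUP_SETTING = "Admins, Developers, SupportTeam"  # example value from this page


def decode_claims(id_token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_group_login(id_token, allowed_setting, claim="groups"):
    """Return (verdict, groups) explaining the allowed-group outcome for a token.

    Assumptions: the claim is named "groups" and names are compared exactly.
    """
    allowed = [g.strip() for g in allowed_setting.split(",") if g.strip()]
    claims = decode_claims(id_token)
    if claim not in claims:
        return "no-claim", []  # the IdP is not sending the group claim at all
    groups = claims[claim]
    if isinstance(groups, str):  # tolerate a single string value
        groups = [groups]
    matched = [g for g in groups if g in allowed]
    if matched:
        return "allowed", matched
    folded = {a.casefold() for a in allowed}
    near = [g for g in groups if g.strip().casefold() in folded]
    return ("near-miss", near) if near else ("not-member", [])


def constructed_token(claims):
    """Build an unsigned sample token (constructed here, not a real Okta token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    samples = {
        "member": {"sub": "alice", "groups": ["Everyone", "Developers"]},
        "claim missing": {"sub": "bob"},
        "wrong case": {"sub": "carol", "groups": ["developers"]},
    }
    for label, claims in samples.items():
        print(label, diagnose_group_login(constructed_token(claims), ALLOWED_GROUP_SETTING))
```

A no-claim verdict points at the ID token group claim configuration in Okta; near-miss and not-member point at group naming or membership.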

OAuth validation error: HTTPSConnectionPool(host='mycompany.okta.com', port=443)

This error means that the File IQ cannot reach the identity provider (Azure AD or Okta) over the network. The most likely cause is that outbound firewall rules are blocking access to required endpoints.

To resolve this issue, ensure the File IQ has outbound access to the identity provider over port 443 (HTTPS). This typically involves updating firewall rules to allow communication with Azure AD or Okta endpoints such as login.microsoftonline.com or *.okta.com. DNS resolution (port 53) must also be permitted to resolve these domains. If the environment uses a proxy, ensure proxy settings are correctly configured and the identity provider domains are not blocked.

Microsoft Entra ID

Error Message

Possible cause

Remediation

Validation failed for the provided input in the Nasuni File IQ User Interface.

Ensure all fields meet the required format and constraints.

  1. Incorrect Format

  2. Unexpected Characters

  1. Incorrect Format: Ensure that:

    1. Application ID and Tenant ID are valid UUIDs (e.g., xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).

    2. Client Secret follows the expected format (typically a long alphanumeric string).

  2. Missing or Empty Fields: Double-check that none of these fields are empty or incorrectly populated.

  3. Unexpected Characters: Ensure no extra spaces, line breaks, or hidden characters are included.

OAuth validation failed with status code 400: unauthorized_client - AADSTS700016

Application with identifier <IDENTIFIER> was not found in the directory 'MyCompany'.

This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

  • The Client/Application ID provided in the Nasuni File IQ SSO configuration is incorrect or does not match the value configured in Microsoft Entra ID.

  • Application ID is incorrect or not registered.

  • The application is not assigned to the tenant.

  • Admin consent is required, but not granted.

  • Invalid redirect URIs.

Application ID Is Incorrect or Not Registered

  1. Go to Microsoft Entra ID Portal: https://entra.microsoft.com.

  2. Navigate to: Microsoft Entra ID → App registrations.

  3. Search for the Application ID, for example: (04fa61a5-e54b-4c06-90fd-b9711a613c43).

If it’s not found, ensure you are in the correct tenant (check the directory switcher at the top-right). If missing, re-register the application.

The Application Is Not Assigned to the Tenant

If the application exists but is not assigned to the <Customer> directory:

  1. Go to Enterprise Applications in the Microsoft Entra ID portal.

  2. Locate the application and verify it is assigned to the correct users or service principals.

If it’s missing, you might need to re-register the app in the correct tenant.

Admin Consent Is Required

If the application requires admin consent, contact an administrator to grant the consent.

Verify Redirect URIs

In the App registration settings, go to Authentication → Check Redirect URIs.

Ensure the URI matches the one Nasuni File IQ Dashboard uses (e.g., https://FILE_IQ_FQDN/login/azuread). Also, ensure that all users connect to the Nasuni File IQ appliance with the FQDN, not the IP address.

OAuth validation failed with status code 401: invalid_client - AADSTS7000215

Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to the app.

  • The client secret provided in the Nasuni File IQ SSO configuration is incorrect or does not match the value configured in Microsoft Entra ID.

  • Ensure you use the Client Secret value, not the Client Secret ID.

  • Verify that the Client Secret has not expired.

  • Verify that the application has the right permissions.

Ensure you use the client secret value, not the Client Secret ID.

In Microsoft Entra ID, when you create a Client Secret, you get:

  • Client Secret ID: This is a reference and cannot be used for authentication.

  • Client Secret Value: This is the secret used in authentication.

To confirm the correct value:

  1. Go to Microsoft Entra ID → App Registrations → Select your application.

  2. Navigate to Certificates & Secrets.

  3. Check if you're using the Client Secret Value.

If you don't have the value (it is hidden after creation), generate a new client secret and update it in the Nasuni File IQ Entra ID SSO configuration.

Verify that the Client Secret has not expired.

To verify the Client Secret is active:

  1. Go to Microsoft Entra ID → App Registrations → Select your application.

  2. Navigate to Certificates & Secrets → Client Secrets.

  3. Check the expiration date of your secret.

If expired, generate a new client secret and update Grafana.

Verify That the Application Has the Right Permissions

If the application is missing API permissions, the authentication might fail.

To ensure the correct permissions:

  1. Go to Microsoft Entra ID → App Registrations.

  2. Select your App → API Permissions.

  3. Ensure Microsoft Graph has the User.Read permission.

  4. (Optional) Click Grant Admin Consent if necessary.

OAuth validation failed with status code 400: invalid_request - AADSTS90002

Tenant 'xxxx' not found. Check to ensure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator; this might happen if there are no active subscriptions for the tenant.

The Tenant ID provided in the Nasuni File IQ SSO configuration is incorrect or does not match the value configured in the Microsoft Entra ID.

  • Verify that the Tenant ID is correct.

  • Check if you are using the correct authentication endpoint.

  • Verify that the tenant exists and is active.

  • Check if the application is assigned to the correct tenant.

Verify That the Tenant ID Is Correct

The Tenant ID must match the one assigned to your Microsoft Entra ID organization.

To confirm the Tenant ID:

Go to Microsoft Entra ID: https://entra.microsoft.com.

  1. Navigate to Microsoft Entra ID → Overview.

  2. Copy the Directory (Tenant) ID.

  3. Update your Nasuni File IQ SSO Configuration Tenant ID configuration with the correct value.

Verify the Tenant Exists and is Active

If the tenant has no active subscriptions, it might not be accessible.

To verify the tenant:

  1. Log in to Azure Portal: https://portal.azure.com.

  2. Navigate to Microsoft Entra ID → Licenses.

  3. Check if there is an active subscription.

  4. If no subscriptions exist, you might need to reactivate the tenant.

Check If the Application is Assigned to the Correct Tenant

If the application was registered in a different Azure AD Tenant, you must use the correct Tenant ID for authentication.

To check if the application is assigned to the correct tenant:

  1. Go to Microsoft Entra ID → App Registrations.

  2. Select your application and check the Tenant ID.

  3. Ensure this matches the Tenant ID in the Nasuni File IQ SSO Configuration UI.

Entra validation succeeded during the Nasuni File IQ SSO setup, but the user cannot log in

Allowed groups might not be configured.

Configure Allowed Groups

Microsoft Entra ID groups can be used to limit user access to the Nasuni File IQ Dashboard. For more information about managing groups in Microsoft Entra ID, see Manage Microsoft Entra groups and group membership.

To limit access to authenticated users who are members of one or more Entra ID groups, set Allowed Groups to a comma- or space-separated list of group object IDs in the Nasuni File IQ SSO configuration.

To find object IDs for a specific group on the Azure portal, go to Microsoft Entra ID Manage Groups.

Find a group's Object ID by clicking the group and clicking Properties. The object ID is listed under Object ID. For example, to give access only to members of the group with an Object ID of 8bab1c86-8fba-33e5-2089-1d1c80ec267d, set the following in the Nasuni File IQ SSO Entra configuration: Allowed Groups = 8bab1c86-8fba-33e5-2089-1d1c80ec267d.
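
The format checks from the validation, client secret, and Allowed Groups entries above can be run against values before they are pasted into the configuration UI. The following Python is an added example, not Nasuni code: the function names are hypothetical, the tenant, secret, and malformed group values are constructed, and flagging a UUID-shaped secret as a pasted Secret ID is a heuristic.

```python
import re
import unicodedata

UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def hidden_characters(value):
    """Return (index, name) for each whitespace, control or format character."""
    return [
        (i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
        for i, ch in enumerate(value)
        if ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf")
    ]


def check_entra_settings(application_id, tenant_id, client_secret, allowed_groups=""):
    """Return a list of problems found in the pasted SSO values (empty = clean)."""
    problems = []
    fields = (("Application ID", application_id, True),
              ("Tenant ID", tenant_id, True),
              ("Client Secret", client_secret, False))
    for name, value, must_be_uuid in fields:
        if not value:
            problems.append(f"{name}: empty")
            continue
        hidden = hidden_characters(value)
        if hidden:
            index, char_name = hidden[0]
            problems.append(f"{name}: {char_name} at index {index}")
        elif must_be_uuid and not UUID_RE.fullmatch(value):
            problems.append(f"{name}: not a UUID")
        elif not must_be_uuid and UUID_RE.fullmatch(value):
            # Heuristic: the Secret ID is a UUID, the Secret Value is not.
            problems.append(f"{name}: looks like the Secret ID, not the Secret Value")
    # Allowed Groups is a comma- or space-separated list of group object IDs.
    for object_id in re.split(r"[,\s]+", allowed_groups.strip()):
        if object_id and not UUID_RE.fullmatch(object_id):
            problems.append(f"Allowed Groups: {object_id!r} is not a valid object ID")
    return problems


if __name__ == "__main__":
    # Constructed input: trailing newline from copy/paste, a Secret ID pasted as
    # the secret, and one group object ID with an extra character.
    for problem in check_entra_settings(
        "04fa61a5-e54b-4c06-90fd-b9711a613c43\n",
        "11111111-2222-3333-4444-555555555555",
        "22222222-3333-4444-5555-666666666666",
        "8bab1c86-8fba-33e5-2089-1d1c80ec267d 8bab1c86-8fba-33e5-2089-1d1c80ec267dd",
    ):
        print(problem)
```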

Nasuni Sign-in error page displayed when user logs in to Nasuni File IQ Dashboard

The sign-in/sign-out redirect URL is incorrect in the Microsoft Entra ID Admin User Interface.

Fix the Redirect URLs in the Microsoft Admin UI. Also, ensure that all users connect to the Nasuni File IQ appliance with the FQDN, not the IP address.

Error “AADSTS900971: No reply address provided” displayed when user logs in to Nasuni File IQ Dashboard

The Graph API Permissions were not properly granted in the Microsoft Entra ID Admin User Interface.

Check the “Configure the Required Graph API Permissions in the Azure Portal” section in the File IQ Single Sign-On (SSO) document, especially the last step about Granting admin consent.

OAuth validation error: HTTPSConnectionPool(host='login.microsoftonline.com', port=443)

This error means that the File IQ cannot reach the identity provider (Azure AD or Okta) over the network. The most likely cause is that outbound firewall rules are blocking access to required endpoints.

To resolve this issue, ensure the File IQ has outbound access to the identity provider over port 443 (HTTPS). This typically involves updating firewall rules to allow communication with Azure AD or Okta endpoints such as login.microsoftonline.com or *.okta.com. DNS resolution (port 53) must also be permitted to resolve these domains. If the environment uses a proxy, ensure proxy settings are correctly configured and the identity provider domains are not blocked.
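
To tell a DNS failure from a blocked port 443, the following added Python example (not part of the Nasuni product or documentation) resolves each identity provider host and then attempts a direct TCP connection. It applies to both HTTPSConnectionPool entries on this page; mycompany.okta.com is the placeholder from the error text, the function names are hypothetical, and a direct connection does not exercise a proxy.

```python
import os
import socket

# Hosts named on this page; replace mycompany.okta.com with your own Okta domain.
IDP_HOSTS = ["login.microsoftonline.com", "mycompany.okta.com"]

HINTS = {
    "ok": "Reachable; look at credentials or redirect URIs instead.",
    "dns-failed": "Name did not resolve; check resolver settings and port 53.",
    "tcp-failed": "Resolved but no connection; check outbound 443 rules or proxy.",
}


def check_outbound(host, port=443, timeout=5.0):
    """Resolve host, then try a direct TCP connection to each address."""
    try:
        candidates = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"host": host, "status": "dns-failed", "detail": str(exc)}
    detail = "no usable address"
    for family, socktype, proto, _canon, sockaddr in candidates:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            return {"host": host, "status": "ok", "detail": sockaddr[0]}
        except OSError as exc:  # refused, timed out, unreachable
            detail = f"{sockaddr[0]}: {exc}"
    return {"host": host, "status": "tcp-failed", "detail": detail}


def proxy_in_use():
    """Return the configured HTTPS proxy, if any (a direct test bypasses it)."""
    return os.environ.get("HTTPS_PROXY") or os.environ.get("https_proxy")


if __name__ == "__main__":
    if proxy_in_use():
        print("HTTPS proxy configured:", proxy_in_use())
    for idp in IDP_HOSTS:
        result = check_outbound(idp)
        print(result["host"], result["status"], "-", HINTS[result["status"]])
```

Run it from a host on the same network segment and behind the same firewall rules as the File IQ appliance so the result reflects the appliance's outbound path.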

Troubleshooting References