Single Sign-On (SSO) with Browser Extension Rollout can be a powerful way to enhance security and streamline access to various applications for users.
However, like any technology implementation, it can come with its own set of challenges.
General advice
ℹ️ Please make sure that all the data you enter is correct and uses the right syntax.
Here are some common issues that organizations may encounter when using SSO with browser extensions:
Error Messages
You need your Company ID; you can then visit the link for your region:
For EU Region:
https://sso-saml.userlane.com/c/USERLANE-COMPANY-ID/authenticate
For US Region:
https://sso-saml.us.userlane.com/c/USERLANE-COMPANY-ID/authenticate
- Invalid CompanyId
- Invalid Signature
- Error status Code 500
- PEM_read_bio_PUBKEY failed
- Outdated certification
- Invalid certificate format
- 422
If the link opens the login page of your IDP and shows no error but you are still not authenticated (no Company User shown in the Userlane Portal), check the Entry Point URL; it should usually contain the word "SAML". Check the XML file for the right Entry Point URL.
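One way to check a configured Entry Point URL against the IdP's XML file, as an added example that is not Userlane's own code: it lists the SingleSignOnService locations in SAML metadata and compares the configured value to them. The metadata, the idp.example.test host and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed IdP metadata for illustration; idp.example.test is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/entity">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/app/saml2/logout"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/app/saml2/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/app/saml2/sso-post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_endpoints(metadata_xml):
    """Map binding short name -> Location for each SingleSignOnService."""
    # Parse only metadata you exported from your own IdP.
    root = ET.fromstring(metadata_xml)
    path = ".//md:IDPSSODescriptor/md:SingleSignOnService"
    return {e.get("Binding", "").rsplit(":", 1)[-1]: e.get("Location", "")
            for e in root.iterfind(path, MD)}


def check_entry_point(configured_url, metadata_xml):
    """Return a list of problems with the configured Entry Point URL."""
    problems = []
    locations = sorted(sso_endpoints(metadata_xml).values())
    if configured_url not in locations:
        problems.append("not a SingleSignOnService Location in the metadata; "
                        f"candidates: {locations}")
    if "saml" not in configured_url.lower():
        problems.append('does not contain "SAML" (the rule of thumb above)')
    return problems


if __name__ == "__main__":
    for url in ("https://idp.example.test/app/saml2/logout",
                "https://idp.example.test/app/saml2/sso"):
        print(url, "->", check_entry_point(url, SAMPLE_METADATA) or "OK")
```

The logout URL in the sample contains "saml" yet is still flagged, which is why the comparison against the metadata is the stronger check.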
Extension shows "Userlane not running"
Make sure your application is added as an underlying application
Ensure that your software is added to your Portal. Sign in to the Userlane Portal. Click the Application dropdown then select Settings > Application URLs.
Review setup and syntax for Browser Extension Policies
Make sure companyID, integrityToken and region are set up correctly for the respective browser and use the right syntax.
How to check?
Right-click the Browser Extension, then click Options.
Navigate to Managed Storage.
Here you can see what information is currently being passed on.
Review whether the data that is being passed on is correct.
If any of these values is marked in red, it means that there is an error.
If there is no table visible, it means that the Browser has not been configured yet.
You need to configure the Browser to install the Userlane Extension through the options provided by the respective browser:
For any question regarding this, please reach out to your Userlane Customer Success Manager and IT team internally to confirm.
Content Security Policy
Should you have chosen Iframe as SSO Window Mode, it could be that your Content Security Policy does not support Iframes.
How to check?
Right-click the Browser Extension, then click Options.
Navigate to Managed Storage.
Should that be the case, you will see a message similar to this:
In this case, please try using Inactive or Active Tab as alternative SSO Window Mode in the Userlane Portal > Browser Extension.
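To see whether an application's Content Security Policy would block the SSO iframe, the following added example (not Userlane code) evaluates a CSP header value using the frame-src, child-src, default-src fallback. It assumes the iframe loads the authenticate URL shown earlier on this page; the policies and app.example.test are constructed, and source matching is simplified to scheme and host.

```python
from urllib.parse import urlsplit

# Assumption: the SSO iframe loads the EU authenticate URL from this page.
SSO_FRAME_URL = "https://sso-saml.userlane.com/c/USERLANE-COMPANY-ID/authenticate"


def frame_sources(csp):
    """Return the source list that governs iframes, or None if unrestricted."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:  # a repeated directive is ignored: the first one wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    for name in ("frame-src", "child-src", "default-src"):  # fallback order
        if name in directives:
            return directives[name]
    return None


def source_matches(source, frame_url, page_origin):
    """Match one CSP source expression (ports and paths are ignored)."""
    frame, src = urlsplit(frame_url), source.lower()
    if src == "'self'":
        page = urlsplit(page_origin)
        return (frame.scheme, frame.hostname) == (page.scheme, page.hostname)
    if src.startswith("'"):  # 'none' and other keywords never allow a frame
        return False
    if src == "*":
        return frame.scheme in ("http", "https")
    if src.endswith(":"):  # scheme-source such as https:
        return frame.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")
    host = host.split("/")[0].split(":")[0]
    if scheme and scheme != frame.scheme:
        return False
    if host.startswith("*."):  # wildcard covers subdomains, not the apex
        return frame.hostname.endswith(host[1:])
    return frame.hostname == host


def iframe_allowed(csp, page_origin, frame_url=SSO_FRAME_URL):
    """True if the page's CSP lets it embed frame_url in an iframe."""
    sources = frame_sources(csp)
    return sources is None or any(
        source_matches(s, frame_url, page_origin) for s in sources)


if __name__ == "__main__":
    policy = "default-src 'self'; frame-src 'self' https://idp.example.test"
    print(iframe_allowed(policy, "https://app.example.test"))  # constructed
```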
Review Browser Extension Policies Restrictions
If your IT has implemented restrictions on which URLs the Browser Extension is active on, Userlane needs to be added to that URL list by adding *://*.userlane.com.
Review that users have been added to your IDP
A user must be included in your IDP (e.g. Azure, ADFS, Google Workspace) and in any applicable groups in order to be authenticated and see Userlane content.
Users with multiple logins
The automatic authentication will only be successful if the User has just one login to the IDP.
With multiple logins, your application will first ask which one to use for the authentication. Userlane would not show such a prompt.
How to test: in the testing phase, please set the SSO Window mode to Active Tab in the Userlane Portal: Settings - Browser Extension. The authentication process will open a login page on your app.
If it lets you select which login to use, it means that Userlane will not be able to do automatic authentication for such a user.
Make sure that your segmentation is set up
Make sure that the user profile you use in your application matches these segmentation settings and the user is supposed to see content.
Allow 3rd party cookies
Some browsers block 3rd party cookies by default, including the ones coming from Userlane. This will block some of the Userlane elements. You can check if this is the case by allowing all cookies in your browser settings (only for the sake of testing).
If this has solved the problem, you can put the following domains in your browser's "3rd party cookie allowed list":
- your app's domain you want to use Userlane on
- Userlane's domain [*.]userlane.com
After you have added these domains, you can switch the main cookie setting back to default.
You may need to ask your colleagues in IT for help.
ℹ️ For more on enabling the third-party cookies, please review the links below for your browser: Google Chrome, Mozilla Firefox, Safari, and Microsoft Edge.
If none of the links above helps, check the guidelines in your browser's help center.
As an alternative, there are extensions that allow third-party cookies. If you would like to use this solution, Userlane's underlying application URLs should be added to those extensions.
Deactivate any Adblockers
Some adblockers can prevent any cookie collection. Allow Userlane in your adblocker or deactivate it.
Separate window opens asking to log in again and does not close automatically
Security software blocks content, or the User is not connected to the company's network.
Export Browser Extension logs
The Browser Extension allows you to check and export logs for troubleshooting. Send the export to the Userlane Support Team.