Troubleshooting SSO
Posted by Carlos Rios on 15 November 2017 02:52 PM


The biggest problem with the SSO integration is normally a local issue (on the customer side); there is a large range of different federation services.

We officially only support Active Directory Federation Services. But even in that area, the ADFS setup can be vastly different.

Experience has shown that many of the previous SSO issues occurred because of one of the following:

  • Their ADFS server communicates with our service over TLS. For this to work properly, their ADFS server needs to have a valid certificate, signed by a Certificate Authority, such as VeriSign… We do not allow self-signed certificates to be used.
  • Misconfiguration on their Active Directory server. To mitigate this, please ensure that the documentation was followed correctly. For example, using SHA-2 instead of SHA-1 will cause the communication to fail.
  • Trying to authenticate against a user that does not exist in Reflexion. We had issues where a partner tried to authenticate with, but that user did not exist as a user in Reflexion.
  • Missing or malformed metadata on the SSO page. Make sure that the metadata is present, looks well-formed, and is enclosed in <EntityDescriptor>…</EntityDescriptor> tags.
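
The metadata check from the last point can be scripted before opening a ticket. The following is an added example, not Reflexion's own code; it goes slightly beyond the point above by also checking the standard SAML 2.0 metadata namespace, the entityID attribute, and (assuming the metadata describes an identity provider such as ADFS) an IDPSSODescriptor element. The sample metadata is constructed.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace

def check_metadata(text):
    """Return a list of problems found in pasted federation metadata."""
    text = text.lstrip("\ufeff").strip()  # drop a BOM and stray whitespace
    if not text:
        return ["metadata is missing"]
    # Federation metadata never needs a DTD; refuse it instead of parsing it.
    if "<!DOCTYPE" in text.upper():
        return ["metadata contains a DOCTYPE declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"metadata is not well-formed XML: {exc}"]
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element is {root.tag!r}, expected EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID attribute")
    # Assumption: the metadata describes an identity provider (ADFS).
    if root.find(f"{{{MD_NS}}}IDPSSODescriptor") is None:
        problems.append("no IDPSSODescriptor element found")
    return problems

# Constructed sample metadata (hypothetical host name).
GOOD = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="http://adfs.example.com/adfs/services/trust">'
    '<IDPSSODescriptor protocolSupportEnumeration='
    '"urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</EntityDescriptor>'
)
# The same document with its closing tag lost during copy and paste.
TRUNCATED = GOOD[: -len("</EntityDescriptor>")]

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("truncated", TRUNCATED)):
        print(name, check_metadata(sample) or "OK")
```

An empty list means the metadata passed every check; anything else names the first thing to fix on the SSO page.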

I think if you can verify the above points, you can resolve most of the SSO integration issues. If none of the above works, you will need to create a ticket so that we can look into the logs.

