Problem Description
The user is configured to use SSO in Google’s Admin Console but is encountering a SAML unsupported error when trying to log into Vitally via SSO. Why is this happening?
Potential Reasons for the Issue
User is incorrectly configured in Google Admin Workspace: The user has been set up in Google Admin Workspace but may be missing key configurations, such as custom attributes.
Vitally application is misconfigured in Google Workspace: The Vitally application for your Organization may not be properly configured for SSO. This could include issues like an incorrect ACS URL or Entity ID.
No available seats in Vitally: Your Vitally plan limits the number of available seats, and all seats may be occupied, preventing the addition of a new user.
Step-by-Step Solutions
Follow the steps below to resolve the issue:
1. Checking User Configuration in Google Admin Workspace
When Google SSO is configured for Vitally, user management is handled through Google Admin Workspace. Each time a user logs in, Google SSO sends a SAML payload to Vitally with key information, such as the user’s first name, last name, Vitally role, and job title.
To verify the user’s configuration in your Google Admin Workspace:
Open Google's Admin Workspace and go to Menu > Directory > Users.
Locate the user experiencing the issue and select their name to open their account page.
Select User Information to review their details, and check Custom Attributes to see the attributes sent in the SAML assertion.
Ensure the information is complete, particularly the vitallyRole attribute, which should contain one of the following values:
admin
leader
team
observer
If the vitallyRole attribute is missing or unset, the Default role for new users value (as defined in Vitally > Settings > Account & Billing, and by default Team Member) will be applied to the new User.
2. Checking the Vitally App configuration within your Google Admin Workspace
To verify that the Vitally App is correctly configured in your Google Admin Workspace:
In your Google Admin Workspace, navigate to the Menu > Apps > Web and mobile apps
Select the "Vitally" app to view the configuration
Ensure both the ACS URL and Entity ID are correctly configured by replacing yoursubdomain with your Vitally account’s subdomain.
ACS URL
US: https://app.vitally.io/saml/yoursubdomain/assert
EU: https://app.vitally-eu.io/saml/yoursubdomain/assert
Entity ID
US: https://app.vitally.io/saml/yoursubdomain/
EU: https://app.vitally-eu.io/saml/yoursubdomain/
It’s essential to use the correct ACS URL and Entity ID to match your account’s region. Ensure the Entity ID ends with a forward slash ("/").
Ensure that the Signed response box is checked
Ensure the EMAIL is set as the Name ID format
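As an added example (not Vitally's or Google's code), the checks from steps 1 and 2 can be run against a SAML response captured from a failing login. It assumes the response follows the standard SAML 2.0 layout (ACS URL in Destination, Entity ID in Audience) and that the EMAIL Name ID format is sent as the emailAddress URN; check_response and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# check_response and these constants are hypothetical names for this example.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOSTS = {"US": "https://app.vitally.io", "EU": "https://app.vitally-eu.io"}
ROLES = {"admin", "leader", "team", "observer"}
# Assumption: Google's EMAIL Name ID format is emitted as this standard URN.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(xml_text, region, subdomain):
    """Return a list of findings; an empty list means every check passed."""
    entity_id = f"{HOSTS[region]}/saml/{subdomain}/"
    acs_url = entity_id + "assert"
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != acs_url:
        findings.append(f"Destination is not the ACS URL {acs_url}")
    # Presence only: this does not verify the signature cryptographically.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is unsigned (is 'Signed response' checked?)")
    audience = root.findtext(".//saml:Audience", "", NS).strip()
    if audience != entity_id:
        hint = " (missing trailing slash)" if audience + "/" == entity_id else ""
        findings.append(f"Audience is not the Entity ID {entity_id}{hint}")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("Name ID format is not EMAIL")
    role = root.findtext(
        ".//saml:Attribute[@Name='vitallyRole']/saml:AttributeValue", None, NS)
    if role is None:
        findings.append("vitallyRole not sent; Vitally applies its default role")
    elif role.strip() not in ROLES:
        findings.append(f"vitallyRole {role.strip()!r} is not in {sorted(ROLES)}")
    return findings

# Constructed sample, not a real capture: unsigned, no trailing slash, bad role.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://app.vitally.io/saml/yoursubdomain/assert"><saml:Assertion>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://app.vitally.io/saml/yoursubdomain</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="vitallyRole"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for finding in check_response(SAMPLE, "US", "yoursubdomain"):
        print("-", finding)
```

An empty result means the response matches the settings in steps 1 and 2, so seat availability (step 3) is the next thing to check.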
3. Checking Seat (License) Availability in Vitally
To verify that you have enough seats available for the new User:
In Vitally, navigate to Settings or search for Settings via Quick Jump (Mac: ⌘ + J or Windows: Alt + J)
Go to Account & Billing
Scroll down to the Usage area where you will be able to see a panel for Full-Featured Seats showing the total seats used and available
If you require a free seat, you can either:
Select Manage to add additional seats
Deactivate an existing Vitally user to free up a seat
Additional Tips
Check if there are available seats in Vitally by navigating to Settings > Account & Billing > Usage
Full-featured seats are users with either Admin, Leader, or Team Member roles. Users with the Observer role do not require a seat and should be created and able to log in without issue.
If all full-featured seats are in use, you have the following options:
Select Manage to add additional seats
Assign the User the Observer role, which doesn’t require a seat
Free up seats by deactivating existing Vitally Users
FAQ
Q: What role is assigned to a new user if the vitallyRole is not specified in the SAML assertion?
A: If no vitallyRole is provided in the SAML assertion for a new User, the default role set in Vitally will be assigned. You can find and adjust this setting by going to Settings > Account & Billing and updating the Default role for new users field.
Q: The user is correctly configured in Google Admin Workspace but isn’t appearing in Vitally. Why?
A: If all full-featured seats in Vitally are occupied and the SAML payload assigns the user an Admin, Leader, or Team Member role, the user won’t be created due to the lack of available seats.