CAST HIGHLIGHT - SSO - SAML - How to solve incidents related to Single Sign On

When using SSO for login or when transitioning user registration from the Highlight triggered email invitation to registration using Single Sign On (SSO) issues may occur. To solve incidents related to SSO usage when SAML is the protocol follow the below Action Plan.

Action Plan

When having issues in Highlight with Single-Sign on (SSO) using the SAML protocol

  1.  In the transitioning stage of user registration from the Highlight triggered email invite to SSO, do the following steps to clear up any user issues in the database. If the user is already registered in Highlight through the traditional  mode then detach the user first before proceeding with SSO registration.
      1. Detach the user in Highlight. Please also check CAST HIGHLIGHT - Web - User Administration - How to detach an user account from the portfolio 
          1. If it is confirmed that the user exists in the database , but the user is not  visible for the portfolio manager in the MANAGE USER view then ask the portfolio manger to re-invite the user in Highlight. Then detach the user once again. User should ignore the invitation mail. 
          2. Please note that, If the user is an application contributor before detaching ensure that all the application contributor links to the applications are removed first.
      2. Re-invite the user using SSO. Please follow the steps mentioned in User Workflow for inviting the user using SSO.
  2. Confirm with an Active Directory client (like AD Explorer - that the user is part of the group which is authorized to use Highlight.
  3. AD groups must contain the Highlight user role which is case sensitive.
  4. Each user must only be part of one HL AD user group.
  5. Ask the user to check with their IT group for any issues with proxy settings or browser redirection.
  6. If the user is getting an error "Error Unexpected System Error, Sorry for the inconvenience. Please contact your administrator for assistance and provide the reference number below to help locate and correct the problem." then please ask the user to contact their System/Network admin to solve the issue as it might not be an Highlight related error.
  7. Confirm that Cookies are not disabled in the browser.
  8. If the issue is suspected to be due to SAML when using CLI, please note that, SAML works only with portal's user authentication, not CLI
  9. If there is an access issue for an user having Application Contributor role and the role is not attached to any application as Contributor, then as a workaround, change the role of the user to Domain Contributor. 


If the above does not resolve your problem, then please open a support ticket for assistance with the above steps and results as well as confirmations about the following:

  • Is this an issue with just a single user or multiple users?
  • Does this happen for everyone in a certain group?
  • Users are attached either to the root domain configured for the client or in a explicit subdomain in SAML attributes. Check whether the subdomain hierarchy is set before attaching users.
  • Is this happening for multiple groups?
  • Are other LDAP or SAML type applications working on the same system for the people who are having problems?
  • Are all user roles having this issue or just the ones which have certain access (like application contributor)?
  • Are there any issues with the certificate being used for SSO/SAML? For eg: If the certificate has changed, then the metadata may need to be reimported.
  • Is there any change in the SHA hashing algorithm for eg from  SHA  to SHA256? 

NB : If user is deleted : when connecting via SAML user will again be recreated.  If user is removed from LDAP group then user won't be able to connect.

Related Articles

CAST Highlight SAML/SSO Integration with Identity Providers (IdP)

CAST HIGHLIGHT - Web - Login - SSO - 401 Unauthorized for SAML login

CAST HIGHLIGHT - SSO - SAML - Report could not be downloaded from the email received


26551, 25820, 26263, 25993, 26947. 26360, 29135, 28436, 30131, 32974, 33788,  39654

Have more questions? Submit a request


Powered by Zendesk