CAST HIGHLIGHT - SSO - SAML - How to solve incidents related to Single Sign On

When using SSO for login or when transitioning user registration from the Highlight triggered email invitation to registration using Single Sign On (SSO) issues may occur.  To solve incidents related to SSO usage when SAML is the protocol follow the below Action Plan..

Action Plan

When having issues in Highlight with Single-Sign on (SSO) using the SAML protocol please check the following points. Note that Users will be transitioned automatically when logging in from Credential users to SSO users. Please refer CAST Highlight SAML/SSO Integration with Identity Providers (IdP).

  1. Confirm with an Active Directory client (like AD Explorer - that the user is part of the group which is authorized to use Highlight.
  2. Ensure that AD groups contain the Highlight user role which is case sensitive.
  3. Make sure that each user is only part of one HL AD user group.
  4. Check if the user created has the following attributes hl.firstname, hl.lastname,hl.role,hl.subdomain( the subdomain integer is optional , otherwise all operations are root domain wise)

  5. Ask the user to check with their IT group for any issues with proxy settings or browser redirection.
  6. If the user is getting an error "Error Unexpected System Error, Sorry for the inconvenience. Please contact your administrator for assistance and provide the reference number below to help locate and correct the problem." then please ask the user to contact their System/Network admin to solve the issue as it might not be an Highlight related error.
  7. Confirm that Cookies are not disabled in the browser.
  8. If the issue is suspected to be due to SAML when using CLI, please note that, SAML works only with portal's user authentication, not CLI.  API and CLI accesses must use a classic CAST Highlight user account with credentials.
  9. If there is an access issue for an user having Application Contributor role and the role is not attached to any application as Contributor, then as a workaround, change the role of the user to Domain Contributor. 
  10. If you are getting the error "401 Unauthorized for SAML login" while trying to login then please refer CAST HIGHLIGHT - SSO - Login - 401 Unauthorized for SAML login
  11. If the user is found to get the error "Local entity is not the intended audience of the assertion in at least one AudienceRestriction" while logging in, then check whether 
        1.  User has imported the SP_Metadata file on their IDP side. For this the Portfolio Manager has to go to COMPANIES > SAML Management > SP metadata
        2.  The value for "sp.entity_id" in saml.realms.yml  in CAST side is  "<myalias>" ( myalias can be either company id or company name). The  entityid in SP_Metadata  at client side should be matching. 
        3. In the SAML response if there are any extra character in the URL like additional slashes, it should be removed.

NB: Instead of rpa use the appropriate server name like app, cloud etc . 


If the above solutions do not resolve your problem, then please open a support ticket for assistance with  confirmations about the following:

  • Is this an issue with just a single user or multiple users?
  • Does this happen for everyone in a certain group?
  • Users are attached either to the root domain configured for the client or in a explicit subdomain in SAML attributes. Check whether the subdomain hierarchy is set before attaching users.
  • Is this happening for multiple groups?
  • Are other LDAP or SAML type applications working on the same system for the people who are having problems?
  • Are all user roles having this issue or just the ones which have certain role (like application contributor)?
  • Are there any issues with the certificate being used for SSO/SAML? For eg: If the certificate has changed, then the metadata may need to be reimported.
  • Is there any change in the SHA hashing algorithm for eg from  SHA  to SHA256? 
  • Is there any migration from one IDP to another?


NB :

  • If user is deleted : when connecting via SAML, user will again be recreated.  If user is removed from LDAP group then user won't be able to connect.
  • SAML users won’t be able to change their password for Higlight as this information is managed by users IdP
  • Portfolio Managers can now invite users as SAML users and Portfolio Managers can decide to restrict user invites to SAML users only.
  • As soon as a user connects to CAST Highlight by using SAML login, the corresponding user is created in CAST Highlight with a “Connect Only” role as no role is defined in the IdP.

  • Credential users are automatically changed to SAML users when authenticating with SSO (assuming the user has the same email address/login  in the idP).
  • CAST Highlight Portfolio Managers can now integrate user authentication with their identity provider on their own, directly from the user interface. Please refer CAST Highlight fall 2023 release  
  • SAML/SSO users need not  log in through a dedicated URL for SAML now. Please refer CAST Highlight summer 2023 release 

Related Articles

CAST Highlight SAML/SSO Integration with Identity Providers (IdP)

CAST HIGHLIGHT - Web - Login - SSO - 401 Unauthorized for SAML login


26551, 25820, 26263, 25993, 26947. 26360, 29135, 28436, 30131, 32974, 33788,  39654, 41775, 45396

Have more questions? Submit a request


Powered by Zendesk