SSO Issues

Troubleshoot SAML and OIDC Single Sign-On configuration problems.

"SSO configuration not found"

  • Verify your email domain is added and verified in Settings > SSO
  • Check that the domain DNS TXT verification record is in place
  • Ensure SSO is toggled to Active (not just configured)

SAML Validation Failed

Certificate mismatch

  • Re-download the IdP certificate from your identity provider
  • Paste the full PEM certificate (including -----BEGIN CERTIFICATE----- headers)
  • Some IdPs rotate certificates — check if yours has changed

Audience restriction error

  • Ensure the IdP is configured with the correct SP Entity ID: https://vulk.dev/api/auth/sso/metadata

Clock skew

  • VULK allows up to 5 minutes of clock skew between your IdP and VULK servers
  • If your IdP server clock is off by more than 5 minutes, assertion validation will fail
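
The three SAML checks above can be run against a decoded assertion captured from a failed login to see which one it trips. This is an added example, not VULK's own code: the function names, the result labels and the sample assertion are constructed for illustration, and it does not verify the XML signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://vulk.dev/api/auth/sso/metadata"  # SP Entity ID from this page
MAX_SKEW = timedelta(minutes=5)                          # skew allowance from this page

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _der_sha256(b64_or_pem):
    # Drop PEM armor lines and whitespace, then hash the decoded bytes.
    body = "".join(l.strip() for l in b64_or_pem.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def diagnose(assertion_xml, configured_pem, now):
    """Return the failure categories a decoded assertion would hit (diagnostic only)."""
    root = ET.fromstring(assertion_xml)
    problems = []
    # Certificate: compare the cert embedded in the signature with the one pasted into SSO settings.
    embedded = root.find(".//ds:X509Certificate", NS)
    if embedded is not None and _der_sha256(embedded.text) != _der_sha256(configured_pem):
        problems.append("certificate mismatch")
    # Audience: the SP Entity ID must appear in the AudienceRestriction.
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("audience restriction")
    # Validity window, widened by the allowed skew on both sides.
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and _ts(nb) > now + MAX_SKEW:
            problems.append("clock skew: not yet valid")
        if noa and _ts(noa) <= now - MAX_SKEW:
            problems.append("clock skew: expired")
    return problems

# Constructed sample: placeholder bytes stand in for a real certificate.
CERT_A = base64.b64encode(b"constructed-idp-cert-A").decode()
PEM_A = f"-----BEGIN CERTIFICATE-----\n{CERT_A}\n-----END CERTIFICATE-----"
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://vulk.dev/api/auth/sso/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, PEM_A, datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)))
```

Pass the server's receive time as `now`; an assertion that only fails with "not yet valid" or "expired" points at the IdP clock rather than the configuration.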

OIDC "Token exchange failed"

  • Verify the Client ID and Client Secret are correct
  • Check that the Issuer URL is the base URL (e.g., https://your-org.okta.com), not the well-known endpoint
  • Ensure the redirect URI https://vulk.dev/api/auth/sso/callback is registered in your IdP

Users Not Being Created

  • Check that Auto-Provisioning is enabled in SSO settings
  • Verify the user's email domain matches a verified domain in your SSO config
  • Check the audit log for SSO-related errors

"Invalid state" Error

This means the SSO session expired or was tampered with. SSO sessions are valid for 10 minutes. If the user takes too long at the IdP login page, they need to start the SSO flow again.
