Resolve Common Errors

This section describes how errors display and how to resolve common issues.

Global Errors

When an environment is enabled for OneStream IdentityServer, generic messages about unrecoverable issues display on a Global Error Message page on a banner at the top of the screen.

For example: Our system encountered an error. Contact your administrator for more information.

The global home page has a black banner at the top with the OneStream logo. The error message has a pink background with red text.

These issues can range from network and other communication problems to system configuration errors. Administrators resolve these issues. Other errors may display that are specific to how an environment is configured for user authentication, such as the number of external IdPs used. For example, this error could indicate that the service provider entity ID URL is incorrect. The service provider entity ID URL both in the Identity & Access Management Portal and configured on the external identity provider must be an exact match, including capitalization.

Single External IdP Configuration

If you use one IdP, the Global Error Message page with a banner at the top of the screen may also display errors related to a user's authentication.

For example, if a user authenticates through their IdP but is not a valid OneStream user or has a disabled user account, the following error displays: Your account has been disabled in OneStream, please contact your Administrator.

The global home page has a black banner at the top with the OneStream logo. The error message has a pink background with red text.

Multiple External IdP Configurations

If you use multiple IdPs, the Login dialog box may display errors and warning messages related to login and application access issues.

For example: Application access denied because user account is not found or has been misconfigured. Contact your system administrator.

The Login dialog box has a black banner at the top with the OneStream logo. The error message at the bottom of the dialog box has a pink background with red text.

Common Errors

This section identifies how to resolve common errors you may encounter during OneStream IdentityServer and IdP configuration or at login.

Disabled Accounts

Error message: Your account has been disabled in OneStream, please contact your Administrator.

The Login dialog box has a black banner at the top with the OneStream logo. The error message at the bottom of the dialog box has a pink background with red text.

This error indicates that a user has valid IdP credentials or a token, but their user account in OneStream was manually disabled or disabled due to inactivity.

To resolve this issue, enable the user account.

See Managing Users in the Design and Reference Guide.

User Account Does Not Exist in OneStream

Error message: Application access denied because user account is not found or has been misconfigured. Contact your system administrator.

The Login dialog box has a black banner at the top with the OneStream logo. The error message at the bottom of the dialog box has a pink background with red text.

This error indicates that a corresponding user account must be created in OneStream and configured for OneStream IdentityServer.

To resolve this issue, create a user account and configure it for OneStream IdentityServer.

See Creating Users in the Design and Reference Guide and How Users are Configured for Authentication.

Native Login Not Enabled

Error message: Native login is not enabled.

The Login dialog box has a black banner at the top with the OneStream logo. The error message at the bottom of the dialog box has a pink background with red text.

This error indicates that native login is not enabled for the user account.

To resolve this issue, submit a Support ticket requesting environment-specific support for native authentication. Environments must be initially configured for native authentication before you can use native login capabilities. Then, enable the user account for native authentication. See How Users are Configured for Authentication and Native Authentication.

Another User is Logged In

Error message: Another user is already logged into the application on this client. That user must log out of their external identity provider before you can log in.

The global home page has a black banner at the top with the OneStream logo. The error message has a pink background with red text.

This error indicates that a valid SSO token is being used by another user, which conflicts with the external username that you specified when logging in.

To resolve this issue, the other user must log out of their IdP and clear cookies.

User Must Reset Password

Warning message: Your password is no longer valid. Reset your password.

The Login dialog box has a black banner at the top with the OneStream logo. The warning message at the bottom of the dialog box has a yellow background with black text.

This warning indicates that a password has expired or has updated security requirements.

To resolve this issue, the user must reset their password.

User Is Not Configured to the External IdP

Error message: access_denied User is not assigned to the client application.

The global home page has a black banner at the top with the OneStream logo. The error message has a pink background with red text.

This error indicates that the user attempting to log in with OIS is not configured to the external IdP.

NOTE: This error message is provided by the IdP, so it might be different for each IdP.

To resolve this issue, see How Users are Configured for Authentication.

External IdP has an Expired Certificate

Error message: An error has occurred with the authentication certificate(s). Please contact your System Administrator for support.

The global home page has a black banner at the top with the OneStream logo. The error message has a pink background with red text.

This error indicates that the encryption certificate or signing certificate for the external IdP is expired.

To resolve this issue, upload a valid certificate for the external IdP in the Identity & Access Management Portal. See Manage SAML 2.0 Identity Providers.

An IdP is Unavailable in User Authentication Settings

All properly configured IdPs should be available in System Security as External Authentication Providers options, as shown in the following image. You can customize External Authentication Provider labels to make them more intuitive.

The System Security user configuration page has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. Under the Authentication row heading, the External Authentication Provider drop-down menu is selected displaying the available options for this example.

If an IdP does not display, check the configuration in the Identity & Access Management Portal. See Identity Providers. Contact Support or the Cloud Operations team if needed.