| Federated ID provided by SAML assertion doesn't match our records. |
Federated ID of the user who's trying to login via SSO is not registered in Zuora. |
Correctly enter the federated ID of this user in Zuora as described in
Enable SSO for a Zuora User. |
| Incoming SAML message is invalid: Validation of protocol message signature failed. |
Okta metadata has not been uploaded by Zuora.
|
Contact Zuora and check if the correct metadata is being uploaded on the Zuora side. |
|
An invalid Name ID or Default username setting was specified in the Okta SAML settings.
|
Notify your Okta admin to check and update the Okta SAML settings as specified in Configure Okta for SSO SAML. |
HTTP Status 401
Authentication Failed |
The response issue time is either too old or in the future. |
Set the clock to the atomic clock.
|
|
You must use Single Sign-On to log in to Zuora.
|
An SSO-enabled user tries to log directly into Zuora application without going through the identity provider. |
The user must log in from the identity provider log-in page. |
|
Your user account is not enabled to use Single Sign-On.
|
A user who is not SSO-enabled in the Zuora application tries to log into Zuora from the identity provider login page. |
Enable SSO for this user in the Zuora application. |
|
Your Zuora tenant is not enabled to use Single Sign-On.
|
In Zuora, the tenant is not provisioned to use SSO. |
Contact Zuora to enable SSO for this tenant. |
|
SAML error: User is inactive.
|
The user has been de-activated in the Zuora application. |
N/A |
|
Original password is not correct. Please reapply or email to support@zuora.com.
|
An SSO-enabled user tried to change the password in the Zuora application. |
SSO-enabled users should not use the Change Password page in the Zuora application to change their password.
If a user wants to use the Zuora local login, the user should contact the tenant admin.
|
| Attempted to log into the wrong tenant. |
This error message only applies when your identity provider is Okta.
The federated ID was used in this SAML requests was mapped to the different Zuora tenant.
|
Check and use the federated ID associated with the Zuora tenant and the Okta identity provider. |
|
SAML error: Your SAML IdP doesn't match our records. Please contact the administrator at your company for help.
|
Changes in your identity provider settings invalidated the identify provider's metadata in Zuora. |
Contact Zuora and check if the correct metadata is uploaded in Zuora.
If necessary, re-submit the correct metadata file to Zuora and wait for a notification before allowing your users to login via SSO.
|
| SAML certificates or metadata mismatch between your identity provider and Zuora. |
| Your identity provider metadata is missing. This can be caused by a number missteps or internal errors. |
