Troubleshooting mobile single sign-on (SSO) errors

As a user, you might encounter some errors during single sign-on to an application from your mobile device. Understand, isolate, and resolve the error. Some of the solutions might require assistance from the administrator. Administrators can also check for the suggested recovery actions.

The device does not have the correct MDM policy.

Explanation

The MaaS360® MDM profile on your mobile device does not have a registered single sign-on account.

User action
When you are prompted with the error message "CSIAH1502E Please make sure that your device is enrolled in MaaS360 and has a valid client certificate. Contact your IT administrator for help.", check whether your mobile device contains the correct MDM policy by following these steps:
  1. Check the MaaS360 MDM profile on your mobile device.
  2. Open the General settings and check for a SINGLE SIGN-ON ACCOUNT.
  3. Open the account. It must contain the following information:
    Principal Name

    It is a user attribute that is read during user authentication. It must contain a value that follows the format in the example.

    Realm

    It is service information that is needed for authentication. It must contain a value that follows the format in the example.

    URL PREFIX MATCHES

    It must list your Verify URL. For example, https://<host name>.verify.ibm.com.

    ELIGIBLE APP IDS

    It lists the bundle IDs of the applications that the Administrator allow-listed in the MDM policy. The application that you are trying to sign on to must be listed here.

    For example: (screen capture of the MaaS360 MDM Profile)

If you do not see a single sign-on account along with the specified parameters, contact your Administrator for further assistance.

Administrator action
Contact the MaaS360 Support team for further assistance. You might need to provide the Support team with:
  • A screen capture of the single sign-on account and certificate.
  • The console logs from an iOS device or the MaaS360 agent logs from an Android device. The Support team can guide you on how to get these logs.

Certificate is corrupted.

Explanation

The certificate is corrupted. Either the certificate that is generated from the MaaS360 portal has errors or the MaaS360 certificate authority (CA) has issues.

User action
If the certificate label is disabled, or you are prompted with the error message "CSIAH1502E Please make sure that your device is enrolled in MaaS360 and has a valid client certificate. Contact your IT administrator for help.", check whether your certificate is corrupted by following these steps:
  1. Check the MaaS360 MDM profile on your mobile device.
  2. Open the General settings.
  3. Under CERTIFICATE, verify that the certificate is issued by MaaS360GATEWAYCA [M1/M2/M3/M4/M5/M6].
    For example: (screen capture of the MaaS360 MDM Profile)
  4. Tap the certificate.
  5. Under EXTENDED KEY USAGE verify that the Purpose is Kerberos Client Authentication.
    For example: (screen capture of the MaaS360 MDM Profile)

If the certificate is not issued by MaaS360GATEWAYCA, or the Purpose is not set to Kerberos Client Authentication, contact your Administrator for further assistance.

Administrator action
Contact the MaaS360 Support team for further assistance. You might need to provide the Support team with:
  • A screen capture of the single sign-on account and certificate.
  • The console logs from an iOS device or the MaaS360 agent logs from an Android device. The Support team can guide you on how to get these logs.

Certificate is expired.

Explanation

The certificate on the device expired and a new certificate is not issued to the device.

User action
If the certificate label is disabled, or you are prompted that the certificate has expired, confirm the expiry date by following these steps:
  1. Check the MaaS360 MDM profile on your mobile device.
  2. Open the General settings.
  3. Under CERTIFICATE, verify that the certificate is issued by MaaS360GATEWAYCA.
    For example: (screen capture of the MaaS360 MDM Profile)
  4. Tap the certificate and confirm the expiry date.

If the certificate is already expired, contact your Administrator for further assistance.

Administrator action
Contact the MaaS360 Support team for further assistance. You might need to provide the Support team with:
  • A screen capture of the single sign-on account and certificate.
  • The console logs from an iOS device or the MaaS360 agent logs from an Android device. The Support team can guide you on how to get these logs.
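The issuer, purpose and expiry checks from the corrupted-certificate and expired-certificate sections above, written as an added openssl script that is not part of the IBM page or of MaaS360. It assumes the device certificate has been exported as PEM; the certificates it builds are constructed test data, and only the issuer name and the Kerberos Client Authentication EKU OID follow what the page specifies.

```shell
#!/bin/sh
# Added example (not from the IBM page): the three checks the page describes
# for a MaaS360 SSO client certificate, run with openssl on a PEM export.
# The certificates built below are constructed, throwaway self-signed certs.
set -eu

KPCLIENTAUTH_OID="1.3.6.1.5.2.3.4"   # id-pkinit-KPClientAuth = Kerberos Client Authentication

# check_sso_cert CERT.pem [MARGIN_SECONDS]
# Prints OK, CORRUPTED or EXPIRED and returns 0, 1 or 2. MARGIN_SECONDS also
# flags a certificate that expires within that window (default 0 = right now).
check_sso_cert() {
  cert="$1"; margin="${2:-0}"
  issuer=$(openssl x509 -in "$cert" -noout -issuer)
  if ! printf '%s\n' "$issuer" | grep -q 'MaaS360GATEWAYCA'; then
    echo "CORRUPTED: issuer is not MaaS360GATEWAYCA ($issuer)"; return 1
  fi
  # EKU values follow the "Extended Key Usage" header in -text output; openssl
  # prints "PKINIT Client Auth" when it knows the OID, otherwise the bare OID.
  eku=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Extended Key Usage' || true)
  if ! printf '%s\n' "$eku" | grep -Eq "PKINIT Client Auth|$KPCLIENTAUTH_OID"; then
    echo "CORRUPTED: EKU does not include Kerberos Client Authentication"; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -checkend "$margin" >/dev/null; then
    echo "EXPIRED: $(openssl x509 -in "$cert" -noout -enddate)"; return 2
  fi
  echo "OK: $issuer"
}

# make_cert OUT.pem CN [EKU_OID]: constructed self-signed cert, so issuer == subject.
make_cert() {
  out="$1"; cn="$2"; ext=""
  if [ -n "${3:-}" ]; then ext="-addext extendedKeyUsage=$3"; fi
  # $ext is intentionally unquoted so it splits into the two openssl arguments
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
    -days 1 -subj "/CN=$cn" $ext 2>/dev/null
}

dir=$(mktemp -d)
make_cert "$dir/good.pem" "MaaS360GATEWAYCA M1" "$KPCLIENTAUTH_OID"
make_cert "$dir/wrong-issuer.pem" "Some Other CA" "$KPCLIENTAUTH_OID"
make_cert "$dir/no-eku.pem" "MaaS360GATEWAYCA M1"

for c in good wrong-issuer no-eku; do check_sso_cert "$dir/$c.pem" || true; done
check_sso_cert "$dir/good.pem" 172800 || true   # 2-day margin flags the 1-day cert
```

On a real export, run only `check_sso_cert exported.pem` (optionally with a margin in seconds) and map CORRUPTED and EXPIRED to the two sections above.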

The application does not belong to the allow-listed Apps.

Explanation

The MDM policy that is published on the device does not include the target application in the list of applications that can use single sign-on and conditional access on the managed device.

User action
When you are prompted with the error message "CSIAH1502E Make sure that your device is enrolled in MaaS360 and has a valid client certificate. Contact your IT administrator for help.", check whether the application is eligible to use single sign-on by following these steps:
  1. Check the MaaS360 MDM profile on your mobile device.
  2. Open the General settings.
  3. Open your single sign-on account.
  4. Verify that the ID of the target application is listed under ELIGIBLE APP IDS.
    For example: (screen capture of the MaaS360 MDM Profile)

If the application is not eligible, contact your Administrator for further assistance.

Administrator action
As the Administrator, access the MaaS360 portal and allowlist the app in an MDM policy for single sign-on and conditional access. The location depends on the platform:
  • In an iOS MDM policy, go to Advanced Settings > SSO Conditional Access. The workflow automatically completes the policy information when you enter a partial app name.
  • In an Android MDM policy, go to Single Sign on Settings > SSO Conditional Access. The workflow automatically completes the policy information when you enter a partial app name.
For example: (screen capture of the MaaS360 MDM Profile)

The device did not receive the certificate pushed with the MDM policy.

Explanation

Either the policy or the certificate generation for the device failed on the MaaS360 back end, or the device has not yet come online to MaaS360 to pick up the MDM policy.

User action
To verify whether the device received a certificate, follow these steps:
  1. Check the MaaS360 MDM profile on your mobile device.
  2. Open the General settings and check for a SINGLE SIGN-ON ACCOUNT.
  3. Under CERTIFICATE, verify that the certificate is issued by MaaS360GATEWAYCA.
    For example: (screen capture of the MaaS360 MDM Profile)

If the profile has no single sign-on account and no valid certificate, contact your Administrator for further assistance.

Administrator action

Confirm that the device view has an SSO certificate in the Certificates tab for the device.

For example: (screen capture of the MaaS360 MDM Profile)

The iOS device was re-enrolled with MaaS360 but to a different user and the device was not re-started.

Explanation

The single sign-on (SSO) payload uses Kerberos SSO and authenticates user credentials only one time to grant access to apps on a managed device.

MaaS360 automatically pushes an SSO payload to a managed device. The payload contains a list of apps that use single sign-on. The SSO payload also contains Kerberos realm or service information that is needed for authentication.

MaaS360 also issues an Identity Certificate to a device from the MaaS360 certificate authority (CA). The provisioned Identity Certificate is used to authenticate the device to Verify. The certificate is unique to the user and the device.

User action
As the new owner of the enrolled mobile device, restart the device before you use single sign-on to a mobile application. Restarting the device refreshes the SSO payload and identity certificate that are automatically deployed on the managed device.

Administrator action

None.