
HelloID

Troubleshooting Access Management

Below are common Access Management issues, their solutions, and links to other helpful resources.

For user management issues, see HelloID portal and user administration.

Incidents

1. Agent is down

2. Directory sync failed

Check the directory system itself and the HelloID Directory Agent service on the directory system. See Directory sync.

3. Certificate expired

Suggested action: Update the certificate
On the Admin dashboard, go to: Applications > Applications > Edit application > Configuration
See: Update an expired app certificate; App setup guides

Important

Replace the certificate before it expires.

SAML and WS-Federation-based Single Sign-On (SSO) applications may continue to function with an expired certificate, although this is not recommended. OpenID Connect, however, requires a valid (i.e., unexpired) certificate.

Depending on the supplier, the certificate might need to be added manually, or it may update automatically using metadata (a "well-known configuration" document), which is refreshed every few minutes or hours. If you only update the certificate in HelloID and not on the supplier's side, it may cause downtime for the SSO connection.

Common issues

1. An application is inaccessible

Access issues are often caused by problems with the web browser, device, or network.

  • Try opening the application from HelloID in a private browsing session (for example, Chrome Incognito or Firefox Private Browsing) and sign in. If the application now works, the issue is likely related to the user’s browser state (cookies/site data, cached sign-in, or an existing session). In that case, sign out of the target application and clear cookies/site data for the relevant domains (HelloID and the target application/IdP); then try again in a normal browser window.

  • On shared devices, cookies or active sessions from another account can interfere with SSO behavior. Consider using a separate browser profile (or a different browser) to prevent cross-account session interference.

  • For plugins, verify that users are logged in correctly on the SSO dashboard (the Applications page in HelloID).

    Tip

    Set the web browser's start page to the HelloID SSO dashboard (.../app/applications).

In HelloID, make sure the correct rights and attributes are available.

Suggested action: Check the application access rules
On the Admin dashboard, go to: Security > Policies > Application Access Rules
See: Application access rules

Suggested action: Check which groups have access to the application
On the Admin dashboard, go to: Applications > Applications > Edit application > Groups
See: Grant a group access to an application

Suggested action: Check the application mapping set
On the Admin dashboard, go to: Directory > Mapping sets
See: Application mapping sets

In case of a SAML, OpenID Connect or WS-Federation application, the problem may exist on the server.

Suggested action: Check whether the certificate is still valid
On the Admin dashboard, go to: Settings > Certificates > Show certificate usage in applications
See: View all active certificates

Note

Replacing a certificate often requires an action on the side of the supplier or application administrator. Many applications do not automatically reload a new certificate after it is changed in HelloID.

In some cases, an application can enter an infinite redirect loop, for example, when an app points to www.acme.com/saml, which then sends a request back to the HelloID application URL, which then contacts www.acme.com/saml, ad infinitum.

Suggested action: Add an application shortcut
On the Admin dashboard, go to: Applications > Applications > Open Application Catalog > click Add for Generic Shortcut
See: Application shortcuts
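
To confirm the redirect loop described above from a list of request URLs, compare endpoints rather than full URLs, on the assumption that query strings differ between hops (a SAML request, for instance, carries a new ID each time). This is an added example, not HelloID code; the host portal.example.test, the /app/launch path, the function names and all query values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed request URLs in the order a browser made them (for instance,
# copied from the network tab). Hosts other than www.acme.com, the
# /app/launch path and all query values are placeholders.
LOOPING = [
    "https://portal.example.test/app/applications",
    "https://portal.example.test/app/launch?app=42",
    "https://www.acme.com/saml?RelayState=r1",
    "https://portal.example.test/app/launch?SAMLRequest=req-0001&RelayState=r1",
    "https://www.acme.com/saml?RelayState=r2",
    "https://portal.example.test/app/launch?SAMLRequest=req-0002&RelayState=r2",
    "https://www.acme.com/saml?RelayState=r3",
]
HEALTHY = LOOPING[:3] + ["https://www.acme.com/home"]


def endpoint(url):
    """Reduce a URL to scheme://host/path so per-request query values are ignored."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return f"{parts.scheme}://{parts.netloc.lower()}{path}"


def find_redirect_loop(urls, min_cycles=2):
    """Return the repeating endpoint cycle at the end of the trace, or None.

    A loop is reported only when the same cycle occurs min_cycles times in a
    row, so a flow that merely revisits one endpoint once is not flagged.
    """
    seq = [endpoint(u) for u in urls]
    for size in range(1, len(seq) // min_cycles + 1):  # shortest cycle first
        cycle = seq[-size:]
        if seq[-size * min_cycles:] == cycle * min_cycles:
            return cycle
    return None


if __name__ == "__main__":
    for name, trace in (("looping", LOOPING), ("healthy", HEALTHY)):
        loop = find_redirect_loop(trace)
        print(name, "->", " -> ".join(loop) if loop else "no loop")
```

The two endpoints returned for the looping trace are the pair that keep sending the browser to each other, which is the pair to inspect in the application configuration.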

2. The use of licenses is exceptionally high

Note: By default, new applications are added to the Users group. This means the application can be assigned to all synced users, even if they do not use HelloID Access Management. This may lead to extra license costs, because each user uses a license as soon as the application is assigned.

Suggested action: Verify that no application is accessible to all users
On the Admin dashboard, go to: Applications > Applications > Edit application > Groups
See: Grant a group access to an application