Troubleshooting Common SSO Errors

This guide explains common single sign-on (SSO) issues in Coalesce and how to fix them. It covers configuration errors, network restrictions, OAuth integration problems, and user management issues.

Before You Begin

Before troubleshooting, ensure you have:

• Administrative access to your identity provider.
• Coalesce admin privileges.
• Network configuration details from your IT team.

Common SSO Configuration Issues

SSO Button Not Appearing

What You'll See:

• No SSO button visible on login page.
• Users see only standard login form.

Why This Happens:

• Incomplete or incorrect SSO configuration.
• Using wrong login URL.
• Missing required configuration fields.

Solutions:

• Correct the Subdomain Field

  Incorrect: https://yourorg.app.coalescesoftware.io/
  Correct: yourorg

• Use the Correct SSO URL

  • Access format: https://mySubdomain.<app_domain>
  • Example: https://hello.app.coalescesoftware.io/login
  • Test in incognito or private browser tab

• Check that these fields are properly configured

  • Authority
  • Subdomain
  • Authorization Server
  • OIDC Client ID
  • Server-Side Authorization

• Clear Browser Cache

  • Use incognito or private browsing mode
  • Clear browser cache and cookies
  • Ensure correct regional URL (US vs APAC environments)

SSO Button Appears Greyed Out

What You'll See:

• SSO button is visible but disabled or grayed out.

Solution:

Access Coalesce through your organization's subdomain URL rather than the generic login page:

Use: https://yourorg.app.coalescesoftware.io
Not: https://app.coalescesoftware.io

Missing Identity Provider Settings

Common Issues:

• Missing Microsoft Graph API permissions in Azure app registrations.
• Incorrect authorization server URLs or redirect URIs.
• Extra spaces or characters in configuration fields.

Solutions:

• Ensure these permissions are granted
  • Profile
  • Email
  • OpenID
• Check Redirect URIs
  • Ensure exact match for example: https://yoursubdomain.app.coalescesoftware.io/login/callback, https://yoursubdomain.app.eu.coalescesoftware.io
• Validate Configuration Fields
  • Remove extra spaces or characters
  • Confirm admin consent is granted for API permissions

Network and Authentication Problems

Snowflake Network Policies Blocking OAuth Redirects

What You'll See:

• SSO login fails during Snowflake OAuth process.
• Network policy errors in Snowflake logs.

You can either:

• Associate Network Policy with OAuth Security Integration

  ALTER SECURITY INTEGRATION <oauth_integration> 
  SET NETWORK_POLICY = <oauth_network_policy>;

• Create Integration-Specific Network Policy

  CREATE SECURITY INTEGRATION oauth_kp_int
  TYPE = oauth
  ENABLED = true
  OAUTH_CLIENT = custom
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = 'https://example.com'
  NETWORK_POLICY = mypolicy;

Additional Steps:

• Add Coalesce IP addresses to network policy (region-specific).
• Check if policy is applied at user, account, or integration level.
• Recreate security integration if policies were applied after creation.

Network Security Tools Interfering

What You'll See:

• SSO flow interrupted or fails
• Network security tool blocks OAuth requests

Solutions:

• Add Coalesce domains and IP addresses to security tool's allowlist.
• Configure tool to allow OAuth redirect flows for Coalesce domains.
• Test using incognito/private browsing mode.
• Work with your IT team to whitelist OAuth endpoints and callback URLs.

Private Link Configuration Issues

What You'll See:

• Authentication fails when using private link.
• SSL/TLS certificate errors.

Solutions:

• Verify correct private link URL in SSO configuration.
• Update OAuth security integration redirect URIs for private link endpoints.
• Ensure private link DNS resolution works correctly.
• Check SSO provider configuration matches private link subdomain.
• Test with public endpoint first, then migrate to private link.

OAuth Token and Integration Issues

Expired OAuth Refresh Tokens

What You'll See:

• Users must re-authenticate frequently.
• "Token expired" errors.

Solutions:

• Check Token Validity Settings

  -- Check current setting in Snowflake (default is 90 days)
  SHOW PARAMETERS LIKE 'OAUTH_REFRESH_TOKEN_VALIDITY';

• Implement Retry Mechanisms

  • Add retry logic in job schedulers
  • Consider switching to key pair authentication for environments

• Re-authenticate Users

  • Disconnect and reconnect OAuth credentials in Coalesce
  • Guide users through fresh authentication flow

Invalid OAuth Security Integrations

What You'll See:

• OAuth integration errors in Snowflake.
• Authentication failures using the integration.

Solutions:

• Verify Integration Configuration

  DESCRIBE SECURITY INTEGRATION <integration_name>;

• Recreate Integration

  • Create new OAuth security integration with correct parameters.
  • Verify client ID and secret match between Snowflake and Coalesce.
  • Ensure redirect URI matches Coalesce callback URL exactly.
  • Confirm integration is enabled.

User Management Problems

Multiple Accounts for Same Person

What You'll See:

• User has both SSO and non-SSO accounts.
• Permission conflicts between accounts.

Recommended Approach:

• Disable non-SSO account for daily operations.
• Transfer project memberships and permissions to SSO account.
• Document account usage purposes.

Users Created Outside SSO Protocols

What You'll See:

• Users bypass SSO during account creation.
• Inconsistent user attributes.

Solutions:

• Verify SSO configuration before creating users.
• Ensure users access correct SSO-enabled subdomain.
• Check identity provider configuration for user attributes.
• Delete incorrectly created users and redirect through proper SSO flow.

Multi-Factor Authentication and SSO

Sign-in problems that mention MFA can come from Coalesce, your identity provider, or your warehouse. Separating those paths saves time.

Coalesce MFA Versus Identity Provider MFA

Coalesce MFA is configured under User Settings > Account and Security and applies only when someone logs in with a username and password in the Coalesce App. Full steps are in Multi-factor Authentication.

If you use SSO, your identity provider usually prompts you for MFA, not the Coalesce MFA toggle. If MFA prompts fail when you use SSO, review policies and enrollment in Okta, Microsoft Entra ID, or your other provider with your IdP administrator.

If Snowflake requires MFA for warehouse access, use OAuth with Coalesce as described in Multi-factor Authentication.

Access Tokens After MFA Changes

When MFA is turned on or off for an account, existing access tokens stop working. Issue a new token using Deploy Page.

SCIM and Catalog Provisioning

The SCIM guides under User and Team Provisioning sync Catalog users and teams. They don't create Coalesce Transform logins ahead of time.

Coalesce Transform still relies on just-in-time creation when someone signs in with SSO for the first time, as described in Single Sign-On. If every other SSO check passes but Catalog is missing people or teams, use SCIM Provisioning Troubleshooting together with SCIM Setup for Microsoft Entra ID or SCIM Setup for Okta.

General Troubleshooting Steps

Initial Diagnostics

• Browser Testing
  • Clear browser cache and cookies for both Coalesce and identity provider.
  • Test in incognito/private browser window.
  • Try different browsers.
• Network Verification
  • Check with your IT team about network policies blocking OAuth flows.
  • Verify the account has correct permissions in the identity provider and Coalesce.
  • Test from different network locations if possible.
• Configuration Validation
  • Verify all configuration fields are correctly entered.
  • Check for extra spaces or special characters.
  • Confirm redirect URIs match exactly.

Best Practices

• Account Management
  • Maintain at least one non-SSO admin account as backup.
  • Use service accounts for API integrations.
  • Document account purposes and usage.
• Regional Considerations
  • Use correct regional IP addresses based on Coalesce instance location.
• Testing Protocol
  • Always test SSO configuration in staging environment first.
  • Use incognito/private browsing for testing.
  • Test with multiple user accounts and roles.

When To Contact Support

• Configuration appears correct but SSO still fails.
• Deleted SSO users need manual re-enablement.
• Network policy changes don't resolve OAuth issues.
• Multiple troubleshooting attempts haven't resolved the problem.
• MFA works in the IdP but Coalesce access tokens broke after an MFA toggle.
• Catalog SCIM sync fails after you verified URLs and assignments with your provider.

Information to Include:

• Specific error messages
• Organization details and subdomain
• Identity provider type and configuration
• Network environment details
• Steps already attempted

Contact support

Contact Coalesce support.

Quick Reference Checklist

Before Opening Support Ticket:

• Verified subdomain configuration is correct.
• Tested with incognito/private browser.
• Checked all required SSO configuration fields.
• Confirmed network policies allow Coalesce IP addresses.
• Validated identity provider permissions and settings.
• Confirmed whether the issue is Transform SSO login, Coalesce password MFA, IdP MFA, or Catalog SCIM.
• Tested with correct regional URL.
• Attempted browser cache clearing.
• Verified redirect URIs match exactly.

---

What's Next?

• Single Sign-On
• Multi-factor Authentication
• User and Team Provisioning
• SCIM Provisioning Troubleshooting
• Network Requirements
• Role-Based Access Control
• Manage Users
• If you can access the SSO button but see a blank or frozen screen after login, see Troubleshooting Browser Login Issues.

---