Troubleshoot SSO and SAML login errors in 15Five

This article covers login errors that occur after SAML SSO is configured in 15Five, including 403, 422, AADSTS error codes, ADFS Transform rule failures, and subdomain misconfiguration errors.

Diagnose

Check 1: 403 error on login → How to check: User attempts SSO login and sees a 403 or 400 permissions error. → If true: The user is not assigned to 15Five in the IdP, or the email in the IdP does not match the email in 15Five. Go to Fix 1. → If not: Continue to Check 2.

Check 2: 422 error on login → How to check: User attempts SSO login and sees a 422 error indicating misconfiguration. → If true: SAML attributes are not mapped correctly in the IdP. Go to Fix 2. → If not: Continue to Check 3.

Check 3: AADSTS50105 error (Azure AD) → How to check: User sees error code AADSTS50105 in the browser. → If true: The user is not assigned to the 15Five app in Azure AD. Go to Fix 3. → If not: Continue to Check 4.

Check 4: AADSTS750054 error (Azure AD) → How to check: User sees error code AADSTS750054 in the browser. → If true: The Sign-on URL in Azure AD is incorrect. Go to Fix 4. → If not: Continue to Check 5.

Check 5: AADSTS650056 error (Azure AD) → How to check: User sees error code AADSTS650056 in the browser. → If true: The Entity ID in Azure AD does not match the 15Five metadata URL. Go to Fix 5. → If not: Continue to Check 6.

Check 6: "This subdomain is not configured for SAML2 authentication" error → How to check: User sees this exact error message when attempting SSO login. → If true: The subdomain contains uppercase letters, spaces, or special characters. Go to Fix 6. → If not: Continue to Check 7.

Check 7: ADFS attributes not passing to 15Five → How to check: User logs in via ADFS but no user attributes update in 15Five. → If true: Claim rules on the ADFS side are missing or misconfigured. Go to Fix 7. → If not: Continue to Check 8.

Check 8: ADFS error when attributes appear to match → How to check: ADFS returns an error even though attribute values look correct. → If true: The Transform rule for NameID is missing or incorrectly configured. Go to Fix 8. → If not: Contact 15Five Support with a copy of the SAML response and your attribute mappings.

Fix

Fix 1: 403 error — user not authorized

  1. Open your IdP and locate the user's profile.
  2. Confirm the email address matches exactly what is in 15Five.
  3. Assign the user to the 15Five app in your IdP.
  4. Ask the user to attempt login again.

Fix 2: 422 error — attribute misconfiguration

  1. Open your IdP's attribute mapping configuration for 15Five.
  2. Verify the Name ID Contents field is set and mapped to a valid attribute.
  3. Confirm the Email attribute name field is filled in.
  4. If Name ID Contents is set to Not Used, fill in the Employee ID attribute name field.
  5. Save the attribute mappings in your IdP.
  6. Ask the user to attempt login once to populate attributes.

Fix 3: AADSTS50105 — user not assigned in Azure AD

  1. Open the Azure AD portal and navigate to Enterprise Applications.
  2. Select the 15Five application.
  3. Go to Users and Groups.
  4. Assign the affected user or their group to the application.
  5. Ask the user to attempt login again.

Fix 4: AADSTS750054 — incorrect Sign-on URL

  1. Open the Azure AD portal and navigate to Enterprise Applications.
  2. Select the 15Five application.
  3. Go to Single sign-on settings.
  4. Update the Sign-on URL to https://.15five.com.
  5. Save the change.

Fix 5: AADSTS650056 — mismatched Entity ID

  1. Open the Azure AD portal and navigate to Enterprise Applications.
  2. Select the 15Five application.
  3. Go to Single sign-on settings.
  4. Set the Identifier (Entity ID) to https://.15five.com/saml2/metadata/.
  5. Save the change.

Fix 6: Subdomain misconfiguration error

  1. Navigate to Company Settings > SAML Single Sign-On in 15Five.
  2. Review the subdomain field.
  3. Rewrite the subdomain using only lowercase letters and no spaces or special characters.
  4. Click Save.

Fix 7: ADFS — no user attributes passing to 15Five

  1. Open the ADFS management console.
  2. Navigate to the Relying Party Trust for 15Five.
  3. Open Edit Claim Rules.
  4. Confirm a rule exists to send the email address attribute.
  5. Confirm a rule exists to send the given name and surname attributes.
  6. Add any missing claim rules and save.

Fix 8: ADFS — Transform rule error

  1. Open the ADFS management console.
  2. Navigate to the Relying Party Trust for 15Five.
  3. Open Edit Claim Rules.
  4. Create a standard claim rule that sends the email address.
  5. Create a Transform rule that maps the email claim to NameID.
  6. Set the NameID format to urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
  7. Save the rules in the Relying Party Trust modal.
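
Before contacting support, the raw SAML response can be checked against Fix 2, Fix 7 and Fix 8 with a short script. This is an added example, not 15Five or Microsoft code. It assumes the response is a base64-encoded HTTP-POST SAMLResponse and that the email and name attribute names are the default ADFS claim types; substitute the names configured in your own 15Five SAML settings.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"  # format named in Fix 8
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # assumed attribute-name prefix

def check_saml_response(b64_response, email_attr=CLAIMS + "emailaddress",
                        name_attrs=(CLAIMS + "givenname", CLAIMS + "surname")):
    """Return a list of findings for a base64-encoded SAMLResponse.
    Diagnostic only: the signature is NOT verified, so never use this to trust a login."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations are not expected in a SAML response")
    root = ET.fromstring(xml)
    findings = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty")
    elif name_id.get("Format") != TRANSIENT:
        findings.append("NameID Format is %r, expected transient" % name_id.get("Format"))
    # Collect attribute names that carry at least one non-empty value.
    present = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS) if (v.text or "").strip()]
        if values:
            present.add(attr.get("Name"))
    for wanted in (email_attr, *name_attrs):
        if wanted not in present:
            findings.append("attribute not sent: " + wanted)
    return findings

# Constructed sample (not a real capture): emailAddress NameID format, only the email attribute sent.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'user@example.com</saml:NameID></saml:Subject>'
    '<saml:AttributeStatement><saml:Attribute Name="' + CLAIMS + 'emailaddress">'
    '<saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())

if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE_B64):
        print(finding)
```

If the value was copied from a browser's form data, URL-decode it before passing it in. Treat captured responses as sensitive, since they contain user identifiers.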

What Resolution Looks Like

  • 403/422 errors: The user completes IdP authentication and lands on their 15Five home page without an error screen.
  • AADSTS errors: Azure AD redirects the user to 15Five and the session loads.
  • Subdomain error: The SSO login page loads and the user can proceed to authenticate.
  • ADFS attribute errors: User attributes (email, name) appear correctly on the user's 15Five profile after login.

If It Still Fails

Contact 15Five Support and include:

  • The exact error message or code
  • A screenshot of your IdP attribute mapping configuration
  • The raw SAML response (if available from your IdP's debug tools)
  • Your 15Five subdomain
  • The IdP in use (Azure AD, ADFS, Okta, OneLogin, other)

Not Covered Here

This article covers login errors after SSO is configured. For initial setup steps, see the related article below.

Related Articles

  • Set up SAML Single Sign-On (SSO) in 15Five
  • Set up SCIM provisioning
