
How do I troubleshoot SSO with Microsoft Entra ID?

This guide covers the most common reasons SSO fails after configuration, and how to diagnose and resolve each one.

SSO redirects to the standard username/password login

The user clicks sign in via SSO, Entra ID authenticates successfully, but they are still redirected to the Security Center credential login screen.

Likely causes:

1. The user account in Security Center is not set to use SSO

Each user must be individually enabled for SSO in Security Center. To check:

  • Go to Settings > Users in Security Center.
  • Open the user's profile.
  • Confirm that SSO is enabled for that user.

If SSO is not enabled on the user account, Security Center falls back to credential login regardless of what the IdP returns; a successful sign-in at Entra does not override this per-user setting.

2. The SAML Entity ID or Reply URL is misconfigured in Entra

The correct values to use in Entra's Basic SAML Configuration are:

  Field                   Value
  Identifier (Entity ID)  https://sc.holmsecurity.com/sso/metadata/
  Reply URL (ACS URL)     https://sc.holmsecurity.com/sso/callback/

On-Prem installations: Replace sc.holmsecurity.com with your own Security Center URL.

Both values are compared as exact strings: the Entity ID becomes the Audience that Security Center expects in the assertion, and Entra will only post the SAML response to a Reply URL that is registered on the Enterprise Application. Even a single trailing character difference (e.g., a missing trailing slash) causes the SAML flow to fail, usually without a clear error in either system.

3. The SAML response from Entra is not being accepted by Security Center

Entra ID may report a successful sign-in in its own logs even if the SAML assertion Holm receives is malformed or missing required attributes. To inspect what is actually being sent:

  1. Install the SAML Tracer browser extension (available for Firefox and Chrome).
  2. Initiate an SSO login.
  3. Review the SAML response — confirm the NameID element is present in the Subject, that its Format is emailAddress, and that its value is the email address of the user as registered in Security Center.

4. Multiple tenants / Security Centers

If you manage more than one tenant or Security Center, each one requires its own SSO configuration in Entra ID. SSO settings are not shared between Security Centers. Create a separate Enterprise Application in Entra for each Security Center and configure the Entity ID and Reply URL accordingly.

"No attempts visible" in Entra ID sign-in logs

If the Entra ID sign-in logs show no activity after an attempted login, the request is not reaching Entra at all. Allow a few minutes before concluding this, since sign-in log entries are not instantaneous.

Check:

  • Are you navigating to your custom SSO login URL? The standard sc.holmsecurity.com/#/auth/login link uses credential login. Your SSO entry point will be a custom URL provided during SSO setup.
  • Is the Sign On URL configured in Entra pointing to the correct Holm SSO endpoint?
  • Is the SAML Signing Certificate option set to Sign SAML response and assertion?

SSO worked before but has stopped working

Common triggers for SSO breaking after it was previously working:

  • SSL certificate updated on an on-prem Core Server — After the certificate is replaced, the SSO trust between the Core Server and Entra may need to be re-established. Re-upload the new certificate in the Holm admin portal. At the same time, check the expiry of the SAML signing certificate on the Entra Enterprise Application: Entra signing certificates have a limited lifetime (three years by default), and after a rotation the new certificate must be trusted on the Security Center side or signature validation fails.
  • Entra ID password change — In some configurations, credential changes can affect service accounts linked to the SSO app. Verify the Enterprise Application's credentials in Entra are still valid.
  • Security Center user account modified — If the SSO-enabled flag on the user was inadvertently toggled, SSO will stop working for that user. Check the user profile in Settings > Users.

"You'll be logged out soon" loop (On-Prem)

If clicking the Holm app in "My Applications" produces a brief redirect then shows "You'll be logged out soon…" followed by the credential prompt:

  • This typically means Holm received the SAML assertion but could not create a valid session. Check that the NameID in the SAML response matches the email address of the user registered in Security Center.
  • Confirm no session cookie conflicts exist by trying in a private/incognito browser window.
  • On-prem only: Confirm the Core Server's time is synchronized (NTP). A clock skew of more than a few minutes can cause SAML assertions to be rejected.
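The checks named in this section and in "The SAML response from Entra is not being accepted" above (NameID present, email-formatted and matching the user; Audience equal to the Entity ID; Destination equal to the Reply URL; Conditions window versus the server clock) can be run against a SAMLResponse value copied out of SAML Tracer. The following Python script is an added example, not Holm's or Microsoft's code. The embedded response is a constructed sample (with a placeholder tenant ID and a deliberately missing trailing slash in the Audience), the expected values, user and reference times are assumptions, and the script does not verify the XML signature, so it is a diagnostic aid only.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml_response(value):
    """Decode a SAMLResponse parameter copied from SAML Tracer.
    HTTP-POST binding (what Entra uses) is plain base64; the HTTP-Redirect
    binding is DEFLATE + base64 and is handled as a fallback."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")


def _parse_time(value):
    # SAML timestamps are UTC ISO 8601, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, entity_id, acs_url, user_email, now,
                    skew=timedelta(minutes=3)):
    """Return a list of problems; an empty list means every check passed.
    'skew' is an assumed clock-drift tolerance, not Security Center's real value."""
    findings = []
    root = ET.fromstring(xml_text)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")

    # Destination must be exactly the Reply URL (ACS URL) configured in Entra
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != Reply URL {acs_url!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext <saml:Assertion> (encrypted assertions not handled)")
        return findings

    # Audience must be exactly the Entity ID; a missing trailing slash breaks it
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        findings.append(f"Audience {audience!r} != Entity ID {entity_id!r}")

    # NameID must exist, be email-formatted and match the Security Center user
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("NameID missing from Subject")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            findings.append(f"NameID Format {name_id.get('Format')!r}, expected emailAddress")
        if (name_id.text or "").strip().lower() != user_email.lower():
            findings.append(f"NameID {name_id.text!r} does not match user {user_email!r}")

    # Validity window against the SP clock: the on-prem clock-skew failure mode
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if nb and now + skew < _parse_time(nb):
            findings.append(f"assertion not yet valid (NotBefore {nb}); check SP clock")
        if noa and now - skew >= _parse_time(noa):
            findings.append(f"assertion expired (NotOnOrAfter {noa}); check SP clock")
    return findings


# Constructed sample response (not a real capture, placeholder tenant ID).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T10:00:00Z" Destination="https://sc.holmsecurity.com/sso/callback/">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sc.holmsecurity.com/sso/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
REFERENCE_NOW = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)  # inside the window
SKEWED_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)      # SP clock one hour fast


def diagnose(saml_response_b64, now=None):
    """Run every check against a captured SAMLResponse (expected values are assumptions)."""
    return check_assertion(
        decode_saml_response(saml_response_b64),
        entity_id="https://sc.holmsecurity.com/sso/metadata/",
        acs_url="https://sc.holmsecurity.com/sso/callback/",
        user_email="jane.doe@example.com",
        now=now or datetime.now(timezone.utc),
    )


if __name__ == "__main__":
    for problem in diagnose(SAMPLE_B64, now=REFERENCE_NOW) or ["all checks passed"]:
        print(problem)
```

Against the sample, the only finding is the Audience mismatch caused by the missing trailing slash; running the same response with SKEWED_NOW adds an "assertion expired" finding, which is what a Core Server with a wrong clock sees. Replace the expected values with your own Security Center URLs and the affected user's email before running it against a real capture.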

Email links from Security Center redirect to credential login, not SSO

This is expected behavior. Notification emails (e.g., remediation ticket links) contain direct links to sc.holmsecurity.com which use the standard login flow. They do not route through your custom SSO URL.

Workaround: Users should first log in via your SSO URL, and then navigate to the link from the email. Once authenticated, the link will open correctly without requiring a second login.

Limitation

There is currently no configuration option to embed your custom SSO URL in email notifications.