Troubleshooting
Common single sign-on symptoms, their likely causes and fixes, plus how to reach CHA support and emergency recovery.
Common sign-in symptoms
| Symptom | Likely cause | Fix |
|---|---|---|
| Sign-in rejected after the IdP authenticates the user | User hasn't been invited in Viewer (invite-only mode) | Add them via Admin → Users → Add User with their organizational email, or switch to JIT (see User provisioning) |
| Sign-in rejected for an invited user | Email domain not in the provider's allowed-domains list, or the invite email doesn't match their IdP email | Check Allowed email domains on the Identity & Provisioning page; confirm the emails match |
| Sign-in fails for everyone | Your IdP isn't sending the required email claim, or the app isn't assigned to the user in the IdP | Confirm the email claim is being sent (see Connect single sign-on) and check the app's user assignment in your IdP |
| Account linking breaks when a user is renamed | Name ID mapped to a mutable claim (email / username) | Set the Name ID to a stable internal identifier (Persistent) — see the Name ID note in Connect single sign-on |
| A signed-in user sees nothing / "no access" | No role assigned yet (deny-by-default) | Assign a role via Admin → Users (see Roles & permissions) |
| Names show blank or wrong | First/last name claims missing or misnamed | Confirm your IdP sends the user's first-name and last-name claims |
| Sign-in breaks after working for months | Your IdP rotated its signing certificate | Update the provider with fresh metadata via Upload XML |
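The last row (a rotated signing certificate) and the Name ID row can both be checked before you use Upload XML. The script below is an added example, not CHA code: it assumes the provider metadata is standard SAML 2.0 metadata, and the function names and sample documents are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def inspect_idp_metadata(xml_text):
    """Return (signing-cert SHA-256 fingerprints, NameID formats) from IdP metadata."""
    # Only parse metadata obtained from your own IdP; stdlib XML parsing is not
    # hardened against hostile documents.
    root = ET.fromstring(xml_text)
    fingerprints = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.add(hashlib.sha256(der).hexdigest())
    formats = {(e.text or "").strip()
               for e in root.iterfind(".//md:IDPSSODescriptor/md:NameIDFormat", NS)}
    return fingerprints, formats


def compare_metadata(configured_xml, fresh_xml):
    """Compare the metadata on file with a fresh export from the IdP."""
    old_fp, _ = inspect_idp_metadata(configured_xml)
    new_fp, new_formats = inspect_idp_metadata(fresh_xml)
    return {
        "signing_certs_changed": old_fp != new_fp,
        "new_fingerprints": sorted(new_fp - old_fp),
        "persistent_name_id_offered": PERSISTENT in new_formats,
    }


def sample_metadata(cert_bytes, name_id_format):
    """Constructed metadata; cert_bytes are placeholder bytes, not a real certificate."""
    b64 = base64.b64encode(cert_bytes).decode()
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example/constructed">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        "<md:NameIDFormat>%s</md:NameIDFormat>"
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    ) % (NS["md"], NS["ds"], b64, name_id_format)
```

If `signing_certs_changed` is true, the fresh export carries a signing certificate the configured copy lacks, which matches the "breaks after working for months" symptom.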
Getting help
If you're stuck, contact CHA support at support@commhospital.com with the approximate time of the failed sign-in attempt and the user's email domain. We can trace it from our side and work with you to resolve it.
Keep PHI out of support requests
Don't include patient information, or full email addresses where they aren't needed. The approximate time and the email domain are enough for us to trace a failed sign-in.
Emergency recovery
If your IdP goes down or an administrator is locked out while SSO-only is on, CHA staff can open a short, time-boxed, audited window that temporarily re-enables password sign-in. This is a staff-only control, not self-serve — contact CHA support at support@commhospital.com to request it.