Troubleshooting Entra ID (Azure AD) SSO Integration – Users login fails
Applies to: Netop Remote Control Portal with SAML SSO via Microsoft Entra ID (formerly Azure AD) or ADFS
Symptom
Users who are members of an Entra ID group assigned to the Netop Portal do not appear in the corresponding group in the Netop Portal, and the group member counts differ between Entra ID and Netop. Affected users cannot log in via SSO and may receive an error code (for example, error 20012).
Example: an Entra ID group has 100 members, but the matching Netop Portal group shows only 60.
Before you start: how user provisioning works
The Netop Portal does not import or synchronize users from Entra ID in the background. A user’s SSO identity is created in the Netop Portal the first time they successfully log in, and they are added to the correct Netop group at that moment.
Key point: a count mismatch between an Entra ID group and the matching Netop group is normal for users who have never logged in. It only indicates a problem when users who try to log in fail to get in. Troubleshoot the failed login, not the “missing sync”. |
Step 1 – Get the exact error message
Ask an affected user (or reproduce yourself) and record:
- The exact error code and message shown (e.g. “Error 20012”).
- Whether the error appears before or after the user successfully authenticates with Entra ID.
If the error appears before Entra ID authentication completes, the problem is on the Entra ID side (app assignment, conditional access, etc.) – start with Step 2. If it appears after authentication, the SAML response reaching Netop is incomplete or malformed – continue with Steps 3–5.
Step 2 – Check app assignment in the Entra ID enterprise application
In the Entra admin center, open the enterprise application used for Netop Portal SSO and go to Users and groups. Verify that the affected users are entitled to use the application.
Nested groups are not resolved: group assignment goes down only one level. If a group assigned to the enterprise app contains another group, members of that nested group will not be able to log in – only direct members count. Assign users directly or flatten the group structure. |
Step 3 – Look up the error code
Error codes 20001–20015 relate to the SAML/Entra ID integration. Full list: Netop Portal Error Codes
Error code | Meaning | What to do |
20001, 20002, 20003, 20005, 20009, 20010 | The SAML message returned by Entra ID/ADFS is not in the expected format. | Re-check the integration setup against the ADFS and Azure AD Integration guide. |
20004 | The certificate used for the ADFS/Entra ID integration has expired. | Renew the signing certificate and update it in the Netop Portal configuration. |
20006 | A mandatory attribute is missing from the SAML response. | Check the mandatory fields listed in the integration guide. |
20007 | The domain identifier could not be retrieved. | Verify the claim rules and confirm the ID was replaced with your domain identifier. |
20011 | Missing username attribute. | Fill in the username attribute for the user in Entra ID. |
20012 | Missing email attribute. | Fill in the Email (mail) attribute for the user in Entra ID. Common with external/guest accounts – see Step 4. |
20013 | Missing first name attribute. | Fill in the first name (givenName) attribute for the user in Entra ID. |
20014 | The ADFS/Entra ID authentication method is inactive. | Activate it in the Netop Portal under Account > Configuration. |
20015 | Missing last name attribute. | Fill in the last name (surname) attribute for the user in Entra ID. |
Step 4 – Verify mandatory user attributes in Entra ID
The Netop Portal requires these attributes in the SAML response for every user:
- Username
- Email (the Entra ID mail attribute)
- First name (givenName)
- Last name (surname)
If any of these is empty for a user, login fails with error 20011, 20012, 20013 or 20015 respectively, and the user is never created in the Netop Portal.
Watch out for external/guest accounts: guest (B2B) accounts frequently have an empty mail attribute, which causes error 20012. Populate the Email field on those accounts in Entra ID. |
Tip: to troubleshoot quickly without involving end users, create a temporary test user in Entra ID, add it (directly) to the affected group, and reproduce the login yourself.
Step 5 – Capture and inspect the SAML response
If the attributes look correct but login still fails, capture the actual SAML response sent to Netop using the browser’s developer tools. (Procedure adapted from View a SAML response in your browser (AWS documentation).) In all browsers, first go to the Netop Portal login page so you can reproduce the failed login.
Google Chrome / Microsoft Edge
- Press F12 to open Developer Tools.
- Select the Network tab and enable Preserve log.
- Reproduce the failed SSO login.
- Find the POST request containing a SAML payload. Select it, open the Payload tab, and locate the SAMLResponse element. Its value is the Base64-encoded response.
Mozilla Firefox
- Press F12 to open Web Developer Tools.
- Select the Network tab, open options (gear icon) and enable Persist Logs.
- Reproduce the failed SSO login.
- Find the POST SAML request, open the Request tab, and locate the SAMLResponse value.
Apple Safari
- Enable the Develop menu: Preferences > Advanced > Show Develop menu in the menu bar, then choose Develop > Show Web Inspector.
- Select the Network tab and enable Preserve Log.
- Reproduce the failed SSO login.
- Find the POST SAML request, open the Headers tab, and under Request Data locate SAMLResponse. Its value is the Base64-encoded response.
Decode the SAML response
The SAML response may contain sensitive data – do not use an online Base64 decoder. Decode locally instead:
- Windows (PowerShell): [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("base64encodedtext"))
- macOS/Linux: echo "base64encodedtext" | base64 --decode
What to check in the decoded XML
- The saml:NameID value matches the authenticated user.
- All mandatory attributes (username, email, first name, last name) are present and non-empty – an empty email attribute confirms error 20012.
- The domain identifier claim is present and matches your Netop Portal configuration (error 20007 if not).
- The signing certificate is valid and not expired (error 20004).
Resolution checklist
- Populate any missing mandatory attributes (email, first name, last name, username) on the affected accounts in Entra ID – especially external/guest accounts.
- Make affected users direct members of a group assigned to the enterprise application (no nesting).
- Have the user log in again – their Netop identity is created on first successful login and they are added to the correct group automatically.
- Confirm the user now appears in the expected group in the Netop Portal.
Related articles
- Netop Portal Error Codes
- ADFS and Azure AD Integration (mandatory fields and claim rules)
- View a SAML response in your browser – AWS IAM User Guide
If there is any help needed, please contact us either using the Submit ticket button or via our support email address: support@netop.com
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article