We'll begin by addressing some popular questions related to edge cases around our existing architecture.
Domain Verification
Can I verify the same domain on multiple organizations?
This cannot be performed natively at this time. Please reach out to your Account Director to discuss your use case and potential implementations.
Can I verify my primary domain and have that propagate to its subdomains?
Currently, no. You must verify each subdomain as its own unique record.
My company's security policy doesn't allow us to use a TXT record for our primary domain, so we're unable to verify our domain.
In exceptional cases, we can manually verify domains on your behalf. Please reach out to your Account Director to discuss your available options.
Does domain verification expire and have to be re-upped?
Currently, no. You will only see "Expired" if you began the process but never completed verification. We allow 7 days to complete the verification process once started.
SCIM
Review our existing ChatGPT and API Platform SCIM FAQs.
SSO and IdP
I was originally a ChatGPT/Platform only customer, and I don’t know how to access the other product to control its SSO settings.
Please reach out to your Account Director, so they can ensure the respective organization/workspace is properly set up and that you are added to it as an admin.
I’m an admin, but I don’t see the Identity page on my Platform account.
The Identity page appears to Platform admins if the Enterprise Platform account has a “Custom” or “Unlimited” billing plan. This can be confirmed in the Billing Settings of your API account, and you can contact your Account Director for further assistance.
Can I configure multiple IdPs in a single workspace?
No, at this time, we only support a single IdP per organization/workspace.
Does “Enforce SSO” mean that anyone invited into my workspace will need to use SSO?
No. Enforce SSO applies only when the user is accessing that ChatGPT workspace, SSO is enforced for it, and the login email matches a verified domain. Users signing in with unverified-domain emails can continue with non-SSO methods (such as password or social login), which supports guest access.
Troubleshooting
In this section, we'll address general behavior you may run into along with specific error messages. If you were previously able to authenticate successfully, and have only just begun to see issues, please review our Status Page to ensure there is not an active incident.
General Issues
I'm not getting a password reset email
If you originally used Social login via Google, this is expected. You should log in with Google or request a password change on your Google account. If this isn’t the case, please reach out to Support for assistance.
I belong to multiple workspaces, but I don't see the option to switch between them while I'm logged into ChatGPT
If you’re missing a workspace you know you belong to, log out of ChatGPT and sign in again. If that workspace requires SSO, choose its SSO sign-in option. If it does not require SSO, continue with the standard login flow and sign in with a non-SSO method (for example, password or social login).
My users are being asked for their name and birthday when signing up.
This occurs if we don't see valid name attributes in the SAMLResponse from your IdP. Please review your attribute mapping to ensure it meets our criteria, and that you aren't encrypting the attributes.
My users' emails are being displayed for their names
Similar to above, this is likely occurring because we're not seeing valid name attributes in the SAMLResponse from your IdP. Please review your attribute mapping to ensure it meets our criteria, and that you aren't encrypting the attributes.
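The check described in the two answers above, as an added example (not OpenAI's code): it decodes a captured SAMLResponse and reports expected name attributes that are missing, empty, or hidden by encryption. The attribute names `first_name` and `last_name` and the sample response are assumptions constructed for illustration; substitute the names from the attribute-mapping criteria.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response, not captured from a real IdP.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="first_name">
        <saml:AttributeValue></saml:AttributeValue>
      </saml:Attribute>
      <saml:EncryptedAttribute/>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def audit_name_attributes(saml_response_b64, expected_names):
    """Report expected attributes that are missing, empty, or encrypted."""
    # Diagnostic use on a response captured from your own IdP only;
    # this does not validate the signature or harden the XML parser.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    encrypted = [
        el.tag.split("}")[1]
        for tag in ("EncryptedAssertion", "EncryptedAttribute")
        for el in root.findall(f".//saml:{tag}", NS)
    ]
    present = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        present[attr.get("Name")] = values
    missing = [n for n in expected_names if n not in present]
    empty = [n for n in expected_names if n in present and not present[n]]
    return {"encrypted": encrypted, "missing": missing, "empty": empty,
            "ok": not (encrypted or missing or empty)}

if __name__ == "__main__":
    # "first_name"/"last_name" are hypothetical names used for illustration.
    print(audit_name_attributes(SAMPLE_B64, ["first_name", "last_name"]))
```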
Specific Error Messages
Your Identity Provider signed you in as {email}, but that email has not been added to your ChatGPT workspace.
This error occurs when you use SSO to access ChatGPT but the SSO configuration tries to sign you into an account which isn't invited to the ChatGPT workspace where your SSO is configured. If the email address is the desired email address, then your ChatGPT workspace admin needs to invite you to the workspace. If the email address is incorrect, then your IT Admin needs to modify the SSO configuration within your IdP. If the email is correct, but you need to access a different, pre-existing email address, then your old account will need to have its email address changed. For additional guidance with this issue, please have your administrator reach out to support@openai.com.
“You tried signing in as user@example.com using a password, which is not the authentication method you used during sign up. Try again using the authentication method you used during sign up. (error=identity_provider_mismatch)”
This error occurs when the sign-in method you just used does not match the method originally used for that account. Try again with your original method, such as password, a temporary code, Google, Microsoft, Apple, or your organization's SSO.
If you have lost access to your original means of authentication or need to password-authenticate into an additional workspace (e.g. you initially joined an Enterprise workspace via SSO, but are no longer a member or were invited to a second workspace), please reach out to Support for further assistance.
“require_sso_login”
This error occurs when a user has signed in with a Social login method (Google/Microsoft/Apple) but “Enforce SSO” is enabled on that workspace. Try logging out, and logging back in using SSO (i.e. type in your email address, get redirected to your IdP, and authenticate there).
“Something went wrong while getting your SSO info”
This error message can be misleading, as it can occur for non-SSO users while trying to determine whether or not they belong to an Enterprise workspace.
The message typically indicates that something on your network is blocking our endpoint check.
SSO users may be able to get around this by using the Tile URL; however, we would recommend inspecting your network tab to determine why our “useGetSSOConnection” call is blocked on your network.
Please work with your IT team to verify that you do not have a VPN/Proxy/Extension that might be blocking traffic to our endpoints, and that you have allowlisted all of our domains.
“No accessible workspaces”
In the event that the email address returned by your IdP has changed (e.g. your IT team updated the mapping, your email changed, etc.), it’s possible that your corresponding OpenAI account remains tied to the previous SAML profile. Because we see a new email being passed back to us, we run into issues reconciling it with your original user. Please reach out to Support for assistance in this scenario.
“Invalid thumbprint (configured …”
This error message almost always indicates a mismatch between the X.509 certificate you shared with us and the one we’re seeing in the returned SAML response from your IdP. Please double-check you’re using the correct cert, and re-upload it via the Identity page.
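One way to confirm the mismatch before re-uploading, as an added example (not OpenAI's code): it hashes the certificate you uploaded and the certificate embedded in a captured SAMLResponse, then compares the two. The certificate bytes and the response are constructed stand-ins, and SHA-1 as the thumbprint hash is an assumption, since the page does not state the algorithm.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_CERT = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed stand-ins for DER certificate bytes (not real certificates);
# a thumbprint is a hash over the DER encoding, so any bytes illustrate it.
OLD_DER = b"constructed stand-in: previous IdP signing certificate"
NEW_DER = b"constructed stand-in: rotated IdP signing certificate"
OLD_PEM, NEW_PEM = to_pem(OLD_DER), to_pem(NEW_DER)
SAMPLE_RESPONSE_B64 = base64.b64encode((
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>'
    "<ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(NEW_DER).decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    "</samlp:Response>"
).encode()).decode()

def pem_to_der(pem):
    lines = (line.strip() for line in pem.strip().splitlines())
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))

def thumbprint(der, algo="sha1"):
    # Assumption: SHA-1 over the DER bytes, the usual meaning of "thumbprint";
    # pass algo="sha256" if the value you are comparing against is longer.
    return hashlib.new(algo, der).hexdigest().upper()

def compare_thumbprints(uploaded_pem, saml_response_b64, algo="sha1"):
    """Compare the uploaded cert with the cert(s) embedded in a SAMLResponse."""
    configured = thumbprint(pem_to_der(uploaded_pem), algo)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    presented = sorted({
        thumbprint(base64.b64decode("".join(el.text.split())), algo)
        for el in root.iter(DS_CERT) if el.text
    })
    return {"configured": configured, "presented": presented,
            "match": configured in presented}

if __name__ == "__main__":
    print(compare_thumbprints(OLD_PEM, SAMPLE_RESPONSE_B64))  # stale upload
    print(compare_thumbprints(NEW_PEM, SAMPLE_RESPONSE_B64))  # after re-upload
```

A match only shows that the response carries the certificate you uploaded; it does not verify the signature itself.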
"Oops! Please use your organization's SSO to access your account."
This error occurs when you belong to a workspace or organization where SSO has been enforced, but you may have attempted to log in through a different method (e.g. Google/Microsoft/Apple or username and password). Please type your email into the login page and select the SSO option.
If you're redirected to your IdP, and still receive this message after authentication, please confirm with your IT team that you are a member of the IdP access group.
"the connection is not enabled"
This error typically indicates that you are accessing a Tile URL that is not active for your connection. Recall that your ChatGPT and API Platform share the same underlying org-id, and this results in only one of the two Tile URLs being active at a time. By default, we activate the ChatGPT Tile URL. If you would like to switch this to the Platform Tile URL, please contact Support.
If you are only encountering this error on your mobile application, while you're successfully able to login through web/desktop, please ensure you've updated your iOS or Android application to the latest version.
"This sts.windows.net page can't be found"
This error can be caused by an incorrect schema mapping during SSO setup, or by an incorrect SSO URL entered as the SSO sign-in URL in the configuration. You will need to correct this URL. The URL can usually be found in the SSO settings of your Identity Provider.
