Authentication Troubleshooting & FAQ's

This document covers frequently asked questions and troubleshooting related to our authentication layer: SSO, SCIM, and Domain Verification.

Updated over a week ago

FAQ

We'll begin by addressing some popular questions related to edge cases around our existing architecture.

Domain Verification

  1. Can I verify the same domain on multiple organizations?

    1. This cannot be performed natively at this time. Please reach out to your Account Director to discuss your use-case and potential implementations.

  2. Can I verify my primary domain and have that propagate to its subdomains?

    1. Currently, no. You must verify each subdomain as its own unique record.

  3. My company’s security policy doesn’t allow us to use a TXT record for our primary domain, so we’re unable to verify our domain.

    1. In exceptional cases, we can manually verify domains on your behalf. Please reach out to your Account Director to discuss your available options.

  4. Does domain verification expire and have to be re-upped?

    1. Currently, no. You will only see “Expired” if you began the process but never completed verification. We allow 7 days to complete the verification process once started.

SCIM

  1. Review our existing ChatGPT and API Platform SCIM FAQ’s

SSO and IdP

  1. I was originally a ChatGPT/Platform only customer, and I don’t know how to access the other product to control its SSO settings.

    1. Please reach out to your Account Director, so they can ensure the respective organization/workspace is properly set up and that you are added to it as an admin.

  2. I’m an admin, but I don’t see the Identity page on my Platform account.

    1. The Identity page appears to Platform admins if the Enterprise Platform account has a “Custom” or “Unlimited” billing plan. This can be confirmed in the Billing Settings of your API account, and you can contact your Account Director for further assistance.

  3. Can I configure multiple IdP’s in a single workspace?

    1. No, at this time, we only support a single IdP per organization/workspace.

  4. Does “Enforce SSO” mean that anyone invited into my workspace will need to use SSO?

    1. No, enforcing SSO only applies to users that are part of the ChatGPT workspace AND that are logging in with an email associated with a verified domain. Users logging in with a non-verified domain can still authenticate with password or Social login, allowing you to support guest users if desired.

Troubleshooting

In this section, we'll address general behavior you may run into along with specific error messages. If you were previously able to authenticate successfully, and have only just begun to see issues, please review our Status Page to ensure there is not an active incident.

General Issues

  1. I'm not getting a password reset email

    1. If you originally used Social login via Google, this is expected. You should log in with Google/request a password change on your Google account. If this isn’t the case, please reach out to Support for assistance.

  2. I belong to multiple workspaces, but I don't see the option to switch between them while I'm logged into ChatGPT

    1. If, while logged in, you don't see a specific workspace you know you're a member of, it may help to forcibly access it. To do this, log out of ChatGPT, then go through the login flow once more. If the missing workspace is SSO enabled, select its corresponding SSO button in the workspace picker. Otherwise, use the "Continue with Password" button to authenticate into it.

  3. My users are being asked for their name and birthday when signing up.

    1. This occurs if we don't see valid name attributes in the SAMLResponse from your IdP. Please review your attribute mapping to ensure it meets our criteria, and that you aren't encrypting the attributes.

  4. My users' emails are being displayed for their names

    1. Similar to above, this is likely occurring because we're not seeing valid name attributes in the SAMLResponse from your IdP. Please review your attribute mapping to ensure it meets our criteria, and that you aren't encrypting the attributes.
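For the two name-attribute issues above, it helps to look at what the IdP actually sent. The following is an added diagnostic example, not OpenAI's code: it decodes a base64 `SAMLResponse` form value captured from a test login, lists the attributes it carries, and flags encrypted assertions or attributes. The expected attribute names (`firstName`, `lastName`) are hypothetical placeholders, since this page does not list the required names, and the sample responses are constructed.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
EXPECTED = ("firstName", "lastName")  # hypothetical names; use the ones from the mapping criteria

def inspect_attributes(saml_response_b64, expected_names=EXPECTED):
    """Report which attributes a base64 SAMLResponse carries and whether any are encrypted."""
    raw = base64.b64decode(saml_response_b64)
    # SAML messages never need a DTD; refuse it rather than expand entities.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declaration found; refusing to parse")
    root = ET.fromstring(raw)
    encrypted = [tag for tag in ("EncryptedAssertion", "EncryptedAttribute")
                 if root.find(f".//{{{SAML}}}{tag}") is not None]
    present = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        present[attr.get("Name")] = [v for v in values if v]
    # An attribute that exists but has no non-empty value is as useless as a missing one.
    missing = [name for name in expected_names if not present.get(name)]
    return {"encrypted": encrypted, "present": present, "missing_or_empty": missing}

# --- constructed samples (not captured from any real IdP) ---
PLAIN_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>""".encode())

ENCRYPTED_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:EncryptedAssertion/>
</samlp:Response>""".encode())

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_B64), ("encrypted", ENCRYPTED_B64)):
        print(label, inspect_attributes(sample))
```

A captured `SAMLResponse` contains user identifiers and is a bearer credential until it expires, so run this locally and do not paste real responses into shared tools.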

Specific Error Messages

  1. “You tried signing in as user@example.com using a password, which is not the authentication method you used during sign up. Try again using the authentication method you used during sign up. (error=identity_provider_mismatch)”

    1. This error typically occurs if you attempted to log in with a password when your original signup method was through a Social login (Google/Microsoft/Apple). Please try logging in with the correct Social login instead.

  2. “require_sso_login”

    1. This error occurs when a user has signed in with a Social login method (Google/Microsoft/Apple) but “Enforce SSO” is enabled on that workspace. Try logging out, and logging back in using SSO (i.e. type in your email address, get redirected to your IdP, and authenticate there).

  3. “Something went wrong while getting your SSO info”

    1. This error message can be misleading, as it can occur for non-SSO users while trying to determine whether or not they belong to an Enterprise workspace.

    2. The message typically indicates that something on your network is blocking our endpoint check.

      1. SSO users may be able to get around this by using the Tile URL; however, we would recommend inspecting your network tab to determine why our “useGetSSOConnection” call is blocked on your network.

    3. Please work with your IT team to verify that you do not have a VPN/Proxy/Extension that might be blocking traffic to our endpoints, and that you have allowlisted all of our domains.

  4. “No accessible workspaces”

    1. In the event that the email address returned by your IdP has changed (e.g. your IT team updated the mapping, your email changed, etc.), it’s possible that your corresponding OpenAI account remains tied to the previous SAML profile. Because we see a new email being passed back to us, we run into issues reconciling it with your original user. Please reach out to Support for assistance in this scenario.

  5. “Invalid thumbprint (configured …”

    1. This error message almost always indicates a mismatch between the X.509 certificate you shared with us and the one we’re seeing in the returned SAML response from your IdP. Please double-check you’re using the correct cert, and re-upload it via the Identity page.

  6. "the connection is not enabled"

    1. This error typically indicates that you are accessing a Tile URL that is not active for your connection. Recall that your ChatGPT and API Platform share the same underlying org-id, and this results in only one of the two Tile URLs being active at a time. By default, we activate the ChatGPT Tile URL -- if you would like to switch this to the Platform Tile URL, please contact Support.
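For the “Invalid thumbprint” error above, you can confirm a certificate mismatch (for example after an IdP certificate rotation) before re-uploading. The following is an added example, not OpenAI's code: it compares the thumbprint of the certificate file you uploaded with the certificate embedded in a captured `SAMLResponse`. Which hash the error message displays is an assumption, so both SHA-1 and SHA-256 are computed; the sample data is constructed, with placeholder bytes standing in for real DER certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML Signature namespace

def pem_to_der(pem_text):
    """Strip the PEM armor and whitespace and return the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", pem_text)
    return base64.b64decode(body)

def thumbprints(der):
    """A thumbprint is a hash over the DER bytes; the algorithm in use is an assumption."""
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}

def response_certs(saml_response_b64):
    """Return the DER bytes of every ds:X509Certificate embedded in the response."""
    raw = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declaration found; refusing to parse")
    root = ET.fromstring(raw)
    return [base64.b64decode("".join((el.text or "").split()))
            for el in root.iter(f"{{{DS}}}X509Certificate")]

def compare(configured_pem, saml_response_b64):
    """Compare the uploaded certificate with what the IdP put in the response."""
    configured = thumbprints(pem_to_der(configured_pem))
    seen = [thumbprints(der) for der in response_certs(saml_response_b64)]
    return {"configured": configured, "in_response": seen, "match": configured in seen}

# --- constructed sample data: placeholder bytes, not real certificates ---
def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

OLD_CERT_PEM = _pem(b"constructed placeholder: certificate uploaded earlier")
NEW_CERT_PEM = _pem(b"constructed placeholder: certificate the IdP signs with now")
SAMPLE_RESPONSE_B64 = base64.b64encode((
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    f'<ds:Signature xmlns:ds="{DS}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
    + base64.b64encode(pem_to_der(NEW_CERT_PEM)).decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
).encode())

if __name__ == "__main__":
    for label, pem in (("old", OLD_CERT_PEM), ("new", NEW_CERT_PEM)):
        print(label, compare(pem, SAMPLE_RESPONSE_B64)["match"])
```

This only reads the embedded certificate; it does not verify the XML signature, so a match tells you which certificate to upload, not that the response is authentic.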
