If you are running into issues during or after SSO setup, this guide covers the most common problems and how to resolve them.

These are problems you may encounter while configuring SSO for the first time.

Your organization's domain needs to be verified before SSO can be activated. This is done during the setup portal process. If you see this message, return to the domain verification step in the portal and follow the instructions for adding a DNS TXT record. Domain verification can take a few minutes to propagate.

The initial setup portal link we provide expires 5 minutes after it is generated. This is a security measure. If your link has expired before you were able to click through, reach out to us and we will generate a new one.

Once you click the link and enter the portal, your session will remain active while you complete configuration. We recommend bookmarking the portal at that point so you can return to it later to make updates, enable directory sync, or adjust your SSO settings without needing a new link.

This typically means one or more required fields in the identity provider configuration are incorrect. Double-check that:

After you finish configuring your identity provider in the setup portal, let us know so we can verify the connection on our end.

If SSO has been configured but users are having trouble signing in, check the following.

Common causes:

This means the user authenticated successfully with your identity provider, but MarketScale could not match them to an existing account. Check that the email address in your identity provider matches the user's MarketScale email exactly. If you have directory sync enabled, ensure the user is assigned to the MarketScale application in your provider.

SSO does not automatically replace password login. Users need to use the SSO login option. If you want to enforce SSO-only access, this can be configured in your setup portal under your organization's WorkOS settings.

These issues relate to automatic user provisioning via SCIM. If you have not enabled directory sync, this section does not apply. For a full overview of how directory sync works, see Directory Sync (SCIM) with MarketScale.

Verify that:

Check that the user was removed or disabled in your identity provider and that a sync cycle has completed. Some providers (e.g., Azure AD) sync on a fixed interval (typically every 40 minutes). The user's session may also still be active until it expires.

Answers to the most common questions about MarketScale SSO.

Q: Which MarketScale plans include SSO?
A: SSO is available on Business and Enterprise plans.

Q: Can I use SSO with multiple identity providers?
A: MarketScale supports one identity provider per channel.

Q: What protocols are supported?
A: SAML 2.0 and OpenID Connect (OIDC).

Q: How long does setup typically take?
A: Most organizations complete setup in 1-2 hours, depending on familiarity with their identity provider.

Q: Can I test SSO before rolling it out to all users?
A: Yes. We recommend creating a test user in your identity provider, assigning them to the MarketScale application, and verifying they can log in via SSO before rolling out to your full team.

Q: What happens if our identity provider goes down?
A: If your identity provider is unavailable, users will not be able to authenticate via SSO. You can re-enable password login through your setup portal to restore access while the outage is resolved.

Q: Can we roll back to password login if SSO is not working?
A: Yes. You can re-enable password login or adjust your SSO configuration through the setup portal at any time.

If your issue is not covered above, let us know what you are experiencing and include any error messages you are seeing. For issues specific to your identity provider's configuration, your provider's support team may also be able to help.

Related: