Troubleshooting
Published 28 April 2025
This page details some issues you may encounter when setting up and using SSO.
"Your e-mail address domain didn't match your organization's domain"
We use home realm discovery during login. After a successful login with your IdP, the domain in the email claim must match the domain of the email address the login was initiated with. You may be able to configure your IdP to work around this.
Login with UPN
When you sign in to Redgate, we give the email address you entered as a login hint to your identity provider. If you need to log in to your identity provider with something other than your email address, then your identity provider should allow you to change your login ID (e.g. to your UPN). At the time of writing, Microsoft Entra's default is to require users to log in with their UPN, and it does not allow the login ID to be changed from the email address. If your UPNs are in an email-like format and the domain portion matches the domain(s) you have enabled SSO for, then a workaround is for users to enter their UPN instead of their email address when signing in to Redgate.
If you are using Microsoft Entra the following documentation pages may help you with a workaround:
- Sign-in to Microsoft Entra ID with email as an alternate login ID
- Microsoft Entra UserPrincipalName population
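The two conditions described above (the email-claim domain match and the UPN workaround), as an added pre-flight audit that is not Redgate's code. It assumes "match" means exact, case-insensitive domain equality; the field names and sample users are constructed, and it does not model whether your IdP accepts the identifier a user types.

```python
# Added example: models the rules stated on this page, not Redgate's implementation.
# Assumption: "match" means exact, case-insensitive equality of the domain part.

def domain_of(identifier):
    """Return the lower-cased domain of an email-like identifier, or None."""
    local, sep, domain = identifier.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None  # e.g. DOMAIN\user or a bare username
    return domain.rstrip(".").lower()

def check_sign_in(entered, email_claim, sso_domains):
    """Classify one sign-in: `entered` is what the user types at Redgate,
    `email_claim` is the email claim the IdP returns after a successful login."""
    enabled = {d.lower() for d in sso_domains}
    entered_domain = domain_of(entered)
    if entered_domain is None:
        return "not-email-like"
    if entered_domain not in enabled:
        return "domain-not-sso-enabled"
    if domain_of(email_claim) != entered_domain:
        return "claim-domain-mismatch"
    return "ok"

def audit(users, sso_domains):
    """Report, per user, the outcome of entering the email and of entering the UPN."""
    return {
        u["name"]: {
            "email": check_sign_in(u["email"], u["email_claim"], sso_domains),
            "upn": check_sign_in(u["upn"], u["email_claim"], sso_domains),
        }
        for u in users
    }

# Constructed sample directory export (hypothetical field names and values).
SAMPLE_USERS = [
    {"name": "alice", "email": "alice@example.com",
     "upn": "alice@example.com", "email_claim": "alice@example.com"},
    {"name": "bob", "email": "bob@example.com",
     "upn": "bob@corp.example.net", "email_claim": "bob@example.com"},
    {"name": "carol", "email": "carol@example.com",
     "upn": "EXAMPLE\\carol", "email_claim": "Carol@Example.COM"},
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_USERS, ["example.com"]).items():
        print(name, result)
```

Users whose `upn` result is not `ok` cannot use the UPN workaround and need the IdP-side change instead.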
Unable to log in to any account
If SSO is misconfigured on the Redgate side or on your identity provider, you can end up in a state where it is not possible to log in with any account. This can prevent you from fixing the problem, as it becomes impossible to log in to the Portal to make changes to SSO.
The Portal SSO recovery flow can be used to disable SSO in this case. You will need to be able to modify the DNS records for the configured domain(s) to prove ownership by adding a TXT record. Once SSO is disabled, you will be able to log in again via username and password and can then reconfigure SSO correctly.