Troubleshooting SSO Connection Issues
Identify and Resolve Common SAML SSO Errors
Last updated: Jul 9, 2025
Overview
This guide will help you troubleshoot the most common problems encountered when setting up or using SAML-based Single Sign-On (SSO) with Harvey.
Please follow the outlined steps to resolve your issue. If you continue to experience difficulties, contact your IT team or Harvey Support for further assistance.
Common Issues and Solutions
Ensure You're on the Correct Version of the App
Harvey has two versions of the application, one for US data processing and one for EU data processing. Using the incorrect version may result in login issues.
Below is a common error message users may see when attempting to log into Harvey through the wrong URL:
How to Resolve the Issue
Confirm users are logging in with the correct version of Harvey based on your workspace’s data processing location:
- US Data Processing: app.harvey.ai
- EU Data Processing: eu.app.harvey.ai
If you’re unsure which version applies to your workspace, please contact your Harvey workspace Admin for clarification.
IDP-Initiated Connections Not Supported
Users may encounter login failures when attempting to log in through an Identity Provider (IDP)-initiated connection.
An IDP-initiated connection occurs when users start the login process from your identity provider, such as your company’s login portal, instead of directly from the Harvey application.
Example: If a user logs in through your company’s portal and then tries to access Harvey, the login process might fail. This is because Harvey requires the login process to start directly from its own login page to trigger the SAML authentication correctly.
Below is a common error message users may see when attempting an IDP-initiated connection:
How to Resolve the Issue
- Ensure these attributes are set in your SSO configuration for Harvey (typically via Entra or Okta):
- Name ID: Primary Email / Preferred Email
- Email: Primary Email / Preferred Email
- Ensure users are logging in from the correct Harvey application URL:
- US Data Processing: app.harvey.ai
- EU Data Processing: eu.app.harvey.ai
Firewalls or VPNs Blocking URLs
Some firewall or VPN configurations may block essential URLs, causing the SAML SSO connection to fail or certain functionality to break.
Below is a common error message users may see when a Firewall or VPN is blocking access to Harvey functionality:
How to Resolve the Issue:
- Access Harvey from a different browser. Sometimes firewalls and VPN’s will interact with Harvey differently depending on the browser used to facilitate the connection.
- Clear the browser cache and cookies as this may resolve intermittent login issues related to cached data during the SSO process.
- Turning off VPNs or Firewalls may resolve your access issues.
- Ensure your network settings allowlist the following URLs to enable full functionality of the Harvey app:
- https://app.harvey.ai
- https://api.harvey.ai, wss://api.harvey.ai
- https://harvey-ai.us.auth0.com
- https://api.honeycomb.io
- https://unpkg.com
- https://assets.harvey.ai
- https://azure.app.harvey.ai
- https://azureprod.api.harvey.ai, wss://azureprod.api.harvey.ai
- https://azure.api.harvey.ai, wss://azure.api.harvey.ai
- https://azure.assets.harvey.ai
- https://*.blob.core.windows.net
- If you can’t allowlist with a wildcard, use the parent domain: blob.core.windows.net
- Port 443
User Not Assigned to the Correct AD Group
Users may experience access issues if they are not part of the Active Directory (AD) group configured for the Harvey application.
Below is a common error message users may see when not added to the AD group:
How to Resolve the Issue
Verify with your IT administrator that the user has been assigned to the appropriate AD group for Harvey access.
Email Address Mismatch in Identity Provider
The email address associated with the user’s profile in the Identity Provider (IDP) may differ from the one being used during login. This often occurs if the user has transitioned from a different firm or company.
Example: A user may have initially used the email susan@acme.com and later switched to susan@firm.com, but the IDP may still recognize the original email (susan@acme.com).
How to Resolve the Issue
- An IT administrator should verify the user’s email address in the IDP, ensuring the domain matches the one the user is entering during login. If there is a mismatch, confirm that the user is using the correct email domain.
- If necessary, Harvey Support can assist in adding additional email domains to your workspace.
Still Having Trouble?
If the previous troubleshooting steps do not resolve your issue, please reach out to Harvey Support with the following information to assist in diagnosing the problem:
- Any error messages or screenshots from your SSO login attempt.
- Logs from your Identity Provider (IDP), if available.
- Configuration details for your SAML setup, including the Assertion Consumer Service (ACS) URL and Entity ID.
Providing this information will help our team resolve your issue more quickly.