Advocacy: FAQ about SAML and SCIM

Please see below for answers to frequently asked questions regarding the SAML or SCIM integration. If you have a question that isn't presented here, please get in touch with Haiilo Support , and we'd be happy to help.

Users are added to a group that they are not allowed to select during onboarding. Why?

Note that this only applies to company domains using SAML SSO just-in-time provisioning and self-registration

When a user joins Haiilo with SAML SSO just-in-time provisioning, they are added to the platform immediately and will be visible in the Users list. This also means that the user must be placed in a group by our system to wait until they can choose their group. For this, our system uses the default group. The default group in Haiilo is always the group that was created first in your company domain. 

The user is added to the default group until the user gets to the 'Select group' onboarding page, where they select which group they should be located in:


After the user selects their group, they are automatically moved from the default group to their selected group. In the example below, the user joins and is first added to the default group, called 'Global.' During onboarding, they see the 'Select group' page and select 'AMER.' They are moved automatically by our system to the 'AMER' group.


If a user remains in the default group for a long time, they have not completed onboarding and selected their group.

Does Haiilo support multiple IdPs?

Haiilo supports dual IdPs meaning you can have two different SAML configurations and give your users the option to choose which one to log in with. The users select the 'Login with Single Sign On' and are then presented with the screen 'Select your organisation' with two buttons:


You decide what text is displayed on the buttons and which button leads to which IdP configuration.

To set up dual IdP SAML configurations for Haiilo, please:

  1. Set up and enable the first SAML configuration (the one for the top button) in your Haiilo domain as per the regular SAML instructions
  2. Prepare the second SAML configuration (the one for the bottom button) per the SAML instructions and test that it works from your IdP. Download the SAML metadata for this configuration.
  3. Decide internally which button texts you want to use. You can use something your users will understand, but the names should be, at max., around 20 characters.
  4. Reach out to your dedicated Customer Success Manager from Haiilo with the metadata from the second SAML configuration and names for the buttons. Please make it clear which text should point to which IdP.
  5. Our team will enable the dual IdP for your domain. Please keep in mind that depending on their workload, it can take a few weeks to implement, so please reach out well in advance.
  6. You will be informed when the dual IdP configurations have been enabled, and your users can start accessing via these. Until the second IdP configuration is set up, users can use the first configuration, as that was already enabled by you earlier in Step 1.

Where can I find the EntityID and ACS (Assertion Consumer Service) URL?

You can find the EntityId and ACS URL in the metadata file you download from your Haiilo domain in the 'Single Sign On'-settings. 


Please note that this setting item is only visible in your Haiilo domain if enabled. Please get in touch with your dedicated Customer Success specialist from Haiilo for more information and to enable the feature. 

Alternatively, you can obtain the EntityId and ACS URL from your Haiilo domain URL, as these follow the same structure:

  • EntityId:
  • ACS URL: 

I get an "Oops" error when testing my SAML integration. Why?

There should be an attribute with the "EmailAddress" name in the SAML Assertion. Haiilo needs this attribute in order to identify the user that is logging in. "EmailAddress" is the exact attribute name which is expected: it is case-sensitive and should not have any prefixes inside the name. 

Azure tends to add the 'http://schemas...' prefix to all assertion attributes by default but it should not be in the "EmailAddress" attribute. It should be displayed like this:


Any prefixes for “EmailAddress” and also other mandatory attributes must be removed on the IdP's configuration in order to successfully integrate with Haiilo. 

An error that might indicate that email attribute is wrongly configured or missing is this one: 


If the "EmailAddress" attribute is correct and you still receive an error, please contact Haiilo Support and we'd be happy to help.

I get a "Group does not exist" error when adding users via SCIM. Why?

In order to add users to a group on Haiilo, you must map to the country attribute. The field you use from your IdP has to contain a value that matches a group on Haiilo. The group must exist before any user can be assigned to it and the name must match exactly, case sensitive. If the group does not exist or the name does not match when a sync runs, this error (400.76) will occur.


To resolve this, create a group on Haiilo with the corresponding name and let the SCIM sync again; edit the existing groups on Haiilo to match the value; change the IdP field value to match the group name on Haiilo.

I get a "No matching user found" error when adding users via SCIM. Why?

If you have the 'Create' action disabled and are adding users to the IdP group that governs access to Haiilo, SCIM will attempt to sync the users on Haiilo and when it doesn't find them it will return an error. Because the 'Create' action is disabled users aren't being added to Haiilo and therefore cannot be synced.


We do not recommend using SCIM without the 'Create' action as it causes errors and depending on the IdP, the sync will not be retried once the user later joins Haiilo. This means they are never synced with Haiilo and will not be goverened by SCIM. When they are deprovisioned in the IdP they will not be deprovisioned from Haiilo as they have never been synced with SCIM.

In order for the users that have been skipped by SCIM, because they do not yet exist in Haiilo at the time they are assigned to the application, to be synced later, the sync would need to be manually retried in the IdP by your company's IT department at certain intervals.

I am testing the SAML Integration and being asked to set a password. Why?

The password configuration step (and usage of password in general) is disabled for the domains where SAML SSO is enabled. When testing the SAML integration, SAML SSO it is not yet enabled on the domain and therefore asking to set a password is the standard behavior. Once SAML SSO is enabled on your domain, users would not see this step anymore


Our SAML integration is working but no new users have been added to Haiilo despite being added in our IdP. Why is that?

Users are not automatically added to Haiilo once users are correctly configured on your IdP, instead their accounts are created once they log in to Haiilo for the first time. As long as users are correctly configured in your IdP, they will be able to access Haiilo by clicking the 'Login with Single Sign On'-button on your company Haiilo domain and create an account this way. When a user logs in the first time, you will then be able to see them in your Users-list in Haiilo. Only users added to your IdP group will be able to access Haiilo. 

If you want user accounts to be created in Haiilo automatically when you assign users to the IdP group, you can use SCIM provisioning. See here for more information.

Was this article helpful?