Prolaborate Active Directory Troubleshooting and Known Issues

This consolidated document summarizes the customer‑reported issues related to setting up Active Directory (AD) with Prolaborate. The goal is to help support teams and automated systems (e.g., Zoho Desk) identify known problems and guide customers toward the correct solution. 

1. “Invalid credentials” error when logging in with an AD user 

Description 

A common issue occurs when users try to sign in to Prolaborate with their AD account and receive an “Invalid credentials” error, even though the account exists. Two scenarios are described in the support tickets: 

  • Login fails when the username includes the email domain – Users in a domain (e.g., @sandia.gov) see an invalid‑credentials error when entering their full email address but are able to log in if they omit the domain. The root cause is that Prolaborate uses the username field from AD, not the email address. Adding the domain suffix to the username attribute in AD allows users to log in using their email. 

  • Login fails even with the correct credentials – In other cases the user enters their correct User Logon Name and password but still sees “Invalid credentials.” This is often caused by an older bug where a user is a member of multiple AD groups with identical names (for example, several groups called Administrator). Prolaborate versions prior to 5.4 do not handle this correctly. If information‑level logs show the authentication failure, upgrading to version 5.4 or later resolves the issue. 

Guidance 

  • Instruct users to enter their AD User Logon Name (found in AD user properties) in the Email/Username field and use their AD password. 

  • If users need to log in using the domain (e.g., @sandia.gov), update the username attribute in Active Directory to include the suffix. 

  • If users still receive an error, request their Prolaborate version and an information‑level log capturing the issue. For versions older than 5.4, the problem may be a known bug; recommend upgrading to the latest version. 

2. Cannot delete obsolete Active Directory profiles 

During AD setup, administrators sometimes create test credentials that later become invalid. Prolaborate does not currently provide a delete option for AD configurations. Administrators can edit the configuration or change the server, but obsolete profiles remain. If removal is required, support must run a SQL query directly against the database. Ask the customer for their database type and request the appropriate script from the product team. 

3. Updating the expiry date of the IDP certificate in Azure AD 

Summary 

When using SAML Single Sign‑On (SSO), Prolaborate relies on the identity provider’s (IDP) signing certificate. If the certificate is about to expire, update it in Azure AD and upload the new certificate to Prolaborate to avoid authentication failures. The steps below combine the instructions from the official troubleshooting guide with illustrative screenshots. 

Azure AD configuration 

  1. In Azure AD, navigate to Enterprise Applications → your Prolaborate application → Single sign‑on → SAML certificates. Click New Certificate and set the desired expiry date. Then click Save. 

  2. After saving, make the new certificate active. Select the certificate and choose Make Certificate Active. 

  3. Once the certificate is active, download it (e.g., Base64) from the SAML certificates pane. 

Prolaborate configuration 

  1. In Prolaborate, go to Portal Settings → SAML Single Sign‑On. 

  2. Under Identity Provider (IDP) Configuration, upload the certificate you downloaded from Azure AD. 

  3. Click Save, then test the connection by logging in through SSO in a private or incognito browser session. If authentication fails, contact support and provide the certificate. 

4. “Permission Denied” error when using Azure AD SSO 

Description 

Some users receive a “Permission Denied” error after successfully authenticating via Azure AD SSO. Authentication succeeds but authorization fails because the SAML group claim isn’t correctly configured, the user is not a member of the expected group, or the group isn’t linked to the appropriate Access Control Profile in Prolaborate. Incorrectly mapping the group name instead of the Object ID in Azure AD can also trigger this error. 

Troubleshooting and remediation 

4.1 Configure the group claim 

  • In the Prolaborate portal, navigate to SAML Single Sign‑On → Attribute Mapping. 

4.2 Ensure the user is a member of the correct SAML group 

  1. In Azure AD, open the Users and groups page under your Prolaborate enterprise application and click the user’s display name. 

  2. Under Group memberships, verify whether the user belongs to the expected security group. If the user is not part of the group, click Add Memberships. 

  3. In the Groups tab, choose the correct security group and click Select to assign it to the user. If the required group doesn’t exist, create a new group as described below. 

  4. To create a new group, go to Azure AD → Groups → All groups and click New group. After creating the group, return to the user’s Groups tab and add the membership. 

4.3 Map the group correctly in Prolaborate 

  • When Prolaborate uses SAML group‑based restrictions, each SAML group must be associated with an Access Control Profile. Go to Menu → SAML Single Sign On in Prolaborate. 

  • In the Access Control Profile section, choose the appropriate profile for the group and ensure that the SAML Group field contains the Object ID of the Azure group, not the group name. If necessary, click Add to map additional groups and save the configuration. 

Summary of causes and solutions 

  • Missing group claim – Add a Group claim in the SAML attribute mapping. 

  • User not in the expected group – Check group memberships and assign users to the correct security group. 

  • No group exists – Create a new security group in Azure AD and assign users. 

  • Group not linked to an access profile – Map the group (using its Object ID) to an Access Control Profile in Prolaborate. 
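
To separate these causes when working a ticket, the decoded SAML response captured from the failing login can be checked against the group mappings entered in Prolaborate. The script below is an added example, not Prolaborate or Microsoft code; it assumes Azure AD's default group claim name, a constructed sample assertion with a made-up Object ID, and a hypothetical `profile_map` dictionary standing in for the SAML Group → Access Control Profile entries. It does not validate the assertion's signature.

```python
import re
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumption: Azure AD's default group claim name; use the name set in Attribute Mapping.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OBJECT_ID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def group_claims(saml_xml, claim_name=GROUP_CLAIM):
    """Return the group values carried in the assertion's group claim."""
    if "<!DOCTYPE" in saml_xml or "<!ENTITY" in saml_xml:
        raise ValueError("refusing XML with a DTD")  # never expected in SAML
    root = ET.fromstring(saml_xml)
    values = []
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        if attr.get("Name") == claim_name:
            for v in attr.iter(f"{{{ASSERTION_NS}}}AttributeValue"):
                if v.text and v.text.strip():
                    values.append(v.text.strip().lower())
    return values


def diagnose(saml_xml, profile_map):
    """profile_map (hypothetical): SAML Group field -> Access Control Profile name."""
    findings = []
    for key in profile_map:
        if not OBJECT_ID.fullmatch(key):
            findings.append(f"mapping '{key}' is a group name, not an Object ID")
    groups = group_claims(saml_xml)
    mapped = {k.lower() for k in profile_map}
    if not groups:
        findings.append("no group claim in assertion (claim missing or user in no group)")
    elif not mapped.intersection(groups):
        findings.append("no asserted group is linked to an Access Control Profile")
    return findings


# Constructed sample: a trimmed assertion with one group Object ID (made-up GUID).
SAMPLE = f"""<saml:Assertion xmlns:saml="{ASSERTION_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUP_CLAIM}">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, {"Prolaborate-Editors": "Editors"}))
    print(diagnose(SAMPLE, {"11111111-2222-3333-4444-555555555555": "Editors"}))
```

An empty result means the assertion carries a group that is mapped by Object ID, so the remaining place to look is the Access Control Profile itself.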

5. Known issue – AD user selection checkbox not greyed out 

In Prolaborate versions 5.0–5.1, the checkbox used to select AD users in the repository does not automatically grey out once users have been added. The issue is resolved in version 5.3 and later. To fix this problem, upgrade to the latest version using the installer provided by support. 

6. Known issue – “Unable to save changes” error when adding AD users 

In versions 5.0–5.2, clicking Back after adding an AD user in the repository can trigger an “Unable to save changes” error. The bug (ID Prol‑Bug3029) was resolved in version 5.3. Upgrading to version 5.3 or later eliminates this error. 

7. Known issue – AD users unable to log in after switching licenses 

After changing the license type from Large Teams to Growing Teams, some customers reported that AD users can no longer log in. This happens because the Active Directory page becomes inaccessible in the Growing Teams license, preventing administrators from updating the server details on the AD SSO page. Existing users may still log in using cached credentials, but no new users can be authenticated. To resolve the issue, customers must purchase the Active Directory Add‑on and update the server details on the AD SSO page. 

8. Notes on consistency and potential conflicts 

The documents largely complement one another and focus on distinct problem areas (authentication, certificate management, group mappings, and known bugs). There are no direct contradictions; however, two related points should be considered: 

  • Both the invalid‑credential FAQ and the published login FAQ emphasise that login depends on the username field in AD. Updating this field to include the email domain allows users to sign in using their full email address. 

  • The published FAQ also identifies a bug where users who are members of multiple identically named groups experience login failures, which was fixed in version 5.4. This is not a contradiction but an additional edge case to be aware of. 

This consolidated guide can be integrated into a knowledge base or automated response system to assist customers in troubleshooting Active Directory and SAML SSO issues with Prolaborate. 
