Multipass Single Sign-On (SSO) Troubleshooting
Last Updated -
We have Multipass examples in 9 languages to help you troubleshoot sign-on issues. Compare the encryption logic in your script to any of these examples to ensure the correct order is in place. Run the PHP example to generate a Multipass string and perform a manual login. Here are the steps:
- Replace SUBDOMAIN with your account name and omit the Desk domain.
- Replace API_KEY with the generated key in the Desk admin.
- Place these at the bottom of the example to output the Multipass string.
- Run the example by browsing to it.
- Browse to: http://yoursubdomain.desk.com/customer/authentication/multipass/callback?multipass=MULTIPASS, replacing MULTIPASS with the string generated in Step 4.
Multipass Error Messages
The system log is where you find errors related to the Multipass Single Sign-On (SSO). The system log is accessible from the Desk admin.
Multipass Signature Verification Failed
This error message occurs when a Multipass Signature redirects the user to the Callback URL and the system can't verify the Signature. The issue can be resolved by correcting the Multipass or Site Key.
- Multipass Key
- The Multipass Key needs to be generated in the Desk admin on the Private Access settings page. If at anytime a new key is generated then all Multipass scripts in use must be updated to use the new key.
- Site Key
- The Site Key is your Desk account name which is the subdomain you choose when creating your Desk site. You must omit the '.desk.com' and the 'https://' from this variable in the Multipass script.
Multipass Token Decryption Failure
Occurs when AES decryption fails. Please ensure the encryption process follows these criteria:
Double XOR first block.
Pad using a block size of 16 bytes. The $iv can be anything you want, as long as it is 128 bits (16 bytes). It is also more secure to use a random IV.
Encrypt using AES128-cbc
Base64 encode the encrypted data
Convert encoded data to the URL safe variant
Multipass Token Has Expired
Occurs when a login attempt is made after the time has passed the expires setting in the Multipass hash. It is a security measure to prevent replaying a login attempt.
- If the user is coming from your application you should generate the Callback URL when the user clicks on the help link to navigate to the support center. This ensures the user doesn't attempt to authenticate after the expires key has become invalid.
- We use the (Time.now + 120).iso8601 Ruby function which produces a timestamp of 2016-01-04T16:46:27-05:00 which is the ISO 8601 standard.
- Verify that your server clock is correct. For example, if it’s off by 10 minutes and you've set your timeout to 5 mins, it would always be ‘expired.'
Multipass Fields Missing
Occurs when one or more of the required keys is left empty in the Multipass hash. The required keys are the uid, expires, customer_email, and customer_name as outlined in the Multipass SSO documentation.
Multipass Data Is Invalid
Occurs when an invalid value is passed into one of the keys in the Multipass hash:
- A unique string composed of alphanumeric characters. This is the unique identifier of the user in your system, such as their GUID or auto-incremented ID.
- Multipass expiration date in the ISO 8601 standard. This is for security purposes to expire the hash after a given period of time.
- Requires a valid email format.
- If you've gotten this far I think you can figure this one out ;-).