Common sign-in issues

User account has been locked from too many failed sign-in attempts.

Cause: The account you are signing into is configured for password authentication and has been locked due to repeated incorrect sign-in attempts.

Remediation: Contact your runZero administrator and have them follow these steps:

  1. In the runZero console, visit the Team page.
  2. Select the locked account.
  3. Use the “Unlock user accounts” option in the “Reset” dropdown menu.

If contacting an administrator is not an option, please reach out to support@runzero.com.

Certificate information for single sign-on has expired and must be updated in order to sign in

Cause: The SAML certificate configured for the target runZero tenant has expired.

Remediation:

  1. Acquire a new valid certificate from your identity provider (for example, Okta, Google Workspace, etc.).
  2. Sign into runZero using a superuser account that is configured for link-based or password-based authentication.
  3. Paste the new certificate contents into the “Certificate” field of the Identity provider settings page.
     • The “Certificate” field can be found by navigating to the Team page in the product, then clicking the “SSO settings” button in the page header.

If you are the administrator for your account and are unable to sign in at all, please contact support@runzero.com and provide the required certificate for further assistance.

Invalid SAML response

Cause: The data that your identity provider sent to the runZero console was in an invalid format.

Remediation: Review the SAML configuration in your identity provider (for example, Okta, Google Workspace, etc.).

The information provided by your identity provider was incomplete or not valid.

Cause: The data that your identity provider sent to the runZero console did not include one or more required assertion elements. Required elements are Subject and NameID.

Remediation: Review the configuration of your identity provider to ensure it’s configured to send a valid Subject and NameID to the runZero console.

The email address {email address} is already in-use by an existing user account.

Cause: The email address provided by the SSO identity provider already exists in a different tenant in the runZero console.

Remediation: Change the email address of the existing runZero account or delete the existing runZero account. There are a few possible ways to fix this:

  • Sign into the runZero console with the email address mentioned in the error message and change the associated email address to something different.
  • Contact the administrators of the tenant where your email address is registered and request that they delete your account from the Team page.
  • Contact runZero support via email at support@runzero.com and request that they delete your existing account.

Once the email address is no longer in use, you will be able to sign in with SSO.

The identity provider has provided an invalid NameID

Cause: Your SSO identity provider (for example, Okta, Google Workspace, etc.) has provided the runZero console with a NameID attribute that is not formatted like an email address. The runZero console uses this attribute as your email address in the product.

Remediation: Review the configuration of your identity provider and ensure it is configured to provide an email address in the NameID attribute, or contact your administrators to do so.
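
When reviewing the identity provider configuration for the "incomplete or not valid" and "invalid NameID" errors above, it can help to inspect the SAMLResponse your identity provider actually sends. The following is an added example, not runZero code: it checks a base64-encoded SAMLResponse for the Subject and NameID elements and for an email-shaped NameID. The function name, the email pattern, and the sample responses are assumptions made for illustration, and the script does not verify signatures or handle encrypted assertions.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Loose "looks like an email" check. This pattern is an assumption; the exact
# rule the runZero console applies is not documented on this page.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def diagnose_saml_response(b64_response):
    """Return a list of problems found in a base64-encoded SAMLResponse."""
    try:
        root = ET.fromstring(base64.b64decode(b64_response))
    except (ValueError, ET.ParseError) as exc:
        return [f"response is not valid base64-encoded XML: {exc}"]
    assertion = root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return ["no Assertion element (it may be encrypted or missing)"]
    subject = assertion.find("saml:Subject", SAML_NS)
    if subject is None:
        return ["Assertion has no Subject element"]
    name_id = subject.find("saml:NameID", SAML_NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        return ["Subject has no NameID value"]
    if not EMAIL_RE.match(value):
        return [f"NameID {value!r} is not formatted like an email address"]
    return []


def _sample(name_id_xml):
    # Constructed sample Response; not captured from a real identity provider.
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Assertion><saml:Subject>{name_id_xml}</saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


GOOD = _sample("<saml:NameID>alice@example.com</saml:NameID>")
BAD_FORMAT = _sample("<saml:NameID>alice</saml:NameID>")
NO_NAMEID = _sample("")

if __name__ == "__main__":
    for label, resp in [("good", GOOD), ("bad", BAD_FORMAT), ("none", NO_NAMEID)]:
        print(label, diagnose_saml_response(resp) or "OK")
```
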
