Skip to content

Login & Access Issues

Use this diagnostic guide when users cannot sign in, lose access after password changes, encounter MFA failures, or receive permission errors after role updates. Work through symptoms in order — most login issues resolve at the identity or policy layer before requiring platform support.

#Before you begin

Collect the following from the affected user:

Information Why it matters
Tenant URL Confirms correct environment (prod vs. sandbox)
Username / email Identifies directory record
Exact error message Maps to known failure codes
Browser and device Detects cookie, extension, or mobile issues
Time of failure (with time zone) Correlates with maintenance or lockout windows
Recent changes Password reset, role change, MFA enrollment

#Symptom: Invalid credentials

#Diagnostic steps

  1. Confirm the user is on the correct tenant URL (not a stale bookmark).
  2. Verify Caps Lock and keyboard layout for password entry.
  3. Attempt Forgot Password and complete the reset flow.
  4. Tenant admin: open Administration > Users, locate the user, and check Status is Active.
  5. Review Failed sign-in attempts in audit logs for brute-force lockout.

#Resolution matrix

Observation Action
Account status Locked Admin unlocks user; user sets new password
Account status Disabled Re-enable user or confirm offboarding was intentional
Password reset email not received Check spam; verify email in user profile; test SMTP
Still failing after reset Clear browser cache; try incognito window
Error persists across devices Escalate — possible identity provider misconfiguration

#Symptom: MFA verification failed

#Diagnostic steps

  1. Confirm device clock is synchronized (TOTP codes are time-sensitive).
  2. User enters the current 6-digit code — wait for code rotation if rejected once.
  3. Admin verifies MFA is Required for the user's role in Security Policies.
  4. If device lost: admin resets MFA enrollment after identity verification.
  5. For SMS MFA: confirm mobile number in user profile and carrier delivery.

#Resolution matrix

Observation Action
"Invalid code" repeatedly Resync device time; re-enroll authenticator
New phone, old authenticator Admin resets MFA; user scans new QR code
SMS not delivered Switch to authenticator app; verify SMS gateway config
MFA loop after SSO Check IdP claim mapping; confirm SSO MFA policy alignment

#Symptom: SSO / federated login redirect loop

#Diagnostic steps

  1. Confirm SSO is enabled in Administration > Identity > SSO Configuration.
  2. Verify IdP metadata (entity ID, certificate expiry, redirect URLs).
  3. Test with a non-SSO break-glass admin account to isolate IdP vs. platform.
  4. Inspect browser network tab for 401/403 on callback URL.
  5. Compare IdP group claims to EGKits role mappings.

#Resolution matrix

Observation Action
Certificate expired Upload renewed IdP certificate
Redirect URI mismatch Update allowed callback URLs in IdP and EGKits
User provisioned but no roles Map IdP groups to EGKits roles
Loop only for one user Check IdP account linking / duplicate emails

#Symptom: Signed in but missing menus or "Access denied"

#Diagnostic steps

  1. Confirm user is assigned at least one Role with module permissions.
  2. Verify required Module is enabled at tenant level.
  3. Check Branch / site scope — user may lack access to current branch context.
  4. Review recent role changes in Audit Trail.
  5. User signs out and back in to refresh permission cache.

#Resolution matrix

Observation Action
Module not in Apps menu Enable module; assign module view permission
Can view but not create Add create/approve permission to role
Branch-restricted data empty Assign user to correct branch or grant cross-branch access
Worked yesterday, not today Check if admin revoked role or module was disabled

#Symptom: Session expired or frequent logouts

#Diagnostic steps

  1. Review Session timeout in Administration > Security Policies.
  2. Check for multiple tabs on different tenants causing token conflict.
  3. Verify corporate proxy or VPN is not stripping cookies.
  4. Confirm browser allows third-party cookies if using embedded iframe flows.

#Resolution matrix

Observation Action
Timeout after fixed idle period Expected behavior — adjust policy if business requires
Immediate logout on navigation Clear cookies; disable conflicting browser extensions
Mobile app session drops Update app; confirm background refresh token policy

#Platform maintenance and outages

Indicator User action
Maintenance banner on sign-in page Wait for window to complete; follow status page
503 / service unavailable Retry after 5 minutes; contact support if prolonged
Regional DNS failure Verify status with IT; try alternate network

#Escalation checklist

When opening a support ticket, include:

  1. Tenant URL and affected username (never send passwords).
  2. Screenshot or exact text of error message.
  3. Timestamp with time zone.
  4. Steps already attempted from this guide.
  5. Audit trail correlation ID if displayed.

Reconnecting to the server…

Please wait, or reload the page.