Login & Access Issues
Use this diagnostic guide when users cannot sign in, lose access after password changes, encounter MFA failures, or receive permission errors after role updates. Work through symptoms in order — most login issues resolve at the identity or policy layer before requiring platform support.
#Before you begin
Collect the following from the affected user:
| Information |
Why it matters |
| Tenant URL |
Confirms correct environment (prod vs. sandbox) |
| Username / email |
Identifies directory record |
| Exact error message |
Maps to known failure codes |
| Browser and device |
Detects cookie, extension, or mobile issues |
| Time of failure (with time zone) |
Correlates with maintenance or lockout windows |
| Recent changes |
Password reset, role change, MFA enrollment |
#Symptom: Invalid credentials
#Diagnostic steps
- Confirm the user is on the correct tenant URL (not a stale bookmark).
- Verify Caps Lock and keyboard layout for password entry.
- Attempt Forgot Password and complete the reset flow.
- Tenant admin: open Administration > Users, locate the user, and check Status is Active.
- Review Failed sign-in attempts in audit logs for brute-force lockout.
#Resolution matrix
| Observation |
Action |
| Account status Locked |
Admin unlocks user; user sets new password |
| Account status Disabled |
Re-enable user or confirm offboarding was intentional |
| Password reset email not received |
Check spam; verify email in user profile; test SMTP |
| Still failing after reset |
Clear browser cache; try incognito window |
| Error persists across devices |
Escalate — possible identity provider misconfiguration |
#Symptom: MFA verification failed
#Diagnostic steps
- Confirm device clock is synchronized (TOTP codes are time-sensitive).
- User enters the current 6-digit code — wait for code rotation if rejected once.
- Admin verifies MFA is Required for the user's role in Security Policies.
- If device lost: admin resets MFA enrollment after identity verification.
- For SMS MFA: confirm mobile number in user profile and carrier delivery.
#Resolution matrix
| Observation |
Action |
| "Invalid code" repeatedly |
Resync device time; re-enroll authenticator |
| New phone, old authenticator |
Admin resets MFA; user scans new QR code |
| SMS not delivered |
Switch to authenticator app; verify SMS gateway config |
| MFA loop after SSO |
Check IdP claim mapping; confirm SSO MFA policy alignment |
#Symptom: SSO / federated login redirect loop
#Diagnostic steps
- Confirm SSO is enabled in Administration > Identity > SSO Configuration.
- Verify IdP metadata (entity ID, certificate expiry, redirect URLs).
- Test with a non-SSO break-glass admin account to isolate IdP vs. platform.
- Inspect browser network tab for 401/403 on callback URL.
- Compare IdP group claims to EGKits role mappings.
#Resolution matrix
| Observation |
Action |
| Certificate expired |
Upload renewed IdP certificate |
| Redirect URI mismatch |
Update allowed callback URLs in IdP and EGKits |
| User provisioned but no roles |
Map IdP groups to EGKits roles |
| Loop only for one user |
Check IdP account linking / duplicate emails |
#Diagnostic steps
- Confirm user is assigned at least one Role with module permissions.
- Verify required Module is enabled at tenant level.
- Check Branch / site scope — user may lack access to current branch context.
- Review recent role changes in Audit Trail.
- User signs out and back in to refresh permission cache.
#Resolution matrix
| Observation |
Action |
| Module not in Apps menu |
Enable module; assign module view permission |
| Can view but not create |
Add create/approve permission to role |
| Branch-restricted data empty |
Assign user to correct branch or grant cross-branch access |
| Worked yesterday, not today |
Check if admin revoked role or module was disabled |
#Symptom: Session expired or frequent logouts
#Diagnostic steps
- Review Session timeout in Administration > Security Policies.
- Check for multiple tabs on different tenants causing token conflict.
- Verify corporate proxy or VPN is not stripping cookies.
- Confirm browser allows third-party cookies if using embedded iframe flows.
#Resolution matrix
| Observation |
Action |
| Timeout after fixed idle period |
Expected behavior — adjust policy if business requires |
| Immediate logout on navigation |
Clear cookies; disable conflicting browser extensions |
| Mobile app session drops |
Update app; confirm background refresh token policy |
#Platform maintenance and outages
| Indicator |
User action |
| Maintenance banner on sign-in page |
Wait for window to complete; follow status page |
| 503 / service unavailable |
Retry after 5 minutes; contact support if prolonged |
| Regional DNS failure |
Verify status with IT; try alternate network |
#Escalation checklist
When opening a support ticket, include:
- Tenant URL and affected username (never send passwords).
- Screenshot or exact text of error message.
- Timestamp with time zone.
- Steps already attempted from this guide.
- Audit trail correlation ID if displayed.