Access Management: Troubleshooting and Best Practices
The Access Management module of Tools4ever’s HelloID Identity and Access Management (IAM) solution ensures that authorized users receive the right access at the right time. The reliability of the integrations between HelloID and your applications is therefore critical. A set of best practices helps you safeguard this reliability and build a future-proof environment. In this article, we examine these best practices. We also cover troubleshooting applications and integrations so that you can quickly resolve any issues that may arise.
How should users sign in?
Several best practices help you optimize your HelloID environment and the associated integrations. If you are starting with HelloID Access Management, the first key question is how you want users to sign in to HelloID. Consider not only the current state of your organization, but also anticipate future plans. This enables you to configure the module for long-term viability.

In many cases organizations choose to sign in with Active Directory. If you plan to transition to Entra ID in the coming years, it may be advantageous to choose Entra ID as the sign-in method when configuring Access Management today. In that case multi-factor authentication (MFA) is handled by Entra ID rather than HelloID. This is beneficial because switching MFA or sign-in methods later requires considerable effort.
Which source system will you use?
Beyond the sign-in method, it is important to decide which source system you will use to load users. You can use a range of systems, from Active Directory and Entra ID to Google Workspace. You can also create users directly from HelloID Provisioning.
Again, anticipate future plans. The attribute set differs per source system; for example, it is much larger in Active Directory than in many other systems. This can introduce risk. If you pass specific Active Directory attributes when users sign in via Single Sign-On (SSO), the source system you plan to move to may not have those attributes and therefore cannot share them. This can cause issues with SSO integrations.
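An added example, not HelloID code or part of the original article: a pre-migration audit of the attribute risk described above, listing which SSO mappings depend on attributes the future source system does not offer. The attribute lists, application names and mappings are constructed sample data, and `audit_mappings` and `blocking_apps` are hypothetical helpers.

```python
# Constructed sample data (assumption): partial attribute lists per source system.
CURRENT_SOURCE = {  # Active Directory
    "sAMAccountName", "userPrincipalName", "mail",
    "employeeID", "extensionAttribute1", "department",
}
TARGET_SOURCE = {  # Entra ID
    "userPrincipalName", "mail", "employeeId", "department",
}

# Hypothetical SSO mappings: application -> {claim sent to the app: source attribute}.
SSO_MAPPINGS = {
    "hr-portal": {"NameID": "userPrincipalName", "email": "mail"},
    "legacy-erp": {"NameID": "sAMAccountName", "costcenter": "extensionAttribute1"},
    "timesheets": {"NameID": "mail", "staff_no": "employeeID"},
}


def audit_mappings(mappings, current, target):
    """Return {app: [(claim, attribute, status), ...]} for attributes at risk."""
    target_by_lower = {name.lower(): name for name in target}
    report = {}
    for app, claims in mappings.items():
        findings = []
        for claim, attr in sorted(claims.items()):
            if attr in target:
                continue  # survives the switch unchanged
            if attr not in current:
                status = "unknown-in-current-source"
            elif attr.lower() in target_by_lower:
                # Name matches apart from casing: likely the same attribute, remap it.
                status = "rename:" + target_by_lower[attr.lower()]
            else:
                status = "missing"
            findings.append((claim, attr, status))
        report[app] = findings
    return report


def blocking_apps(report):
    """Applications with an attribute that has no counterpart in the target."""
    return sorted(app for app, findings in report.items()
                  if any(not s.startswith("rename:") for _, _, s in findings))


if __name__ == "__main__":
    result = audit_mappings(SSO_MAPPINGS, CURRENT_SOURCE, TARGET_SOURCE)
    for app, findings in result.items():
        print(app, findings or "ok")
    print("must be fixed before switching:", blocking_apps(result))
```

Applications reported by `blocking_apps` need a replacement attribute agreed with the vendor before the source system changes; `rename:` findings only need the mapping updated.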

HelloID also supports multiple identity providers (IdPs). This allows you to synchronize users from Active Directory while signing in with another IdP such as Entra ID or Google Workspace.
Do you want to use a custom or white-label domain?
An important consideration when configuring HelloID Access Management is the domain name linked to your HelloID environment. Changing this domain name is complex and has a major impact on SSO. In most cases vendors must reconnect applications to HelloID. This not only requires effort, but can also take time. Changing domains can therefore cause SSO integrations to stop functioning until the vendor has made adjustments, which directly affects user workflows.

Decide up front whether you will use the default domain or a custom or white-label domain. By making this choice now, you can configure HelloID Access Management correctly from the start, so you do not need to change the domain later.
Troubleshooting applications
Even with a correctly configured HelloID Access Management environment, issues can occur. An application vendor may introduce changes that affect the integration with HelloID. Or a mistake may have slipped into a business rule. Troubleshooting application issues helps you identify the root cause so that you can fix it as quickly as possible.

Issues with web browsers, devices, or networks
In practice, many SSO integration issues trace back to the user’s web browser, device, or even network. Shared devices can create problems. Cookies from other accounts can disrupt SSO integrations. Sessions for the target application can also remain open if users do not sign out.
For troubleshooting application issues, first try signing in using a browser’s incognito or private mode. In this mode the browser does not store cookies and automatically terminates sessions when you close it. You start with a clean slate each time. If this resolves the problem, the issue is most likely related to the user’s browser.
Are the correct permissions assigned and are the required attributes available?
Another step is to check in HelloID whether the user has the correct permissions to open the application. Also verify that the attributes the application requires for user sign-in are available in your source system.
Issues with plugins
Are users experiencing issues with a plugin? Verify that users have correctly signed in with the plugin. At the start of a browsing session, users must first visit the SSO dashboard to allow plugins to sign in so that they function properly. It can be helpful to set the browser start page to the SSO dashboard so that it loads automatically when users open the browser.
Server-side issues
In some cases the root cause is not the user but the server. An example is an expired SSL certificate linked to an SSO application. Subscribe to certificate alerts through HelloID’s built-in incident system so you are notified automatically when certificates expire. Note: if your SSL certificate has expired, in many cases you must replace it together with the vendor or application administrator. Many applications do not automatically import the certificate when you change it in HelloID.
Make sure you do not lock yourself out
If you start working with access rules, be aware that small mistakes can have a big impact. If you change the wrong rule or remove a critical rule, you may lock yourself out. In that case contact our service desk. They can help you regain access to your HelloID environment so you can get back to work quickly.

Get started
Ready to get started with HelloID Access Management? You can find more information about the capabilities on our website. Do you have questions? Our experts are ready to help.