If you or your team members are having trouble logging into AI Studios using SAML SSO, the issue is typically related to a misconfiguration in your Identity Provider (IdP) settings. This guide will walk you through the most common causes and how to resolve them.
Confirm You’re Using SAML SSO
AI Studios supports SAML 2.0-based SSO. Other protocols like OAuth or OpenID are not supported.
To use SSO, your company must have:
A SAML-compatible Identity Provider (e.g., Okta, Microsoft Entra ID / Azure AD)
A properly configured SAML application
If you're unsure whether your workspace is using SSO, contact your IT team or workspace administrator.
Common Issues and How to Fix Them
1. IdP login account and AI Studios login email do not exactly match (case sensitive)
• When logging in through MS Entra ID, a Unique User Identifier value is passed to AI Studios • This value must exactly match (including case sensitivity) the login email in AI Studios
How to fix it
Case 1. Change the specified value in Unique User Identifier
Change Unique User Identifier to user.displayname
Set each user's Display name to exactly match (including case sensitivity) their AI Studios login email
Guide to changing the unique user identifier in Microsoft Entra ID
Guide to changing the unique user identifier in Microsoft Entra ID
Step 1: Go to Attributes & Claims for your AI Studios app in Microsoft Entra ID.
Locate the row for the Unique User Identifier and click Edit.
Step 2: On the editing page, find the Unique User Identifier field again.
Click the three-dot menu on the right side of that row.
Step 3: In the Manage Claim menu, look for the Source attribute text box.
It’s likely set to user.userprincipalname by default. Change this value to:
user.displayname
Step 5: Click Save.
Step 6: Make sure every user has their AI Studios login email set as their display name.
Case 2. Configure to pass Unique User Identifier in lowercase !! Prerequisite !!
This method is only possible when the User principal name matches the AI Studios login email exactly, with only case differences
Set Transformation to ToLowercase(user.userprincipalname)
Guide to managing transformation in Microsoft Entra ID
Guide to managing transformation in Microsoft Entra ID
Step 1: Go to Attributes & Claims for your AI Studios app in Microsoft Entra ID.
Locate the row for the Unique User Identifier and click Edit.
Step 2: On the editing page, find the Unique User Identifier field again.
Click the three-dot menu on the right side of that row.
Step 3: Change the Source setting to Transformation. It’s set to Attribute by default.
Step 4: In the Manage Transformation menu, set the Transformation as ToLowercase() .
Step 5: Set Parameter 1 as attribute. Then, select user.userprincipalname under the Attribute Name menu.
Step 6: Save and double check this transportation is saved correctly under the Unique User Identifier. It should be displayed as ToLowercase (user.userprincipalname)
2. Your Workspace Setup Is Incomplete
If your SSO login link doesn’t work, the workspace’s SSO configuration may be incomplete or inactive.
How to fix it
The workspace administrator should:
Go to AI Studios Dashboard → Settings → SSO Settings
Confirm all IdP fields are filled in
Make sure the SSO toggle is turned on
Verify that ACS URL and Entity ID were correctly copied into the IdP
3. Incorrect IdP Details or Certificate
SSO may fail if any of the following is incorrect:
SSO Login URL
IdP Issuer
X.509 Certificate
Certificate expiration
How to fix it
Double-check your Identity Provider configuration against the fields provided in AI Studios:
ACS URL / Callback URL
Audience URI / SP Entity ID
X.509 Certificate
Still Need Help?
If you've verified all of the above and SSO still isn’t working:
Take a screenshot of your IdP’s SAML configuration
Note the email address used during login
Contact your dedicated account manger with the details
We'll help you troubleshoot from there.