Error in WebUI "User user@domain.com is not authorized on this app"
ON-PREMISES
CLOUD (see at bottom)
Applies to Boston 2.0+
This article describes how to resolve the issue "User user@domain.com is not authorized on this app" when accessing the Boston WebUI.
Symptoms
When SSO is implemented, a user tries to authenticate with their credentials from their Office 365 tenant. The authentication succeeds, but the WebUI shows an error message with an exclamation icon stating that the user is not authorized on this app. The only option offered is to log out.
Moreover, logging out will not help: since SSO is activated, users from this Office 365 tenant will not be able to access the WebUI until this issue is solved.
Problem
This issue can happen in both the Cloud and On-premises versions of Boston.
This issue happens because the Tenant-ID is not properly set in the database for this Boston installation.
Tenant-ID is set during first logon and the process will take the Tenant-ID of the user logging on.
The error message looks similar to the screenshot below:
Note that user authentication is successful on the GSX Gizmo Enterprise app in Azure.
This issue can be solved by putting the correct Tenant-ID in the SQL Database.
Solution
Ensure you have the correct Tenant-ID from the customer. You can ask your customer directly to make sure you have the correct information.
Alternatively, you can ask your customer to refer to the article How to check Microsoft Azure AD tenant GUID (gsx.com) to fetch the Tenant ID, or check it yourself.
With SQL Management Studio, check the “tenantId” value in the JSON found in the table “WebUi_Configuration” from the Gizmo DB used by this customer. It should differ from the Tenant ID you got from your customer.
Note the old “tenantId” value (just in case you need to revert).
Replace only the old “tenantId” value with the correct one. Do not change anything else!
INTERNAL ONLY - For this last step (replace “tenantId”) you can refer to the article Single sign-on - Additional Tenant configuration - SW Development Documentation - Confluence (atlassian.net) but ONLY focus on the “tenantId”.
Once done, users from the correct Tenant ID should be able to log on without this error.
Ensure you save the previous Tenant ID in case it should be reverted.
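The replacement step as an added example (not Boston or GSX code): a Python helper that takes the JSON text copied from the table, checks that the new Tenant ID is a well-formed GUID, swaps only the “tenantId” value and returns the old value for rollback. The sample JSON layout, the GUIDs and the function names are assumptions made for illustration.

```python
import json
import uuid

KEY = "tenantId"  # key name as given in the article


def leaves(node, path=()):
    """Yield (path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from leaves(v, path + (i,))
    else:
        yield path, node


def replace_tenant_id(config_text, new_tenant_id):
    """Return (old_value, new_config_text) with only the tenantId value changed."""
    new_id = str(uuid.UUID(new_tenant_id))  # raises ValueError unless a GUID
    before = dict(leaves(json.loads(config_text)))
    hits = [p for p in before if p and p[-1] == KEY]
    if len(hits) != 1:
        raise ValueError(f"expected one {KEY!r} entry, found {len(hits)}")
    old_id = before[hits[0]]
    needle = json.dumps(old_id)
    if config_text.count(needle) != 1:
        raise ValueError("old value is not unique in the text; edit by hand")
    # Swap the quoted value in place so the rest of the text stays byte-identical.
    new_text = config_text.replace(needle, json.dumps(new_id))
    # Re-parse the result and confirm the tenantId path is the only difference.
    after = dict(leaves(json.loads(new_text)))
    changed = {p for p in before.keys() | after.keys()
               if before.get(p) != after.get(p)}
    if changed - {hits[0]}:
        raise RuntimeError(f"unexpected changes at {changed}")
    return old_id, new_text


# Constructed sample; the real JSON layout in WebUi_Configuration may differ.
SAMPLE = ('{"sso": {"enabled": true, "tenantId": '
          '"11111111-1111-1111-1111-111111111111"}, "title": "WebUI"}')

if __name__ == "__main__":
    old, new = replace_tenant_id(SAMPLE, "22222222-2222-2222-2222-222222222222")
    print("keep for rollback:", old)
    print(new)
```

The helper refuses to proceed if the JSON holds more than one “tenantId” entry or if the old value also appears elsewhere in the text, so an ambiguous configuration is edited by hand instead.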
CLOUD
If the issue occurs with Boston SaaS, please reach out to the IT Ops team to make the change. You should provide them with the correct Tenant ID. You can open such a ticket via ZenDesk.