Login Issues
This page covers common login and authentication problems across all Prism portals and how to resolve them.
"Authentication Required" Screen
Problem: You see an "Authentication Required" or generic login screen instead of being redirected to your identity provider.
Cause: You are not using the correct organization Prism URL, or you have not completed the authentication flow.
Solution:
- Navigate to your organization's Prism URL (e.g.,
https://yourcompany.prism.cloudkeeper.com). - Authenticate using SSO or username and password.
- After authentication, you are redirected to the application selection screen. Click the portal you want to access (Admin Portal, JIT Portal, or CloudTrail).
- If you do not know your organization's Prism URL, contact your administrator.
SSO Redirect Loop
Problem: Your browser continuously redirects between Prism and your identity provider without completing login, or you see an error about too many redirects.
Cause: This typically occurs due to a misconfigured identity provider, expired browser cookies conflicting with the SSO flow, or mismatched redirect URIs.
Solution:
- Clear your browser cookies and cached data for both the Prism domain and your identity provider domain.
- Close all browser tabs and try logging in again in a fresh browser window or incognito/private mode.
- If the problem persists, verify the identity provider configuration in the Admin Portal under Identity Providers:
- Check that the redirect/callback URLs in your IdP match the ones expected by Prism.
- Verify the Client ID and Client Secret are correct.
- See SSO Configuration Issues for provider-specific troubleshooting.
"Access Denied" After Login
Problem: You successfully authenticate with your identity provider but see an "Access Denied" error when redirected back to Prism.
Cause: Your user account has not been provisioned in Prism. Authenticating with your IdP does not automatically create a user in Prism unless SCIM provisioning is configured.
Solution:
- Contact your organization's Prism administrator and ask them to:
- Create your user account in the Admin Portal under Users.
- Or configure SCIM provisioning to automatically sync users from your identity provider (Preferences > SCIM).
- If SCIM is already configured, verify that your user account exists and is active in your identity provider.
- Check that your user is assigned to the correct groups in the IdP that are being synced to Prism.
Password Login Fails at /init
Problem: You are trying to log in to the Admin Portal at /init using username and password, but authentication fails.
Cause: Incorrect credentials, the account may be locked after too many failed attempts, or the account does not have password-based login enabled.
Solution:
- Verify that you are entering the correct username and password. Usernames are case-sensitive.
- If you have forgotten your password, contact your Prism administrator or CloudKeeper support to reset it.
- If your account has been locked due to repeated failed login attempts, wait for the lockout period to expire or contact your administrator to unlock the account.
- The
/initlogin is for the Super Admin account created during initial onboarding. If your organization uses SSO, navigate to the main organization Prism URL instead and log in through your identity provider.
Mobile Access Blocked
Problem: You cannot access the Admin Portal from a mobile device, or the interface does not display correctly on mobile.
Cause: The Admin Portal is designed for desktop browsers and does not support mobile access. The JIT Portal, however, is accessible from mobile devices.
Solution:
- For the Admin Portal, use a desktop or laptop computer with a modern browser (Chrome, Firefox, Safari, or Edge).
- For the JIT Portal, mobile access is supported. If you are having issues on mobile:
- Ensure you are using a modern mobile browser (Chrome or Safari).
- Try clearing your mobile browser cache.
- Ensure you are using the correct organization Prism URL.
- The CloudTrail is also designed for desktop use.
Token Expired / Session Timeout
Problem: You are logged in but suddenly see a session expired message, or you are redirected to the login page while working.
Cause: Your authentication session has timed out due to inactivity or the session token has expired.
Solution:
- Log in again by navigating to the appropriate portal URL. Your session will be re-established.
- If sessions are expiring too quickly, contact your administrator. Session duration may be configurable at the identity provider level.
- Avoid leaving the portal idle for extended periods. If you need to step away, save any work in progress before returning.
SSO Callback Error
Problem: After authenticating with your identity provider, you see an error page mentioning a callback failure, invalid state, or mismatched redirect URI.
Cause: The redirect/callback URIs configured in your identity provider do not match the URIs expected by Prism. This can also occur if you bookmarked an old or invalid login URL.
Solution:
- Do not use bookmarked login URLs. Navigate directly to the portal URL and let the SSO flow initiate naturally.
- If you are an administrator, verify the redirect URIs in your identity provider:
- Google OAuth: Check authorized redirect URIs in the Google Cloud Console.
- Microsoft OAuth: Check reply URLs in Azure AD app registration.
- Custom OIDC: Check redirect URIs in your OIDC provider configuration.
- The callback URLs must match exactly, including the protocol (
https://), domain, and path. - See SSO Configuration Issues for detailed provider-specific guidance.
Still Having Issues?
If none of the above solutions resolve your login problem:
- Check the SSO Configuration page for identity provider-specific issues.
- Verify your role and expected access level with your administrator.
- Contact your organization's Prism administrator with the exact error message and the URL you are trying to access.
- If you are an administrator, contact CloudKeeper support with your realm name and a description of the issue.