Skip to main content

Troubleshooting User Access Issues

How to resolve user access issues with Okta SSO, Microsoft SSO and SCIM.

Troubleshooting User Access Issues

This article helps you resolve common SSO (single sign-on) login and SCIM issues in Hook, including login loops, unexpected verification prompts, SCIM provisioning failures, and users not appearing in Hook after being provisioned through Okta or Microsoft Entra ID.

If you haven't set up your SSO integration yet, see our setup guides for Okta and Microsoft Azure before working through this guide.

Related Articles

Common User Access Issues

The most common SSO and SCIM user access issues are listed below

  • Incorrect redirect URIs or initiate login URIs in your identity provider configuration

  • Missing or incorrectly scoped OAuth permissions in Okta

  • Misconfigured Microsoft Entra ID (Azure AD) app registration settings

  • SCIM endpoint URL or token entered incorrectly in your identity provider

  • Users assigned to the app in your identity provider but not yet synced to Hook

  • A browser session conflict causing a redirect loop

  • The Okta "Verify with Okta" prompt appearing due to an incomplete or conflicting app configuration

How to Fix User Access Issues

SSO login loop (user is redirected repeatedly without logging in)

Problem:
You attempt to log in via SSO and are repeatedly redirected between Hook and your identity provider without ever reaching the app.

Why it happens:
This is usually caused by a misconfigured redirect URI or initiated login URI in your identity provider, or a stale browser session conflicting with the login flow.

Steps to fix:

  1. Clear your browser cookies and cache, or try logging in from a private/incognito window.

  2. Log in to your identity provider (Okta or Microsoft Entra ID) and open your Hook app configuration.

  3. For Okta: navigate to Applications → Your OIDC App → General Settings and confirm the following values are set exactly as shown:

  4. For Microsoft Entra ID: navigate to App registrations → Your Hook app → Authentication and confirm the redirect URI is set to https://hook.eu.auth0.com/login/callback with the platform type set to Web.

  5. Save any changes and ask the affected user to try logging in again from a fresh browser session.

  6. If the issue persists, contact Hook support at [email protected] and share any error codes shown in the browser URL bar during the loop.

"Verify with Okta" prompt blocking the Hook UI

Problem:
After authenticating, users see a "Verify with Okta" screen that doesn't resolve, preventing them from reaching Hook.

Why it happens:
This typically occurs when the Okta app is missing required scopes, or when there is a conflict between the app's sign-on policy and the OAuth configuration.

Steps to fix:

  1. In Okta, navigate to Applications → Your OIDC App → Okta API Scopes.

  2. Confirm that all of the following scopes are granted:

    • openid

    • email

    • profile

    • okta.emailDomains.read

    • okta.users.read

  3. Navigate to Security → Authentication Policies in Okta and check that the policy applied to your Hook app does not require an additional verification step beyond the initial Okta login.

  4. If you recently changed the app's sign-on policy, allow a few minutes for the change to propagate, then ask the user to try again in a new browser session.

  5. If the prompt still appears, contact Hook support with the name of the authentication policy applied to the app so we can investigate further.

Microsoft Entra ID: users unable to log in after app registration

Problem:
Users set up through Microsoft Entra ID (formerly Azure AD) receive an error or cannot authenticate when attempting to access Hook via SSO.

Why it happens:
This is often caused by the app registration being set to the wrong account type, a missing client secret, or an incorrectly configured redirect URI.

Steps to fix:

  1. In the Azure portal, navigate to App registrations and open your Hook app.

  2. Go to Authentication and confirm:

  3. Go to Certificates & secrets and confirm a valid client secret exists and has not expired. If it has expired, create a new one and make a note of the value immediately — it cannot be retrieved later.

  4. Go to Overview → Supported account types and confirm the app is set to Accounts in this organizational directory only (Single tenant).

  5. Share any updated client secret values with Hook support at [email protected] so we can update the configuration on our end.

SCIM provisioning: users not appearing in Hook after being assigned in your identity provider

Problem:
You have assigned users to Hook in Okta or Microsoft Entra ID, but those users do not appear in Hook and cannot log in.

Why it happens:
This is usually caused by an incorrect SCIM endpoint URL, an invalid bearer token, or a provisioning sync that has not yet run.

Steps to fix:

  1. In your identity provider, navigate to the provisioning settings for your Hook app.

  2. Confirm the SCIM connector base URL and bearer token match exactly what was provided by Hook during setup. Even a small difference (such as a trailing slash) will cause provisioning to fail.

  3. In Okta, navigate to Applications → Your App → Provisioning → Integration and click Test Connector Configuration to check whether Okta can reach the Hook SCIM endpoint successfully.

  4. In Microsoft Entra ID, navigate to Enterprise applications → Your Hook app → Provisioning → Provisioning logs to view any sync errors.

  5. If the test fails or logs show errors, contact Hook support and share the error message. We will verify the endpoint configuration on our side and issue a new token if needed.

  6. If the test passes but users still aren't appearing, trigger a manual sync:

    • Okta: Go to Provisioning → Push Groups or Assignments and push the user manually.

    • Microsoft Entra ID: Go to Provisioning → Provision on demand and enter the user's details to force an immediate sync.

  7. Allow up to 10 minutes after a successful sync for the user to appear in Hook.

Provisioned users appear in Hook but cannot log in via SSO

Problem:
A user exists in Hook (you can see them in the user list) but they receive an error or are unable to authenticate when they try to log in.

Why it happens:
This can happen when the email address in Hook does not exactly match the email address used by the identity provider, or when the user's Hook account was created manually before SSO was configured.

Steps to fix:

  1. In Hook, navigate to your organisation's user settings and locate the affected user.

  2. Confirm that the email address shown in Hook exactly matches the email address used to authenticate in Okta or Microsoft (including capitalisation and domain).

  3. If they don't match, update the email address in your CRM (e.g. HubSpot, Salesforce) to match the identity provider. Reach out to [email protected] if you run into issues.

  4. Ask the user to clear their browser cache and try logging in again via the SSO flow.

  5. If the issue continues, contact Hook support at [email protected] and provide the user's email address and the identity provider being used.

Cannot add or delete users via SCIM

SCIM allows your identity provider to manage certain user attributes in Hook automatically but not add or delete users. Here's a quick reference for what is and isn't supported.

What can be done via SCIM

  • Updating user roles — change whether a user is a Manager, Technical Admin, Member, etc.

  • Updating management hierarchy — control who manages whom in Hook, which determines what each person sees in the Team Overview.

  • Deactivating and reactivating users — suspend or restore access without removing the user's data from Hook.

What can't be done via SCIM

  • Adding new users to Hook — new users must be added to your CRM. SCIM alone cannot create net-new Hook users.

  • Permanently deleting users from Hook — deactivation is supported, but full deletion must also be handled through the users in your CRM.

Speak to [email protected] for further details on your organisation's set up.

What if I need to add a user who doesn't have an account in our organisation's CRM?

This is possible, but it needs to be handled by the Hook team. To get this done, share the name(s) and email address(es) of the individuals with us at [email protected].

Who should I contact if none of these steps resolve the issue?

Reach out to Hook support at [email protected] with the following information to help us investigate quickly:

  • The identity provider you're using (Okta or Microsoft Entra ID)

  • The symptom you're experiencing (e.g. login loop, SCIM failure, user not appearing)

  • Any error messages or codes shown in the browser or your identity provider's logs

  • The email address of any affected users

Did this answer your question?