Hello Team,
We are encountering an issue while trying to log in via SSO using Microsoft Azure AD on our CHT instance (v4.20.0).
When attempting to log in with SSO, users see the error message:
On the backend, the logs show:
'content-type': 'application/json',
date: 'Thu, 19 Jun 2025 10:48:29 GMT',
server: 'CouchDB/3.4.2 (Erlang OTP/25)',
'www-authenticate': 'Basic realm="administrator"',
'x-couch-request-id': '35cf70c0f7',
'x-couchdb-body-time': '0'
},
ok: false
}
}
2025-06-19T10:48:29.390 ERROR: Error logging in via SSO: Error: Error getting authCtx
at unauthorizedError (/service/api/src/controllers/login.js:202:17)
at getUserCtxRetry (/service/api/src/controllers/login.js:294:11)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
at async oidcLogin (/service/api/src/controllers/login.js:571:23) {
[stack]: [Getter/Setter],
[message]: 'Error getting authCtx',
status: 401
}
2025-06-19T10:48:29.391 RES: 8f2e1a6645a6 10.17.8.66 - GET /medic/login/oidc?code=1.ATAANFOKnnxJik2nl3mXz4zHY8vQmoofaetKvjiScJHD9g9DAQAwAA.AgABBAIAAABVrSpeuWamRam2jAF1XRQEAwDs_wUA9P-W5ULZ0dSxt4hV0zlJ_82hOSA5BlzS8ldHwK6SKhGKpA5yS_i6_v_g_Sd5cQBA3dzsQOGyoaVkSxgVaKlzYe06TxMWxjkxlnIWBsXsXlf0Ae8_97a6BBsnY9MyTQ6BMVRkOBAgQGv9CFlY7zG1zI4TdPt8S8AyE8n_W-rXsR8zONjnHQ9d4L80inPitHDAWBjVk0kZGiZPQDn0MysV8xxfuBxdilVPZP-RCS-647ZzgCbCrf5GLGJJik8gQJ18T09r6P9Kk6q0DhPrpQrzn1I-l88xoFgQNReoxPB5ak5x8rbGLVR0o4zmXaXtXWu8mtB9A7FS5xzdLwK2-lYFv3Fv6A4KwavvbJKYZfKvljywfuKuMOrm6c0am6VsZ-I_58N01O94CmBG_o-5onhAJ8A43hromImvu-n9vod2au-9H_L-gXR-wBWN33Xc2c214MYIMFzVUTlfOFZar1hyQZRZgGgMNgMLuu9xAw4atDnbqVum5YvIi2zcDalaNcYfxWB32_1J0-90PWFu7sl436EWoDjDhVw_Ckk201lNLuAoOvyqbA8t4w0N7jPmoCzDOGCAmW_c2zlEy1yuPijXEvzFE0iWdgs9tKgZX5GOecJBzUBiaFHA2PErMaemjukhIqCpC_N5fCRfE0J_LuIebfxnmMXd_xc57sC31lIZVDA3wc_a3idfMAnjYpx1NdoU4EFBNIlw3HCKCU2lsLDexGnrF_Zyl1Y&session_state=005e7b99-7f1a-5b60-f01f-2d45bffd54b5 HTTP/1.1 302 66 561.168 ms
2025-06-19T10:48:29.578 REQ: b4eed8429d5e 10.17.8.66 - GET /medic/login?sso_error=ssouserinvalid HTTP/1.1
2025-06-19T10:48:29.613 RES: b4eed8429d5e 10.17.8.66 - GET /medic/login?sso_error=ssouserinvalid HTTP/1.1 304 - 33.605 ms
Here is the relevant section from our base_settings:
"app_url": "<https://url>",
"oidc_provider": {
  "discovery_url": "https://login.microsoftonline.com/<tenent_id>/v2.0/.well-known/openid-configuration",
  "client_id": "<client_id>"
}
Sample User Document (in CouchDB)
{
  "_id": "org.couchdb.user:testsso",
  "_rev": "1-bcffafc917a579a1251e30b534a8507e",
  "password_scheme": "pbkdf2",
  "pbkdf2_prf": "sha256",
  "salt": "8aa59f94700f0d5f8d506ac58e4d8611",
  "iterations": 600000,
  "derived_key": "e5e5a11fadc7407a9055de3d1208fccd9e3fa9c28d04cac44ce329887726e0b3",
  "name": "testsso",
  "type": "user",
  "password_change_required": false,
  "roles": [
    "chw"
  ],
  "oidc_username": "raphaelkenyuri@gmail.com",
  "facility_id": [
    "b86793d3-4ea8-4721-99ab-5ef0fbc773f1"
  ],
  "contact_id": "d5788548-d23f-4c82-b924-4676b6ca3d2f"
}
Please help us resolve this.