Error: Unable to sign in, logins are by invitation only. Please contact the administrator of this web site to access this site
While following the instructions in the "Configure a SAML-compliant identity provider with your portal" documentation for Active Directory Federation Services (AD FS) 2.0 and above, step 3 under the "Configuring your portal with a SAML identity provider" heading offers the following options:
- Allow users to join the organization automatically, or
- Allow users to join the organization only after accounts to the portal are added
When the second option is selected, the following error message is sometimes returned:
Error: Unable to sign in, logins are by invitation only. Please contact the administrator of this web site to access this site.
This happens if the Lightweight Directory Access Protocol (LDAP) attributes are mapped to Outgoing Claim Types incorrectly.
For example, the error message is returned if the User-Principal-Name (UPN) attribute is mapped to the Name ID Outgoing Claim Type, and the UPN username entered when adding the member to the portal is incorrect.
The error message is also returned if other details, such as the first name and last name, are entered incorrectly when adding the portal member.
Solution or Workaround
When adding the member to the portal, provide the UPN and other attributes as they are set in the AD FS Server.
To find the correct UPN, launch the command prompt on any computer within the same network as the AD FS Server and run the command 'whoami /upn'. This lists the UPN of the logged-in user.
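A troubleshooting aid for the mismatch described above, added here as an example and not taken from the portal or AD FS documentation: it reads the Name ID and name claims from a captured SAML assertion and compares them with the details entered for the portal member. The assertion, the member record, the field names and the givenname/surname claim mapping are constructed assumptions, and the script does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Assumed mapping of AD FS outgoing claim types to the member's name fields.
FIELDS = {CLAIMS + "givenname": "first_name", CLAIMS + "surname": "last_name"}

# Constructed sample: an assertion as issued when UPN is mapped to Name ID.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject><saml:NameID>jsmith@corp.example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname">
      <saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def claims_from_assertion(xml_text):
    """Return the identity values an assertion carries (signature is NOT checked)."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    claims = {"username": name_id.strip()}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        field = FIELDS.get(attr.get("Name", ""))
        if field:
            value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
            claims[field] = value.strip()
    return claims

def mismatches(member, claims):
    """List fields where the pre-created portal member differs from the assertion."""
    # The page does not say whether the comparison is case-sensitive, so a
    # case-only difference is reported separately so that it can be ruled out.
    problems = []
    for field in ("username", "first_name", "last_name"):
        entered, asserted = member.get(field, ""), claims.get(field, "")
        if entered == asserted:
            continue
        if entered.casefold() == asserted.casefold():
            kind = "differs only in letter case"
        elif field == "username" and "@" not in entered:
            kind = "not in UPN form (user@domain)"
        else:
            kind = "does not match"
        problems.append(f"{field}: entered {entered!r}, AD FS sends {asserted!r} ({kind})")
    return problems

if __name__ == "__main__":
    entered = {"username": "jsmith", "first_name": "John", "last_name": "Smith"}  # constructed
    print("\n".join(mismatches(entered, claims_from_assertion(SAMPLE_ASSERTION))))
```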