Troubleshooting SSO sign-in issues
Overview
This article helps you resolve issues signing in to Ramp with single sign-on (SSO), including Google SSO and SAML-based providers like Okta, Microsoft Entra ID, and OneLogin. If you need to set up SSO for the first time, see Setting up single sign-on (SSO) in Ramp.
Each section below covers a specific error message or scenario. Find the message or situation that matches what you see, then follow the steps to resolve it.
"SSO configuration error"
If you see "SSO configuration error" with a message like "Your SSO system returned an error," your identity provider (IdP) returned an error during the SAML authentication process.
Common causes
- The SAML attribute mapping in your IdP is missing required fields. Ramp requires first name, last name, and email attributes.
- The SAML certificate has expired.
- The Assertion Consumer Service (ACS) URL or Entity ID in your IdP does not match Ramp's configuration.
How to resolve
IT admins: Check your IdP's SAML configuration and verify the following:
- The attribute mapping includes first name, last name, and email.
- The SAML certificate is current and not expired.
- The ACS URL and Entity ID match the values shown in Ramp's SSO settings.
For setup details, see Setting up single sign-on (SSO) in Ramp.
Employees: Share the exact error message with your IT administrator so they can investigate.
"Email mismatch"
If you see "Email mismatch" with the message "The email from your SSO provider doesn't match your Ramp account," the email address your IdP sends during authentication does not match the email on your Ramp account.
Common causes
- Your company recently changed email domains (for example, from @oldcompany.com to @newcompany.com), and either Ramp or the IdP still has the old email.
- Your name changed and your email was updated in one system but not the other.
- You are signing in with a personal email account instead of your work account.
How to resolve
IT admins: Verify that the user's email address in your IdP matches their email in Ramp. If your company recently migrated email domains, update the email in both systems to match.
Employees: Confirm you are signing in with your work email, not a personal account. If your email recently changed, ask your IT administrator to align your email across Ramp and your IdP.
If your company recently migrated to a new email domain, your IT administrator also needs to update the domain in Ramp's SAML provider configuration. See "SSO sign-in failed" if users with the new domain cannot find an SSO option.
"Invalid certificate response"
If you see "Invalid certificate response" with the message "We received an invalid certificate response from your identity provider," the SAML certificate your IdP sent could not be validated.
Common causes
- The SAML signing certificate in your IdP has expired.
- The certificate was recently rotated in your IdP but the new certificate was not uploaded to Ramp.
- The certificate in Ramp's SSO settings does not match the certificate your IdP is using to sign responses.
How to resolve
IT admins:
- Check your IdP for the current signing certificate and its expiration date.
- If the certificate was recently rotated, download the new certificate from your IdP.
- Upload the updated certificate or re-upload your IdP metadata in Ramp's SSO settings.
For instructions on updating SSO settings, see Setting up single sign-on (SSO) in Ramp.
Employees: Contact your IT administrator and let them know you are seeing a certificate error when signing in.
"SSO sign-in failed"
If you see "SSO sign-in failed" with the message "Your SSO provider isn't configured for [your email]," your email domain is not linked to a SAML provider in Ramp.
Common causes
- Your email domain has not been added to the SAML provider configuration in Ramp.
- Your company uses multiple email domains and only some are configured for SSO.
- You are entering an email address that belongs to a different domain than the one configured for SSO.
How to resolve
IT admins: Go to Ramp's SSO settings and verify that the user's email domain is included in the SAML provider configuration. If your company uses multiple domains, add each domain that should use SSO.
Employees: Check with your IT administrator to confirm which email address you should use for SSO sign-in. If you have multiple email addresses, try signing in with your primary work email.
"Sign-in method unavailable"
If you see "Sign-in method unavailable" with the message "Your administrator has disabled this sign-in method," the sign-in method you are trying to use has been turned off for your role.
IT admins: Review the sign-in methods enabled for each role in your organization's settings. If a role should have access to a specific sign-in method, re-enable it.
Employees: Contact your IT administrator to find out which sign-in method is available for your account. Your administrator controls which sign-in options are enabled for different roles.
"Account is missing required information"
If you see "Your account is missing required information" after completing SSO authentication, it means the SSO handshake with your identity provider succeeded, but Ramp could not finish signing you in because your account is missing data that Ramp requires.
This is different from the SSO configuration error messages above — those occur when the IdP itself returns an error. This error occurs after your IdP authenticates you.
Common causes
- Your Ramp account was created but is incomplete — for example, a required profile field was never filled in.
- Your identity provider is not sending all required attributes (first name, last name, email) in the SAML assertion, so Ramp cannot populate your account.
- You were recently added to the organization but your account setup is not yet complete.
How to resolve
IT admins: Verify that the user's account exists in Ramp and that all required fields are populated. Also check that your IdP's SAML attribute mapping sends first name, last name, and email. If the user was recently invited, confirm that they completed the account setup process.
Employees: If you received an invitation to join Ramp, check whether you completed all the steps in the invitation email. If you are unsure, ask your IT administrator to verify your account status. If the issue persists, contact Ramp Support.
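For IT admins, the attribute, ACS URL and Entity ID checks described here and under "SSO configuration error" can be run against a SAMLResponse form field captured from the browser's developer tools during a failed sign-in. This is an added example, not Ramp's code; the attribute names and the ACS URL and Entity ID values are assumptions to replace with the names in your IdP mapping and the values shown in Ramp's SSO settings.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute names; use the names from your own IdP attribute mapping.
REQUIRED_ATTRS = ("firstName", "lastName", "email")


def check_saml_response(b64_response, expected_acs, expected_entity_id):
    """Diagnostic only: lists config problems, does NOT verify the signature."""
    raw = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in raw:  # refuse DTDs/entities in a pasted document
        raise ValueError("DOCTYPE not allowed in a SAML response")
    root = ET.fromstring(raw)
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain the Entity ID")
    sent = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        sent[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED_ATTRS:
        if not sent.get(name):
            problems.append(f"attribute {name!r} missing or empty")
    return problems


def build_sample(destination, audience, attrs):
    """Build a constructed (not captured) base64 SAMLResponse for the demo."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
        f'</saml:AttributeValue></saml:Attribute>' for k, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' Destination="{destination}"><saml:Assertion><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
           f'{attr_xml}</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


ACS = "https://sp.example.com/saml/acs"          # placeholder, not Ramp's value
ENTITY_ID = "https://sp.example.com/saml/entity"  # placeholder, not Ramp's value

if __name__ == "__main__":
    bad = build_sample("https://sp.example.com/old-acs", ENTITY_ID,
                       {"firstName": "Ada", "email": "ada@example.com"})
    for problem in check_saml_response(bad, ACS, ENTITY_ID):
        print("FAIL:", problem)
```

The script does not check certificate expiry or signatures, so an empty result does not rule out the "Invalid certificate response" causes.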
SSO authenticates but Ramp shows an error
In some cases, your identity provider authenticates you successfully (you see your IdP's sign-in screen, enter credentials, and are redirected back) but Ramp displays a generic error such as "Unable to sign in, please try again later" instead of signing you in.
This indicates a problem on the Ramp side of the sign-in flow, not with your identity provider.
- Wait a few minutes and try again — this may be a temporary service issue.
- Clear your browser cookies for app.ramp.com and try signing in from an incognito or private window.
- Ask your IT administrator to check whether any changes were recently made to your Ramp account or SSO configuration.
If the error continues, contact Ramp Support with your email address, the approximate time of the error, and any error message you see on screen. Mention that your IdP authentication succeeded but Ramp returned an error afterward.
Google SSO not working
If you are unable to sign in using Google SSO, there are several possible causes.
Wrong Google account selected
If you have multiple Google accounts signed in to your browser, you may have selected the wrong one. Try the following:
- Open an incognito or private browser window.
- Go to app.ramp.com/sign-in.
- Select the Google SSO option and sign in with your work Google account.
Personal Gmail vs. work email
Google SSO requires a Google Workspace account associated with your company. If your company does not use Google Workspace, or if you are trying to sign in with a personal Gmail address, Google SSO will not work. Check with your IT administrator about which sign-in method to use.
Google SSO disabled by Admin
Your administrator may have disabled Google SSO for your organization or role. Contact your IT administrator to confirm whether Google SSO is enabled.
"Oops, something went wrong"
This is a generic error that can appear during Google SSO for a variety of reasons. Because the message does not specify a cause, try these steps in order:
- Open an incognito or private browser window and try signing in again — this rules out cached credentials or a wrong Google account.
- Make sure you are selecting your work Google account, not a personal Gmail account.
- Clear your browser cookies for app.ramp.com and accounts.google.com, then try again.
- Try a different browser.
If the error persists after these steps, ask your IT administrator to verify that your Google Workspace account is active and that Google SSO is enabled for your organization in Ramp. If the issue remains unresolved, contact Ramp Support with a screenshot of the error and the email address you are using.
Popup blocked
Google SSO opens a popup window to complete authentication. If your browser blocks the popup, see Popup errors below.
I don't see an SSO option on the sign-in page
Ramp's sign-in page dynamically shows the available sign-in methods based on the email address you enter. If you do not see an SSO option:
- Verify your email address. Make sure you entered the correct work email. SSO options appear only for email domains that have SSO configured.
- Check with your IT administrator. SSO may not be set up for your organization or your specific email domain. Your administrator can verify SSO configuration in Ramp's settings.
- Try a different email. If your company uses multiple email domains, the SSO option may be linked to a specific domain.
If you see "No sign-in methods configured" with the message "Contact your IT administrator for assistance," no sign-in methods have been set up for your email. Contact your IT administrator to resolve this.
Popup errors
SSO sign-in uses a browser popup to communicate with your identity provider. If the popup is blocked or closed prematurely, you may see one of these messages:
- "Popup closed without completing sign in" — The popup was closed before authentication finished. Try signing in again without closing the popup window.
- "Popup blocked" — Your browser prevented the popup from opening.
- Allow popups for app.ramp.com in your browser settings.
- Disable any browser extensions that block popups.
- Try a different browser or an incognito/private window.
- Sign in again after allowing popups.
Admin locked out because SSO is broken
If you are an admin and SSO is misconfigured for your organization, you may be unable to sign in to fix the issue yourself. Ramp does not currently offer a way to bypass SSO from the sign-in page.
To regain access, contact Ramp Support and provide your company name and admin email address. The Support team can help restore access to your account.
Does Ramp support IdP-initiated SAML?
Ramp does not support IdP-initiated SAML sign-ins. Ramp uses SP-initiated (service-provider-initiated) SAML only, which means sign-in must start from Ramp's sign-in page.
If you try to launch Ramp directly from your IdP portal (for example, from an Okta or Entra ID app tile configured as a SAML launch), the sign-in will fail.
Ramp previously supported a "bookmark URL" flow (https://app.ramp.com/sign-in/saml/<Unique ID>) that simulated an IdP-initiated sign-in, but this flow was deprecated due to browser changes in early 2024. Users with these bookmarks now see a Ramp sign-in page and must use the Sign In button to continue.
- Bookmark app.ramp.com/sign-in and start your sign-in from there.
- If your IdP supports configuring app tiles as bookmark links instead of SAML launches, your IT administrator can set up the Ramp app tile to redirect to app.ramp.com/sign-in.
For more details on SP-initiated vs. IdP-initiated SAML and the deprecated bookmark flow, see SAML IdP-initiated sign-ins.
Frequently asked questions
Can I use SSO and still be asked for MFA?
Yes. Even after signing in with SSO, Ramp may prompt you for multi-factor authentication (MFA) as a step-up verification for sensitive actions, such as approving large transactions or changing account settings. This is a separate security layer from the SSO sign-in itself. If you need to change or recover your MFA method, see Recover or update your MFA method. For other MFA issues, see Troubleshooting Ramp sign-in and MFA issues.
Can I switch between SSO and password sign-in?
This depends on your organization's sign-in controls. Administrators can configure which sign-in methods are available for each role. If SSO is the only method enabled for your role, you will not see a password option on the sign-in page. Check with your IT administrator about which methods are enabled for you.
I was removed from my company's IdP group. What happens?
If you are removed from the SSO group in your identity provider, SSO sign-in will fail because your IdP will no longer authenticate you for Ramp. Contact your IT administrator to be re-added to the appropriate IdP group. If your administrator has enabled an alternate sign-in method for your role, you may be able to use that method in the meantime.
I'm a new employee and SSO gives an error on my first sign-in.
If you were recently invited to join Ramp and get an error when trying SSO for the first time, complete your account setup before attempting SSO:
- Go back to the original invitation email and follow the link to finish any remaining setup steps.
- If the invitation link has expired, ask your IT administrator to re-send it.
- After completing setup, go to app.ramp.com/sign-in and try SSO again.
If SSO still fails after setup, ask your IT administrator to verify that your email is included in your company's SSO group. You may also see the "Account is missing required information" error if your account is incomplete.
My company switched identity providers entirely (e.g., Google to Microsoft). What do we do?
Switching identity providers — for example, migrating from Google Workspace to Microsoft Entra ID — requires updating your SSO configuration in Ramp, not just changing email domains. Your IT administrator needs to:
- Set up the new SAML provider in Ramp's SSO settings following the instructions in Setting up single sign-on (SSO) in Ramp.
- Verify that the new provider's domain configuration matches your users' email domains.
- Test the new SSO flow before removing the old provider.
If your old provider has already been decommissioned and users cannot sign in, see Admin locked out because SSO is broken for steps on regaining access.
Ramp is asking me to set up a passkey instead of using SSO
Ramp may prompt users to set up a passkey as an additional sign-in method, even if your organization uses SSO. This does not replace SSO — it is an optional alternative sign-in method. If you prefer to skip the passkey setup and continue using SSO, look for an option to skip or dismiss the prompt. If the prompt is blocking your sign-in or appearing repeatedly, ask your IT administrator to review your organization's sign-in method settings, or contact Ramp Support for guidance.