Sealed app SSO failed due to invalid sender scheme

Article:TECH213921  |  Created: 2014-01-13  |  Updated: 2014-01-16  |  Article URL
NOTE: If you are experiencing this particular known issue, we recommend that you Subscribe to receive email notification each time this article is updated. Subscribers will be the first to learn about any releases, status changes, workarounds or decisions made.
Article Type
Technical Solution


Under some conditions, sealed apps with production assertion may meet with SSO failure due to invalid sender scheme.

A mobile user loads the sealed app and App Center App on his device, launches the App Center App and types his credentials.  The mobile user then launches the sealed app.  The sealed app prompts the user to join the workspace, to which the mobile user selects Yes.  Before joining the workspace, the following message appears: 

"[App name] is requesting to join App Center-[name] Workspace". Click "Allow".

The user clicks Allow.  Instead of the sealed app opening, SSO fails and the login screen appears.



The scheme is not a match.  One non-match scenario is that when an ISV Portal administrator removes the sealed app from an ISV portal, re-adds it in the ISV portal, and then re-seals the app.   In this scenario, a new UUID is generated. As a result, the new sealed app may experience issues, such as with (single sign-on) SSO.


The workaround to this issue is to avoid a mismatch between the UUID and the scheme. We recommended that you not remove sealed apps and reseal them on the ISV portal.  Instead, we recommend that you upload a new version to the ISV portal (not remove it). This will ensure the UUID is always the same as the scheme. 

Supplemental Materials


Article URL

Terms of use for this information are found in Legal Notices