After enabled External IDP (SAML), AD users cannot be authenticated when logging with App Center Agent.
In the App Center Agent, end user will get a error message saying:
401 - Unauthorized: Access is denied to invalid credentials.
Integrated Windows authentication (IWA) is set by default in the AD Federation Services. App Center supports "Forms-based authentication" (FBA) and it was not set in the web.config file.
In order to enable end users to be authenticated, we need to make sure that the "Forms-based authentication" (FBA) is properly set in the web.config file. FBA needs to be move to the top of the <localAuthenticationTypes> as below:
<add name="Forms" page="FormsSignIn.aspx" />
<add name="Integrated" page="auth/integrated/" />
<add name="TlsClient" page="auth/sslclient/" />
<add name="Basic" page="auth/basic/" />
The web.config file can be found under <>:\inetpub\adfs\ls. For more information, please see the following articles:
How to configure App Center with ADFS SAML provider
Configure ADFS for Forms Based Authentication (FBA):
Symantec App Center 4.x
External Identity Provider - SAML