WSS integrated with Azure IDP server for SAML authentication
Azure setup to send user and group information within the assertion
When a user accesses the WSS service, they are correctly redirected to the IDP server to authenticate, but after the credentials are submitted to the IDP server, the following configuration_error page with the message "An invalid certificate was found" is rendered in the browser:
Looking at the Azure single sign-on logs for the user experiencing the login issue, the following message was reported about a missing claim:
SAML authentication with WSS (any access method)
Azure SAML IDP server
Azure IDP server set up to send multiple attributes in the SAML AttributeStatement/claims, but one of the referenced attributes was blank
Make sure that the SAML IDP server only sends the relevant information: the user identity in the NameIdentifier field and the group attributes as part of the claims. WSS only needs this information and will ignore any additional attributes.
In this case, the IDP server was configured to send multiple attributes, one of which was not populated for the user. Instead of sending an assertion, the Azure IDP server returns a 'Responder' status rather than 'Success', and WSS throws an invalid certificate error because this Responder message is not signed.
A HAR file from the browser was used to confirm that the assertion was not sent correctly.
The IDP server-side logs can show the reason why the assertion was not sent.
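As an added example (not from this article or from WSS), the following Python script decodes the base64 SAMLResponse taken from the HAR POST body and reports the status code, whether a Signature element is present, the NameID and which attributes are empty, so a Responder status without a signature can be recognised before blaming the certificate. The two sample responses are constructed for illustration, not captured from Azure.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def triage_saml_response(b64_response: str) -> dict:
    """Decode the base64 SAMLResponse from a HAR POST body and report why the SP
    might reject it. Only checks that a Signature element exists; it does not
    verify the signature, so this is a triage aid, not a validator."""
    root = ET.fromstring(base64.b64decode(b64_response))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    assertion = root.find("saml:Assertion", NS)
    signed = root.find("ds:Signature", NS) is not None or (
        assertion is not None and assertion.find("ds:Signature", NS) is not None)
    name_id = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    attrs = {}
    if assertion is not None:
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return {"status": code.get("Value", "").rsplit(":", 1)[-1] if code is not None else "missing",
            "status_message": msg.text if msg is not None else None,
            "signed": signed,
            "name_id": name_id.text if name_id is not None else None,
            "attributes": attrs,
            # attributes that are present but carry no value are the symptom described above
            "empty_attributes": [n for n, v in attrs.items() if not any(v)]}

# Constructed samples (not captured from Azure): a Responder status with no assertion
# and no signature, and a Success response carrying a NameID, a group claim and an
# empty attribute.
SAMLP = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
RESPONDER_RESPONSE = base64.b64encode(f"""<samlp:Response {SAMLP} ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  <samlp:StatusMessage>constructed: IdP could not issue an assertion</samlp:StatusMessage></samlp:Status>
</samlp:Response>""".encode()).decode()
SUCCESS_RESPONSE = base64.b64encode(f"""<samlp:Response {SAMLP} ID="_r2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>wss-users</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="department"><saml:AttributeValue/></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion>
</samlp:Response>""".encode()).decode()
```

A `status` of `Responder` with `signed` false is the situation the article describes; a `Success` response whose `empty_attributes` list is non-empty points at the claim that should be removed from the Azure configuration.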