
"Configuration_error" message returned to users when authenticating with Azure SAML IDP server


Article ID: 240844


Updated On:

Products

Web Security Service - WSS

Issue/Introduction

WSS is integrated with Azure as the SAML IdP for user authentication.

Azure is set up to send user and group information within the assertion.

When a user accesses the WSS service, they are correctly redirected to the IdP to authenticate, but after the credentials are submitted to the IdP, a configuration_error page with the message "An invalid certificate was found" is rendered in the browser:

Looking at the Azure single sign-on logs for the user experiencing the login issue, the following message was reported about a missing claim:


Cause

The Azure IdP was set up to send multiple attributes in the SAML AttributeStatement (claims), but one of the referenced attributes was blank for the affected user.

Environment

SAML authentication with WSS (any access method)

Azure as the SAML IdP

Resolution

Make sure that the SAML IdP only sends the information WSS uses: the user identity in the NameID (NameIdentifier) field of the assertion Subject, and the group membership as attributes in the AttributeStatement (claims). WSS ignores any additional attributes, so do not add claims that may be unpopulated for some users.

In this case, the IdP was configured to send multiple attributes, one of which was not populated for the user. Instead of issuing an assertion, Azure returns a SAML Response whose StatusCode is urn:oasis:names:tc:SAML:2.0:status:Responder rather than urn:oasis:names:tc:SAML:2.0:status:Success, with no Assertion inside it. Because that error Response is not signed, WSS cannot validate a signature on it and reports an invalid certificate, which hides the real cause (the missing claim) from the user.

Additional Information

A HAR file captured from the browser can be used to confirm that the assertion was not sent correctly: decode the SAMLResponse form parameter POSTed to WSS and check its StatusCode and whether it contains a signed Assertion.

The IdP-side sign-in logs record the reason why the assertion was not issued.
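The following script is an added example written for this article, not a tool shipped with WSS or Azure. It performs the HAR check described above: it pulls every SAMLResponse parameter out of a HAR export (HTTP-POST binding assumed), base64-decodes it, and reports the StatusCode, whether a (signed) Assertion is present, the NameID, and any attribute whose value is blank. The two embedded SAML Responses, the HAR wrapper, the issuer URL and the attribute names ("groups", "department") are constructed for the example; the <ds:Signature/> elements are placeholders, and the script only checks for their presence without verifying XML signatures.

```python
import base64
import json
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def saml_responses_from_har(har_text):
    """Decode every SAMLResponse form parameter POSTed to the SP (HTTP-POST binding)."""
    out = []
    for entry in json.loads(har_text)["log"]["entries"]:
        post = entry["request"].get("postData") or {}
        for param in post.get("params", []):
            if param.get("name") == "SAMLResponse":
                # Some exports keep the value URL-encoded; unquoting plain base64 is a no-op.
                raw = urllib.parse.unquote(param["value"])
                out.append(base64.b64decode(raw).decode("utf-8"))
    return out


def inspect_response(xml_text):
    """Extract status, signature presence, NameID and attributes from a SAML Response."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    sub = root.find("samlp:Status/samlp:StatusCode/samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    assertion = root.find("saml:Assertion", NS)
    report = {
        "status": code.get("Value") if code is not None else None,
        "sub_status": sub.get("Value") if sub is not None else None,
        "status_message": msg.text if msg is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_present": assertion is not None,
        "assertion_signed": False,
        "name_id": None,
        "attributes": {},
        "empty_attributes": [],
    }
    if assertion is not None:
        report["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
        nid = assertion.find("saml:Subject/saml:NameID", NS)
        report["name_id"] = nid.text if nid is not None else None
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
            report["attributes"][attr.get("Name")] = values
            if not any(values):  # no AttributeValue, or only blank ones
                report["empty_attributes"].append(attr.get("Name"))
    return report


def diagnose(report):
    """Map a parsed Response to a cause; 'idp-error' is the case this article describes."""
    if report["status"] != STATUS_SUCCESS:
        return "idp-error"      # Responder/Requester status and no assertion: fix IdP claim config
    if not report["assertion_present"]:
        return "no-assertion"
    if not (report["response_signed"] or report["assertion_signed"]):
        return "unsigned"       # nothing for the SP to validate a certificate against
    if not report["name_id"]:
        return "no-nameid"
    if report["empty_attributes"]:
        return "empty-claims"   # assertion issued, but a claim is blank for this user
    return "ok"


# Constructed samples (not captured from a real tenant).
RESPONDER_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2022-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:Response>"""

SUCCESS_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0"
  IssueInstant="2022-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2022-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature/>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>wss-users</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="department"><saml:AttributeValue/></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def make_har(*responses):
    """Build a minimal HAR with one POST per SAML Response, shaped like a browser export."""
    entries = [{"request": {"method": "POST", "url": "https://sp.example.test/saml/acs",
                "postData": {"mimeType": "application/x-www-form-urlencoded",
                             "params": [{"name": "SAMLResponse",
                                         "value": base64.b64encode(r.encode()).decode()}]}}}
               for r in responses]
    return json.dumps({"log": {"version": "1.2", "entries": entries}})


SAMPLE_HAR = make_har(RESPONDER_XML, SUCCESS_XML)

if __name__ == "__main__":
    for xml_text in saml_responses_from_har(SAMPLE_HAR):
        rep = inspect_response(xml_text)
        print(diagnose(rep), rep["status"], rep["sub_status"], rep["empty_attributes"])
```

For a real capture, replace SAMPLE_HAR with the contents of the exported HAR file. A Responder status with no Assertion points at the IdP claim configuration, which is the case in this article; an unsigned Response that does carry an Assertion, or one with blank attribute values, points at a different IdP setting and needs its own fix.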
