SAC Portal enabled with local authentication.
To integrate SAC with WSS, both platforms need a SAML Identity provider.
When trying to add the Azure Identity provider to SAC (WSS is already integrated), the SAC admin gets the following error when saving the Azure AD Identity Provider configuration on SAC:
Azure AD prerequisites as defined in the SAC Azure AD Identity Provider documentation were completed.
WSS
SAC
Misconfiguration of Azure AD client application.
Copy the right Application ID to the SAC configuration
The various Application IDs required in the SAC Identity Provider setup can be confusing. The following highlights which Azure fields provide the right information needed for the SAC Identity provider setup to complete successfully:
1. Tenant and Application ID are both available from the OVERVIEW page for the Azure SAC Application
2. The Application key is available from the Client and secrets field and is the Application value and NOT the Application Secret ID!
3. A common mistake is to avoid adding all the Application permissions - the following MUST all be enabled and accessible
When troubleshooting Azure issues with access tokens, the following guide includes all error codes and the reasons for each error - an extremely useful guide for authentication and authorization type errors:
https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes
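A pre-flight check for the three values listed above, plus a lookup of the AADSTS code in a token error, as an added example (not part of the original article and not Broadcom or Microsoft code). It assumes the Tenant ID, Application ID and Secret ID are GUIDs while the secret value is not; the function names, sample values and sample error body are constructed for illustration.

```python
import json
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# AADSTS codes tied to the three fields; wording paraphrased from the Microsoft reference.
HINTS = {
    90002: "tenant not found: re-check the Tenant ID",
    700016: "application not found in the tenant: re-check the Application ID",
    7000215: "invalid client secret: use the secret value, not the Secret ID",
    7000222: "client secret expired: create a new secret",
}

def preflight(tenant_id, application_id, application_key):
    """Return a list of likely copy/paste mistakes before saving the configuration."""
    tenant, app, key = (v.strip() for v in (tenant_id, application_id, application_key))
    problems = []
    if not GUID.match(tenant):
        problems.append("Tenant ID is not a GUID")
    if not GUID.match(app):
        problems.append("Application ID is not a GUID")
    if GUID.match(tenant) and tenant.lower() == app.lower():
        problems.append("Tenant ID and Application ID are identical")
    if not key:
        problems.append("Application key is empty")
    elif GUID.match(key):
        # Heuristic (assumption): a GUID-shaped key is probably the Secret ID column.
        problems.append("Application key looks like a Secret ID, not the secret value")
    return problems

def explain_error(body):
    """Map AADSTS codes found in a token-endpoint error body (JSON) to hints."""
    data = json.loads(body)
    codes = [int(c) for c in data.get("error_codes", [])]
    codes += [int(c) for c in re.findall(r"AADSTS(\d+)", data.get("error_description", ""))]
    unique = dict.fromkeys(codes)  # de-duplicate, keep first-seen order
    return [(c, HINTS.get(c, "see the AADSTS error code reference")) for c in unique]

# Constructed sample values (not real identifiers or secrets).
TENANT = "11111111-2222-3333-4444-555555555555"
APP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SECRET_ID = "99999999-8888-7777-6666-555555555555"
SECRET_VALUE = "constructed~Example.Secret_Value-0123456789"
SAMPLE_ERROR = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000215: Invalid client secret provided.",
    "error_codes": [7000215],
})

if __name__ == "__main__":
    print(preflight(TENANT, APP, SECRET_ID))
    print(explain_error(SAMPLE_ERROR))
```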