Application with identifier https://myidentifier not found in directory
Article ID: 252917
Updated On:
Products
Issue/Introduction
Following configuration of Azure Active Directory as an IdP according to documentation page Azure AD as an Identity Provider (IdP).
The instructions mention to add in the SAML section under Configuration > Security > SAML > RP Configuration in PAM, your App ID URL, for example https://ip_address as the Entity Id.
By doing so SSO login always fails with a message that
Application with identifier https://ip_address is not found in directory <Name of Azure AD>
This happens irrespective if the Application ID is specified as https://ip_address or the Redirect URI for the Application registration in Azure defined previously (e.g. https://ip_address/cspm/home) is used (see configuration steps shared earlier).
Cause
This is due to the application identifier sent by CA PAM in the assertion request not being a known value to Azure. It does not suffice to use the Web URI or an arbitrary Application Identifier such as the node or cluster primary node IP address, as both of them will be unknown to Azure as the name of a registered application
Resolution
Instead of using the values specified in the documentation, make sure that the value specified in Application ID URI under Application registration > Your Application registered in Azure for communication with PAM > Overview is used as the value for App ID URL under Configuration > Security > SAML > RP Configuration in CA PAM
For instance
It may happen that the Application ID URI is empty or not defined.
In this case you can click on Expose an API to have the API value populated and use that one in subsequent steps (see screenshot)
Feedback
