
Application with identifier https://myidentifier not found in directory


Article ID: 252917


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Azure Active Directory was configured as an IdP following the article

Configuring Azure as an IdP in CA PAM

Those instructions say to enter your App ID URL, for example https://ip_address, as the Entity Id in the SAML section under Configuration --> Security --> RP Configuration in CA PAM.

With that value in place, SSO login always fails with the message

Application with identifier https://ip_address is not found in directory <Name of Azure AD>

This happens regardless of whether the Application ID is specified as https://ip_address or as the Redirect URI defined previously for the Application registration in Azure (e.g. https://ip_address/cspm/home); see the configuration steps shared earlier.

Environment

CA PAM all releases 

Cause

The application identifier that CA PAM sends as the Issuer (Entity ID) in the SAML authentication request is not a value known to Azure. Neither the Web URI nor an arbitrary identifier such as the node or cluster primary node IP address will work, because Azure does not recognise either of them as the identifier of a registered application.

Resolution

Instead of using the values given in the documentation, take the value shown as Application ID URI under Application registration --> Your Application registered in Azure for communication with PAM --> Overview, and enter it as the App ID URL under Configuration --> Security --> SAML --> RP Configuration in CA PAM.


It may happen that the Application ID URI is empty or not yet defined for the application registration.

In this case, open Expose an API in the Azure portal so that the api value is populated, then use that value in the steps above (the original article shows this in a screenshot).
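To make the cause concrete, the following is an added example (not CA PAM or Azure code) that builds a minimal SAML AuthnRequest, extracts its Issuer, and checks it against the identifier URIs of an app registration the way the directory does. The AuthnRequest, the IP-based URLs and the `api://` URI with an all-zero application (client) ID are constructed placeholders for this example.

```python
"""Check whether the SAML Issuer (Entity ID) sent by a relying party is one of
the Application ID URIs registered on an Azure AD app registration.

Added example for this article, not code from CA PAM or Azure. The request
below is constructed for illustration and the registered URI uses a
placeholder application (client) ID.
"""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholder: the Application ID URI that "Expose an API" populates has the
# form api://<application (client) ID>. The all-zero GUID is a constructed value.
REGISTERED_IDENTIFIER_URIS = ["api://00000000-0000-0000-0000-000000000000"]


def build_authn_request(issuer: str, acs_url: str) -> bytes:
    """Construct a minimal SAML 2.0 AuthnRequest (constructed sample, not a
    capture). The Issuer is the App ID URL from the RP Configuration."""
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": "_constructed-request-id",
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    return ET.tostring(root)


def extract_issuer(authn_request: bytes) -> str:
    """Return the Issuer element of an AuthnRequest; this is the value the
    IdP looks up as the application identifier."""
    root = ET.fromstring(authn_request)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest carries no Issuer element")
    return issuer.text.strip()


def issuer_is_registered(issuer: str, identifier_uris: list[str]) -> bool:
    """The directory matches the Entity ID against the app registration's
    identifier URIs as an exact string; a redirect URI or an arbitrary
    https://<ip> value is not among them."""
    return issuer in identifier_uris


def diagnose(authn_request: bytes, identifier_uris: list[str]) -> str:
    """Reproduce the two outcomes described in the article for a request."""
    issuer = extract_issuer(authn_request)
    if issuer_is_registered(issuer, identifier_uris):
        return f"OK: {issuer} is a registered Application ID URI"
    return f"Application with identifier {issuer} is not found in directory"


if __name__ == "__main__":
    # The documented (failing) value: the appliance address as Entity ID.
    bad = build_authn_request("https://ip_address", "https://ip_address/cspm/home")
    print(diagnose(bad, REGISTERED_IDENTIFIER_URIS))
    # The working value: the Application ID URI from the registration's Overview.
    good = build_authn_request(REGISTERED_IDENTIFIER_URIS[0], "https://ip_address/cspm/home")
    print(diagnose(good, REGISTERED_IDENTIFIER_URIS))
```

Running the script prints the "not found in directory" outcome for the IP-based Entity ID and the OK outcome once the Issuer equals the registered Application ID URI, which is exactly the change the Resolution section asks for. The same `extract_issuer` check can be pointed at a real AuthnRequest captured from the browser (base64-decoded and, for HTTP-Redirect binding, inflated first) to confirm what PAM is actually sending before changing the Azure side.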