The following items must be reviewed:

1. The federation.properties file under NX_ROOT\bopcfg\www\CATALINA_BASE\shared\resources\federation.properties

Ensure the values are set in the following way:

federation.trustedissuers.issuer=<paste here the value from Azure> Enterprise Application > <Application name> > Single sign-on > Item 4 > Login URL > change /saml2 to/wsfed>
federation.trustedissuers.thumbprint=<paste here the value from Azure> Enterprise Application > <Application name> > Single sign-on > Item 3 > Thumbprint>
federation.trustedissuers.friendlyname=<paste here the value from Azure> Enterprise Application > <Application name> > Single sign-on > Item 4 > Azure ID Identifier>
federation.audienceuris=https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe|https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe
federation.realm=https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe
federation.enableManualRedirect=false
federation.reply=https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe

Note: ensure there is no uppercase in the value set for federation.enableManualRedirect

2. SDM uses the claims “name” to validate the user (userid of ca_contact and EEM if applicable). The screenshot below shows the information passed from Microsoft to SDM:

In the example above, the claims name testXXXXX@XXXXXXX.onmicrosoft.com is passed to the SDM server to check if the user exists in SDM (userid in ca_contact and in EEM)

XXXX represents the actual text which has been redacted in the above screencap due to security concerns.

Review the following:

2.1 That testXXXXX@XXXXXXX.onmicrosoft.com userid exists in ca_contact.

You can run the following query to confirm:

Select userid,* from ca_contact where userid = 'testXXXXX@XXXXXXX.onmicrosoft.com'

The result should show 1 row.

2.2 If using EEM: That testXXXXX@XXXXXXX.onmicrosoft.com Principal Name exists in EEM.

Example:

2.3 In Azure, the User Principal Name is testXXXXX@XXXXXXX.onmicrosoft.com for your user

Example: