"400 LOGIN FAILED" error when logging into Cloud SWG Portal using SAML IDP server

"400 LOGIN FAILED" error when logging into Cloud SWG Portal using SAML IDP server


Article ID: 266819


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Cloud SWG administrators want to log in via an Azure SAML IDP server rather than with a local login.

After making the appropriate configuration changes (on both the Azure and the Cloud SWG side), admins are correctly redirected to the Azure IDP server to log in.

After logging into Azure, the admin is redirected back to Cloud SWG, where a "400 LOGIN FAILED" error with the GENERAL_NONSUCCESS error code is returned instead of the Portal landing page.

Environment

Azure SAML IDP server used to SSO into Cloud SWG Portal.

Cause

Incorrect SAML attributes are sent in the assertion generated by Azure.

Resolution

Make sure that the Azure IDP server sends the "Email" attribute name (case sensitive!) with the matching Cloud SWG administrator email address as the attribute value.

Within Azure, go to the SAML application setup for the Cloud SWG Portal, select the "Single Sign On" panel and edit the "Attribute and Names" claims to include the Email attribute name, with the user's email address as the value, per the screenshot below:

Additional Information

By default, Azure sends a number of claims/attributes with its assertions, and most of them are unnecessary for Cloud SWG. Cloud SWG expects the following attributes:

  • Email with the user's email address as the value
  • FirstName with the user's first name as the value
  • LastName with the user's surname as the value.

Each attribute name is case sensitive. Technically the login works without the FirstName and LastName attributes, but when included they allow the Cloud SWG Portal to render the user's name in the top right-hand corner.
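To verify what the IDP actually sends before retrying the login, the decoded SAMLResponse (for example from a browser SAML tracer) can be checked against the attribute names above. The script below is an added example, not part of this article or of the Cloud SWG product; the two assertions and the admin address admin@example.com are constructed samples, and the Azure claim URIs shown are the Azure default claim names.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute names the Cloud SWG Portal reads from the assertion; exact, case-sensitive.
REQUIRED = ("Email",)
OPTIONAL = ("FirstName", "LastName")

# Constructed sample: Azure's default claim set, which carries no attribute named "Email".
AZURE_DEFAULT = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{SAML}"><saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
# Constructed sample: the same claims renamed as the article requires.
FIXED = AZURE_DEFAULT.replace("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                              "Email").replace(
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "FirstName")

def decode_saml_response(b64_response):
    """Decode the base64 SAMLResponse form field captured from the browser's POST."""
    return base64.b64decode(b64_response).decode("utf-8")

def extract_attributes(saml_xml):
    """Map each Attribute Name to its values, across every AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(saml_xml).iter(f"{{{SAML}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs

def check_cloud_swg_claims(saml_xml, admin_email):
    """Return findings as strings; an empty list means the portal's expectations are met."""
    attrs = extract_attributes(saml_xml)
    findings = []
    for name in REQUIRED + OPTIONAL:
        if name in attrs:
            continue
        # A near miss such as "email" or ".../claims/emailaddress" is a naming bug, not missing data.
        near = [n for n in attrs if n.rsplit("/", 1)[-1].lower().startswith(name.lower())]
        if near:
            findings.append(f"{name}: sent as {near[0]!r}; the name must match exactly (case-sensitive)")
        elif name in REQUIRED:
            findings.append(f"{name}: required attribute missing")
    if "Email" in attrs and admin_email not in attrs["Email"]:
        findings.append(f"Email: value {attrs['Email']} is not the admin address {admin_email!r}")
    return findings
```

Running `check_cloud_swg_claims` on the Azure default sample reports the emailaddress claim as a case/name mismatch, while the renamed sample passes; a mismatched admin address is reported separately so the two causes of a failed login can be told apart.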