SSO error when authenticating against the external identity provider 401 Unauthorized

Article ID: 293619

Products

Operations Manager

Issue/Introduction

Pre-checks

  • The SSO service instance is configured to use an external identity provider of type OpenID Connect. This article uses Azure AD as the OIDC provider, which is where the error below was observed.
  • Opening the application in a web browser redirects the authentication request to the external provider. After signing in there with valid user credentials, the browser is sent back to the application and shows the following error:

    There was an error when authenticating against the external identity provider 401 Unauthorized


The message itself does not say what failed, but the 401 Unauthorized is a useful clue: it is the status the external provider's token endpoint returned when UAA presented the client (application) ID and client secret configured for that identity provider. A 401 at that step means the provider rejected the client credentials, not the user, so the configuration of the external identity provider in the SSO plan is the first place to look.

You can navigate to those configurations by going to the SSO Operator Dashboard > SSO Plan that you created > Manage Identity Providers > External Identity Provider you configured > Edit Provider. 

Note: The Operator Dashboard URL has the form https://p-identity.<system-domain>.

If you have also enabled DEBUG-level logging on your UAA instances, the outbound HTTP client's wire log shows the token endpoint's response byte for byte. With a misconfigured client secret it looks like this:

[2020-10-15 17:29:19.729] uaa - 15 [https-jsse-nio-8443-exec-8] .... DEBUG --- wire: http-outgoing-0 << "{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: <trace-id>\r\nCorrelation ID: <correlation-id>\r\nTimestamp: 2020-10-15 17:29:19Z","error_codes":[7000215],"timestamp":"2020-10-15 17:29:19Z","trace_id":"<trace-id>","correlation_id":"<correlation-id>","error_uri":"https://login.microsoftonline.com/error?code=7000215"}"

[2020-10-15 17:29:19.733] uaa - 15 [https-jsse-nio-8443-exec-8] .... DEBUG --- headers: http-outgoing-0 << HTTP/1.1 401 Unauthorized


Environment

OS: Linux

Resolution

In the case this article describes, reviewing the external identity provider configuration of the SSO plan showed that the client secret (called the application secret in Azure AD and the Relying Party OAuth Client Secret in the Operator Dashboard) was wrong, and that mismatch is what produced the 401 Unauthorized.

That value should be the first thing you check: the secret in the Operator Dashboard must be exactly the same as the client secret registered on the external identity provider, with no leading or trailing whitespace picked up from copy/paste. When copying from the Azure portal, use the secret Value, not the Secret ID, and confirm the secret has not expired. If the secret has to be updated, save the new value in the Operator Dashboard and then rebind your application to the SSO service instance so the change takes effect.
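The checks above can be scripted. The following is an added example, not code from this article, from UAA, or from the SSO tile. It pulls the provider's error body out of a UAA DEBUG wire line of the shape quoted in the Issue section, flags the copy/paste mistakes a client secret commonly has, and, when network access is available, authenticates as the client alone against the Azure AD v2.0 token endpoint (https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token, client_credentials grant) so the secret can be tested without going through the SSO login flow. The sample log line, its placeholder IDs and all function names are constructed for the example; the AADSTS codes other than 7000215 are taken from Microsoft's published AADSTS error list and the hints beside them are my own wording.

```python
"""Triage helpers for the 'invalid client secret' 401 described above.

Added example; not code from the article, UAA or the SSO tile. Assumes UAA
DEBUG wire log lines in the shape quoted in the article and the public
Azure AD v2.0 token endpoint at login.microsoftonline.com.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample log line in the same shape as the article's; the trace
# and correlation IDs are placeholders, not values from any real tenant.
SAMPLE_WIRE_LINE = (
    '[2020-10-15 17:29:19.729] uaa - 15 [https-jsse-nio-8443-exec-8] .... DEBUG --- '
    'wire: http-outgoing-0 << "{"error":"invalid_client","error_description":'
    '"AADSTS7000215: Invalid client secret is provided.\\r\\nTrace ID: '
    '00000000-0000-0000-0000-000000000000\\r\\nCorrelation ID: '
    '11111111-1111-1111-1111-111111111111\\r\\nTimestamp: 2020-10-15 17:29:19Z",'
    '"error_codes":[7000215],"timestamp":"2020-10-15 17:29:19Z",'
    '"trace_id":"00000000-0000-0000-0000-000000000000",'
    '"correlation_id":"11111111-1111-1111-1111-111111111111",'
    '"error_uri":"https://login.microsoftonline.com/error?code=7000215"}"'
)

# AADSTS codes meaning the token endpoint rejected the *client* itself (the
# relying-party configuration), not the user. 7000215 is the article's case;
# the other two are from Microsoft's AADSTS error list.
AADSTS_CLIENT_AUTH_HINTS = {
    7000215: "client secret does not match the app registration: re-paste the secret Value in the Operator Dashboard",
    7000222: "client secret has expired: create a new secret in Azure AD and update the Operator Dashboard",
    700016: "application (client) ID not found in this tenant: check client ID and tenant in the Operator Dashboard",
}


def parse_uaa_wire_error(line):
    """Extract the JSON body from an inbound UAA DEBUG 'wire: ... <<' line.

    Returns the parsed dict, or None for lines that carry no JSON body
    (for example the 'headers:' line with the HTTP status).
    """
    idx = line.find("wire: http-outgoing-")
    if idx < 0 or "<<" not in line[idx:]:
        return None
    start = line.find("{", idx)
    end = line.rfind("}")
    if start < 0 or end < start:
        return None
    # Apache HttpClient wire logging renders CR/LF bytes as "[\r][\n]";
    # turn those back into JSON string escapes before parsing.
    body = line[start:end + 1].replace("[\\r][\\n]", "\\r\\n")
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def explain_aad_error(body):
    """Map an Azure AD error body to a triage summary, keeping the IDs Support asks for."""
    codes = body.get("error_codes") or []
    code = codes[0] if codes else None
    if code is None:  # fall back to the AADSTS prefix in error_description
        m = re.search(r"AADSTS(\d+)", body.get("error_description", ""))
        code = int(m.group(1)) if m else None
    return {
        "error": body.get("error"),
        "code": code,
        "hint": AADSTS_CLIENT_AUTH_HINTS.get(code, "not a client-authentication failure; review the full UAA log"),
        "trace_id": body.get("trace_id"),
        "correlation_id": body.get("correlation_id"),
    }


def secret_paste_issues(secret):
    """Return the problems a copy/pasted client secret commonly has (empty list if none)."""
    issues = []
    if secret != secret.strip():
        issues.append("leading/trailing whitespace")
    if not secret.strip():
        issues.append("empty")
    # Azure AD lists both a 'Value' and a 'Secret ID' (a GUID) per secret;
    # only the Value authenticates the client, the GUID never will.
    if re.fullmatch(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}", secret.strip()):
        issues.append("looks like the Secret ID (GUID), not the secret Value")
    return issues


def probe_client_secret(tenant, client_id, client_secret, timeout=10):
    """Authenticate as the client alone against Azure AD's v2.0 token endpoint.

    client_credentials involves no user or browser, so the only thing Azure AD
    checks is the client ID/secret pair. Returns (http_status, parsed_body); a
    401 with AADSTS7000215 reproduces the article's failure outside UAA.
    Needs network access, so it is not exercised by the offline checks.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(url, data=form,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    print(json.dumps(explain_aad_error(parse_uaa_wire_error(SAMPLE_WIRE_LINE)), indent=2))
```

Run it against a real UAA log with the wire line pasted in place of SAMPLE_WIRE_LINE to get the AADSTS code, trace ID and correlation ID in one place; run probe_client_secret with the tenant, client ID and the secret you are about to paste into the Operator Dashboard to confirm Azure AD accepts that exact value before you save it and rebind.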

If all of the configuration in the Operator Dashboard is correct and you still get the 401 Unauthorized error, open a ticket with the Support team so they can review the UAA logs and determine the cause. Include the trace ID and correlation ID from the UAA debug log, since the identity provider can use them to look up the rejected request.