PAM-CMN-0982 When Configuring Entra ID (Azure AD) as the IdP

Article ID: 371208


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Microsoft Entra ID is being configured as the IdP in PAM, but the following error occurs when the Test button on the SAML configuration page is used to test the login.

SAML SSO TEST FAILED!
Error Message:
PAM-CMN-0982: SAML SSO Authentication Failure: Status Code: N/A. Status Message: This SP [44#####98] is not a valid audience for the assertion. Candidates were: [spn:44#####98]. SubStatus Code: N/A.

SAML AuthnRequest Message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#####" Version="2.0" IssueInstant="2024-07-01T20:44:35Z" Destination="https://login.microsoftonline.com/#####/saml2" ForceAuthn="true" AssertionConsumerServiceURL="https://PAMURL/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>44#####98</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Environment

Privileged Access Manager, all versions

Microsoft Entra ID (formerly Azure Active Directory)

Cause

The Entity ID under SP Configuration in PAM was not set correctly. The Azure AD as an Identity Provider (IdP) section of the documentation states that the Entity ID must match the Application ID URI, but in this instance it had been set to the Application ID itself. This is visible in the failing AuthnRequest above, whose <saml:Issuer> carries the bare Application ID rather than the Application ID URI, so Entra ID does not accept it as a valid audience for the application.
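
As an added example (not part of this article or of PAM's own code), the following Python check extracts the <saml:Issuer> from an AuthnRequest shaped like the ones above and applies the same rule Entra ID enforces: the Issuer must be one of the app's Application ID URIs, not the bare Application ID. The application ID, tenant and URLs in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder values; the real ones are redacted in the article.
APP_ID = "00000000-1111-2222-3333-444444444444"   # Application (client) ID
APP_ID_URIS = [f"api://{APP_ID}"]                 # Application ID URI(s) from the app Overview page

def build_authn_request(issuer: str) -> str:
    """Constructed AuthnRequest modelled on the ones PAM sends (ID, tenant and host are placeholders)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder" Version="2.0" '
        'IssueInstant="2024-07-01T20:44:35Z" ForceAuthn="true" '
        'Destination="https://login.microsoftonline.com/TENANT/saml2" '
        'AssertionConsumerServiceURL="https://PAMURL/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )

def extract_issuer(authn_request_xml: str) -> str:
    """Return the <saml:Issuer> value, i.e. the SP Entity ID that PAM presents to Entra ID."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no saml:Issuer")
    return issuer.text.strip()

def check_entity_id(issuer: str, app_id: str, app_id_uris: list[str]) -> tuple[bool, str]:
    """Mirror Entra ID's audience rule: the Issuer must be one of the app's Application ID URIs."""
    if issuer in app_id_uris:
        return True, f"Issuer {issuer} matches a registered Application ID URI"
    if issuer == app_id:
        # The exact misconfiguration behind PAM-CMN-0982 in this article.
        return False, (f"Issuer {issuer} is the bare Application ID; set PAM's SP Entity ID "
                       f"to the Application ID URI ({app_id_uris[0]})")
    return False, f"Issuer {issuer} is not among the app's Application ID URIs {app_id_uris}"

def diagnose(authn_request_xml: str) -> tuple[bool, str]:
    """Pre-flight the request PAM would send before using Test on the SAML configuration page."""
    return check_entity_id(extract_issuer(authn_request_xml), APP_ID, APP_ID_URIS)

if __name__ == "__main__":
    for req in (build_authn_request(APP_ID), build_authn_request(APP_ID_URIS[0])):
        ok, msg = diagnose(req)
        print("OK  " if ok else "FAIL", msg)
```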

Resolution

The Entity ID was updated to match the Application ID URI in Azure.


When the logon test was run again, it succeeded.

SAML SSO TEST RESPONSE

SAML NameID: [email protected]
SAML Xsuite User Name Attribute: [email protected]

Identity contained in the SAML assertion will be mapped to Xsuite user: [email protected].

SAML AuthnRequest Message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#####d" Version="2.0" IssueInstant="2024-07-01T22:33:18Z" Destination="https://login.microsoftonline.com/#####/saml2" ForceAuthn="true" AssertionConsumerServiceURL="https://PAMURL/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>api://44#####98</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Additional Information

To get the Application ID URI from Azure, go to Entra ID > App Registrations and click on the desired app. The Application ID URI will be listed on the Overview page.