PAM is configured for SAML authentication and is successful on appliances in the primary site, but the following error occurs almost immediately after clicking "Single Sign-On" on secondary appliances.
PAM-CMN-0926: Single sign-on authentication failed. Please contact your system administrator.
On inspection of the SAML configuration, the CertificateKeyPair was found to reference an older server certificate that did not exist on the secondary PAM appliances. The certificate was still present on appliances in the primary site, so SSO logins succeeded there. This scenario can arise either when the secondary appliances are newer and were recently added to the cluster, or when the older certificate was deleted as part of routine clean-up.
On the SAML configuration page in PAM, update the Certificate Key Pair to the current server certificate. This change will be propagated to all appliances in the cluster without restarting any services or rebooting appliances.
As a temporary workaround, the missing certificate can be downloaded from a primary appliance and uploaded to the secondary appliances until a change order can be raised to update the Certificate Key Pair to the current server certificate.
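The failure above comes down to one question: does every appliance in the cluster hold the certificate the SAML configuration references? The script below is an added example, not PAM's own code or API. It reads the certificate out of an SP metadata document (the ds:X509Certificate element inside a KeyDescriptor), computes its SHA-256 fingerprint, and compares it with a per-appliance certificate inventory, reporting which appliances would fail SSO. The metadata document, the appliance names, and the certificate bytes are all constructed stand-ins (the "DER" values are arbitrary bytes, not real X.509 certificates); how you export the metadata and the per-appliance certificate list from PAM is assumed, not shown.

```python
"""Cluster-wide consistency check for the certificate referenced by a SAML
configuration.  Added example, not PAM's own code.  All inputs below are
constructed stand-ins; the "DER" values are arbitrary bytes, not real
X.509 certificates, which is enough because a fingerprint is just a hash
of the DER encoding."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def referenced_cert_fingerprints(metadata_xml: str) -> set[str]:
    """Fingerprints of every certificate the metadata advertises in a
    KeyDescriptor (signing or encryption).  Whitespace inside the base64
    body is tolerated, as it is in real metadata exports."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for cert_el in root.iter(f"{{{DS_NS}}}X509Certificate"):
        der = base64.b64decode("".join((cert_el.text or "").split()))
        found.add(fingerprint(der))
    return found


def appliances_missing(referenced: set[str],
                       inventory: dict[str, list[bytes]]) -> dict[str, set[str]]:
    """Map each appliance to the referenced fingerprints it does not hold.
    An empty result means SSO can use the configured key pair everywhere."""
    missing = {}
    for name, certs in inventory.items():
        held = {fingerprint(der) for der in certs}
        gap = referenced - held
        if gap:
            missing[name] = gap
    return missing


# Constructed sample data: an old and a current server certificate.
OLD_CERT = b"constructed-old-server-certificate-der"
NEW_CERT = b"constructed-current-server-certificate-der"

# Constructed SP metadata whose signing key is still the OLD certificate,
# mirroring a CertificateKeyPair that was never updated.
METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://pam.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(OLD_CERT).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed per-appliance certificate inventory: the primary site still
# holds the old certificate, the secondary site (added later, or cleaned up)
# holds only the current one.
INVENTORY = {
    "primary-1": [OLD_CERT, NEW_CERT],
    "primary-2": [OLD_CERT, NEW_CERT],
    "secondary-1": [NEW_CERT],
    "secondary-2": [NEW_CERT],
}


def run_check() -> dict[str, set[str]]:
    """Run the consistency check over the constructed inputs."""
    return appliances_missing(referenced_cert_fingerprints(METADATA), INVENTORY)


if __name__ == "__main__":
    gaps = run_check()
    if not gaps:
        print("OK: every appliance holds the certificate the SAML configuration references")
    for appliance, fps in sorted(gaps.items()):
        for fp in sorted(fps):
            print(f"{appliance}: missing referenced certificate {fp} (SSO will fail here)")
```

Run the check after exporting the current SAML configuration and each appliance's certificate list, and again after updating the Certificate Key Pair to confirm the change has propagated; an empty result is the expected state.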