Federated login does not redirect back to the ClientNet portal post authentication with IDP
search cancel

Federated login does not redirect back to the ClientNet portal post authentication with IDP

book

Article ID: 408999

calendar_today

Updated On:

Products

Email Security.cloud

Issue/Introduction

Some users are unable to log in to ClientNet via federated login. While most users can authenticate successfully, a subset of users encounter issues where the login process does not redirect back to the ClientNet portal after authentication with the Identity Provider (IDP).

Observed Behaviour:

After successful authentication at the IDP (e.g., Office 365), users are redirected to:
https://accounts.security.com/oidc/redirect?error=INVALID_REQUEST&error_description

This prevents them from completing login to the ClientNet portal.

 

Steps to Reproduce

  1. User clicks Login with Symantec Account → https://identity.symanteccloud.com/symacct/login
  2. Redirected to → https://accounts.security.com/oidc/redirect
  3. User enters email/username → https://access.broadcom.com/default/ui/v1/signin/
  4. Redirected to IDP (e.g., Office 365) → https://login.microsoftonline.com/.../saml2
  5. User authenticates successfully at IDP.
  6. Redirected to ACS endpoint → https://access.broadcom.com/default/saml/v1/sp/acs
  7. Instead of logging in, final redirect results in error:
    https://accounts.security.com/oidc/redirect?error=INVALID_REQUEST&error_description

Environment

Symantec Email Security.Cloud 

Federated Login (SAML via IDP such as Office 365)

Cause

Analysis of HAR files shows that affected users’ POST requests to https://accounts.security.com include an invalid request error.

These failing requests do not reach the Symantec Email Security.Cloud (ClientNet) infrastructure.

Backend review revealed that the affected accounts were deactivated.

Resolution

  1. Request the Technical support team to check the impacted user accounts' status on the backend.

  2. Once accounts are reactivated, users can log in successfully with federated login.

  3. If the issue persists, share the .har file for further analysis.

Additional Information

Working vs. non-working authentication traces (SAML responses) confirm identical flows until the accounts.security.com request stage.

The difference arises only for deactivated accounts, which trigger the INVALID_REQUEST error.

If further assistance is required, please contact your mail administrator or raise a ticket with Broadcom Technical Support for further assistance.

Powered by Wolken Software