Failed SAML Assertion (EntraID SSO)

Hello All,

I was trying to set up SSO for a sandbox environment. However, after the setup is complete I am getting a SAML assertion failed error. I do see email as a claim in the SAML response and I am seeing successful SSO logs in Entra. I don’t see any failed logs in IDN, am I missing anything here?

Entra SSO setup:

IDP setup in IDN:

Thanks,
Shubham

Can you try once with SAML NameID as unspecified and uncheck exclude request auth?

Hi @HussainshaSyed001 ,
I tried it but same error. Anything else I can try?

Is this the first time you created it?

When you say you see email as a claim, ISC is only looking at the NameID assertion and seeing if it matches the email stored against the identity.

Yes this is a fresh setup.

@j_place
Yes, I see something like below and it matches the email attribute of the identity. What else should I look for?

Hi @Shubhams_009,

I would like you to validate whether the “mail” attribute in Entra ID and the “email” identity attribute in the SailPoint tenant are exactly the same, including case. If not, check whether any other attribute in Entra ID is matching, and update the Unique User Identifier in the Enterprise app configured in Entra ID to the identified attribute.

For instance, if the UPN attribute in Entra ID is the one that matches the email in SailPoint, including case, ask your Entra ID admin to update the Unique User Identifier of the SAML config in Entra ID to user.userprincipalname.

Question: how did you validate that you are seeing email in the claim? Did you use a SAML tracer? If you haven’t yet, I would highly recommend using a SAML tracer like SAML Chrome Panel (Chrome Web Store).

Good luck,
Amar Sheriff

Two things I can think of: entity ID of the IdP doesn’t match what ISC is expecting or the certificate can’t be validated.


Hi @Shubhams_009 Did you get this sorted?

Hello,

From your configurations, I can see that the SAML response NameID tag that you are referring to, to get the Email ID of the authenticated user, is “Email”.

Can you please check, using SAML Tracer in Firefox or the SAML plugin in Google Chrome, how Entra ID is passing the Email ID of the authenticated user: through an Unspecified NameID tag or an EmailID NameID tag?

I think they are passing it using the “Unspecified NameID Tag”? If it’s the Unspecified NameID tag, you need to change it accordingly. Refer to the sample screenshot below.

Regards,
Rohit Wekhande

Hi @rohit_wekhande With respect, the NameID attribute and format tag have been included in the posts above. Also, it is my understanding that, even if the email attribute has been included with an unspecified NameID format tag, correlation should still be successful if the value matches the email address stored in ISC. The SAML NameID configuration in ISC is just used in the SAML Request as a polite request for a format; the IdP is not obliged to respect it.
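The checks discussed in this thread (the NameID value, not the email attribute claim, is what gets correlated; the comparison against the stored email is exact, including case; the assertion's Issuer must equal the IdP entity ID the SP was configured with) can be run against a captured response before opening a support ticket. The script below is an added example written for this thread, not SailPoint or Entra code; the SAML response, tenant id, entity ID and addresses are constructed placeholders, and signature and certificate validation is assumed to happen separately.

```python
"""Offline diagnosis of a SAML Response for the correlation problems above.

Constructed example. It does not verify the XML signature; run it on a
response captured with a SAML tracer after the certificate check has been
ruled in or out separately.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder entity ID in the shape Entra ID uses (tenant id is all zeros).
SAMPLE_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed response: NameID is sent with the "unspecified" format, which an
# IdP may do regardless of the format the SP asked for, and the email claim
# differs from the NameID only by letter case.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_resp1" Version="2.0">
  <saml:Issuer>{SAMPLE_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{SAMPLE_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Jane.Doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Extract the fields that matter for correlation; None if no Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    email_claim = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name", "").lower().endswith("emailaddress"):
            email_claim = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "nameid": nameid.text.strip() if nameid is not None and nameid.text else None,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "email_claim": email_claim,
    }


def diagnose(xml_text, expected_idp_entity_id, stored_email):
    """Return human-readable findings; an empty list means the response should
    correlate (signature/certificate validity not covered here)."""
    info = parse_assertion(xml_text)
    if info is None:
        return ["no Assertion element in the response"]
    findings = []
    # Entity ID comparison is an exact string match, trailing slash included.
    if info["issuer"] != expected_idp_entity_id:
        findings.append("issuer mismatch: assertion Issuer %r is not the IdP entity ID "
                        "configured on the SP %r" % (info["issuer"], expected_idp_entity_id))
    # Correlation uses the NameID, not the emailaddress attribute claim.
    if info["nameid"] is None:
        findings.append("no NameID in Subject; an email attribute claim alone is not "
                        "used for correlation")
    elif info["nameid"] != stored_email:
        if info["nameid"].lower() == stored_email.lower():
            findings.append("NameID %r differs from stored email %r only by case"
                            % (info["nameid"], stored_email))
        else:
            findings.append("NameID %r does not match stored email %r"
                            % (info["nameid"], stored_email))
    return findings


if __name__ == "__main__":
    # Stored identity email in lower case: flags the case-only difference.
    for line in diagnose(SAMPLE_RESPONSE, SAMPLE_ENTITY_ID, "jane.doe@example.com"):
        print(line)
```

Replace the sample response with the base64-decoded SAMLResponse from the tracer, the entity ID with the value configured on the ISC identity provider, and the stored email with the identity's email attribute; an unspecified NameID format is reported as information only, since it does not by itself break correlation.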

Yes, the correlation should work, and the identity attribute mapping should have the value that matches the Email Address coming from the SAML Response.

I might have missed the screenshot of SAML Response coming from Entra ID.

Hi Rohit,

I tried that too but no luck.


Hi @j_place,

No. We have a ticket open with support to provide any authN failure logs. I will keep you all posted.

Thanks,

Thanks!

It seems now that authentication and sending the EmailID through the SAML Response is not an issue.

Seems to be an issue with the Federation Configs in ISC. Keep us posted.

Regards,
Rohit Wekhande.

Hi all,

So the issue was with an incorrect EntityID, as @j_place suggested. Thank you all for the responses.
