SSO into ISC with Azure AD failure

Hi Team,

We are trying to configure SSO into ISC using Azure AD. Azure AD is our identity provider and ISC is our service provider.
All the configurations are made as per the below document provided by Sailpoint.

However, we receive an error when we try to log in using the SSO.
Error: FailedSAMLAssertionError

Attaching the error for reference.

Kindly help us in sorting this out.

Hi @SayanthBR Welcome to the community! You need to make sure that ISC knows how to correlate the Entra NameID in the SAML Token (default UPN) to an Identity Attribute in ISC (probably Email). If you have some funky UPN/Email stuff going on, check the Attribute mapping for NameID on the Entra side. Check the Identity Mapping Attribute in the ISC SAML config. For this sort of diagnosis, it's always good to enable Developer Tools on your browser and get a SAML inspector, so you can see the actual token being passed.

Hi @SayanthBR ,

Have you verified that the user was already invited and registered in the SailPoint tenant? It seems the SSO was successful from the Azure side.

Regards,
Karthi

Hello Karthikeyan,

Thanks for responding.

Yes, the user is registered in the ISC tenant.

Hello Jeremy,

Thanks for responding.

Yes, we have made the mappings correctly from Azure and ISC side.

Please find the attached screenshot of SAML configurations and let me know if any changes are needed.

Hi @SayanthBR - are the UPNs in Entra the same as Emails in ISC?

Hi Jeremy,

The values are different in Azure UPN and ISC emails.

I’m going to assume the email values are the same between Entra and ISC and that you have a default Entra configuration where NameID=UPN.

You need to update your Entra Enterprise Application SSO SAML configuration for ISC to map email to NameID, i.e. NameID=Email.

See Customize SAML token claims - Microsoft identity platform | Microsoft Learn


Hi @SayanthBR Did this help?

Jeremy is correct. I had a similar issue.

Creating a SAML transform rule to remove our domain suffix to match our uid or Account Name was required so that a default match is found.


Hello Jeremy,

We have tried this way but unfortunately no luck.

Trying to understand more about this from Azure side.
I will keep updates here.

Hello Paul,

Can you please provide insights as to where exactly to configure a rule?
I do not see anything for configuring such a rule in the service provider settings.

Thanks in advance.

Hi Sayanth. Have you used Chrome Dev tools to examine the SAML? Maybe paste the redacted SAML here?

Hi @SayanthBR,

Sure.

Navigate to Entra ID (formerly Azure AD)

Select Applications > Enterprise applications

Under Search by application name or object id, search for your application.

This would be the friendly name of the enterprise app you configured for SailPoint.

Select Single sign-on.

Under section 2, Attributes & Claims, select Edit.

Under Required claim, select Unique User Identifier (Name ID).

Ensure the Name identifier format matches what is configured on the SailPoint tenant under the Service Provider section. In our example, we use unspecified.

By default, the Source attribute section is set to user.userprincipalname. This is where you will want to swap to user.mail etc.

Click Save.

Transforms
If needed, this is where you can create the transformations.

Select the radio Transformation.

Select the drop-down for the type of transformation.
Select the desired type.

If you need more than one, you can click Add to add another.

In my example, I have ExtractMailPrefix(), which removes the domain, leaving everything before the “@,” and then I apply ToLower(), which applies lowercase formatting.

Transform Example:



Additional Resources:
Microsoft Documentation
Customize SAML token claims - Microsoft identity platform | Microsoft Learn

SAML TRACER
@j_place makes a great suggestion. If you have not already done so, installing a SAML Tracer add-on in your web browser is a great way to examine what is being sent and received during authentication.

SAML-tracer - Chrome Web Store

Regards,
Paul


Hi Jeremy and Paul,

We are able to establish SSO now, but by explicitly creating the UPN value in ISC to match the value in Azure.
We are checking if we can do it in a similar way using the email value.
I will keep you posted.

Hi @SayanthBR You shouldn’t need to do this if you have explicitly mapped the Unique User Identifier (Name ID) to Email Address in the Azure Enterprise App Single Sign On configuration and use the Email Address as the Identity Mapping Attribute in the ISC SAML config. But again, as both Paul and I have stressed, you really need to examine the SAML token using browser dev tools to do any meaningful diagnosis.
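The check Jeremy and Paul keep asking for, as an added example that is not from this thread, SailPoint or Microsoft: a small Python script that decodes a SAML Response captured with a SAML tracer, pulls out the NameID value and its Format, and tests whether that value matches an ISC identity attribute. The token and the identity list are constructed, and the ExtractMailPrefix()/ToLower() functions are local stand-ins whose behaviour is assumed from Paul's description.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample: a minimal SAML Response shaped like an Entra token,
# base64-encoded as it would appear in a SAML-tracer capture (not a real token).
SAML_RESPONSE_B64 = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      >Jane.Doe@Corp.Example</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>""").decode()

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed ISC identities: the attribute ISC correlates on must equal the NameID.
ISC_IDENTITIES = {
    "jane.doe": {"uid": "jane.doe", "email": "jane.doe@corp.example"},
}


def extract_name_id(response_b64: str) -> Tuple[str, str]:
    """Decode a SAML Response and return (NameID value, NameID Format)."""
    root = ET.fromstring(base64.b64decode(response_b64))
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("assertion carries no NameID")
    return node.text.strip(), node.attrib.get("Format", "")


# Local stand-ins for the Entra claim transforms named in the thread (assumed behaviour).
def extract_mail_prefix(value: str) -> str:
    return value.split("@", 1)[0]          # everything before the "@"


def to_lower(value: str) -> str:
    return value.lower()


def correlate(name_id: str, attribute: str) -> Optional[str]:
    """Return the ISC identity whose mapping attribute exactly equals the NameID, else None."""
    for ident, attrs in ISC_IDENTITIES.items():
        if attrs.get(attribute) == name_id:
            return ident
    return None                            # no match: the FailedSAMLAssertionError case
```

Run correlate() on the raw NameID first; a None result with the email attribute shows the mismatch, and re-running after the two transforms against uid shows what the claim rule fixes.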
