Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,446 questions
Need help configuring Enterprise application to authenticates with Entra ID using SAML2.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 98%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
Claudio Sao Paulo
20
Reputation points
Hello,
I am trying to setup an Enterprise application to authenticates with Entra ID using SAML2.
This application supports creating a "Single SSO user", which is working properly and it also supports creating a "Group", which is not working for me.
Here is how the application works according to the guide:
After users of type Group – SSO with User Directory authenticate with the identity provider, the application queries the organization’s Active Directory domain server to verify the user’s group membership. For the execution of this query, the application requires that the identity provider supply either one or both of the following user information, as attributes in its SAML response to the application (the service provider):
sAMAccountName in the format:
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
userPrincipalName in the format:
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
My environment:
Windows 2019 Active Directory not routable with my local domain (example: myemail.local) running Cloud Sync with "Microsoft Entra Agent
Entra ID configured with mydomain.onmicrosoft.com
I have configured the Cloud Sync "AD to Microssoft Entra ID" and "Microssoft Entra ID to AD" and the status shows Healthy and angent enabled.
I can see my local groups were populated at Entra ID.
In my "Set up single sign on" attributes & claims I have the following:
Troubleshooting:
As mentioned above, it works properly if using "single SSO user".
To validate if it could be something related to my AD or group, I have configured to authenticate as group without Entra ID (authenticating at AD) and it works fine.
I can see that the user coming from Entra ID match the local user (as expected)
Issue:
When using "Group – SSO with User Directory", it authenticates successfully at Entra ID, but my application shows that my user do not have permission.
The application Logs shows:
2024-09-09 13:49:22,996 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [email@myemail.local] with attributes [{http://schemas.microsoft.com/claims/authnmethodsreferences=[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password], http://schemas.microsoft.com/identity/claims/displayname=[MyName M LastName], http://schemas.microsoft.com/identity/claims/identityprovider=[https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/], http://schemas.microsoft.com/identity/claims/objectidentifier=[8f03a0d1-1630-44b5-992a-c6e5f83468a0], http://schemas.microsoft.com/identity/claims/tenantid=[b5ec508d-5644-4490-995f-5245a80d246d], http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[S-1-5-21-519022008-3246580128-554511010-1103], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=[LastName], notBefore=2024-09-09T18:44:22.689Z, notOnOrAfter=2024-09-09T19:49:22.689Z, sessionindex=_65b32aaa-d52b-4ba9-98d3-531ef4543a00}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@695522b0[id=email@myemail.local]]].>
2024-09-09 13:49:23,019 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [email@myemail.local] with attributes [{http://schemas.microsoft.com/claims/authnmethodsreferences=[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password], http://schemas.microsoft.com/identity/claims/displayname=[MyName M LastName], http://schemas.microsoft.com/identity/claims/identityprovider=[https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/], http://schemas.microsoft.com/identity/claims/objectidentifier=[8f03a0d1-1630-44b5-992a-c6e5f83468a0], http://schemas.microsoft.com/identity/claims/tenantid=[b5ec508d-5644-4490-995f-5245a80d246d], http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[S-1-5-21-519022008-3246580128-554511010-1103], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=[LastName], notBefore=2024-09-09T18:44:22.689Z, notOnOrAfter=2024-09-09T19:49:22.689Z, sessionindex=_65b32aaa-d52b-4ba9-98d3-531ef4543a00}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@695522b0[id=email@myemail.local]]].>
2024-09-09 13:49:23,939 WARN [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>
2024-09-09 13:49:23,939 WARN [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>
2024-09-09 13:49:23,940 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2024-09-09 13:49:23,940 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2024-09-09 13:49:24,235 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted ticket [ST-8-g5yOMMZJZ1IZOgTFiysf-LPxyfs-device] for service [https://unknown005056be2e56.attlocal.net/vendorapp-client/login/fsum?target=%2F%23%2Fweb-em%2Fdashboards] and principal [email@myemail.local]>
SAML messages from chrome extension:
<samlp:Response
ID="_eb69f416-9c29-4c03-9559-66fc35890c15"
Version="2.0"
IssueInstant="2024-09-09T19:21:24.052Z"
Destination="https://unknown005056be2e56.attlocal.net/fsum/login?
client_name=SAML2Client"
InResponseTo="_vmgltt2lvdakgcyz4r0jhcyhm5u4ybmijlq25kw"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/
</Issuer>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion
ID="_8015bb1a-38c0-4050-938c-18c59d3ed500"
IssueInstant="2024-09-09T19:21:24.048Z"
Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/</Issuer>
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference
URI="#_8015bb1a-38c0-4050-938c-18c59d3ed500">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>Ir0dAcFcqi+V9M3Xy5dVv868mqewfwg2wPaWPq+
Bo5w=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>vpBYF4MDqrbwgHnpypUrq6u6mHY+SHsNuNvEaE8wsEsWgiFWSvSpditExP5ufgYmNYFo9wd8KQ3kGfWqtczS+NVMnE0LXDS8VIzauOWbUsaAv9y4b/HnP31tMVzYonPBxtbwQyZNOILvAxQDBMbIFLTtJO4HDcJ+MIkeNTz3eCSmu+/uoP2IJPP30snxnrYDDmNsQvf2U5epaQBOY00HOqnUv514Kf2jvQHuRQnMYHDJ4Qph5q95Lr5c9XGTTlTMXNukAV55xKtcktmUIEcAWEOEzjSsa3Y8BID5Wr+kGvRJ/LTPEF3gMFk3DBzrK2kxCIAfewqB0PQKlqMt6P/
afw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC8DCCAdigAwIBAgIQf4Hq5EPcQLpI920Wf5J5FDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yNDA5MDgxNzA0NTNaFw0yNzA5MDgxNzA0NTJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5O5mGey6xkC3E4ym3VOo2A4oCUBRVf58D4QfSgfyUpxjuvPHuJ6kH2RBCIumkBUgAMKTgj+LTS1pdDbEuaP3CBL3y6t+YbgtWFlaaAUp4od3ps1Vb1/gi4/Fnwf+NzuJdsiZhsrpU5jRavHLKm2rD1ayhvL8DwVpE0X2bfeSFGt3lEFIKskli5HhblxQz+RrRbpX6ap4pXi6Aou8UOWnqhFqDeV1xAQnnH58w5VDJOBiQZirTzPVY95jSyUFslK3fGM5Sq3rrXZZ+K5cwpEBWjveJoQT+Y+BELpzcpyUUUH6s9DGOkERERITcZyOBw6rX1ZQ8isBhr8JKb3uoqpwYQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBHYfKU2SyyZsNaExzxAfjZcNM+tTjiwPyNUPq/tXRhKL0FsBKWz9X4u5rWtloZtqa0cDluJpHDjII4plv/QBgn5NA9VpfXNPa561uvigye3kaV6CFONo9UmlxCLn1A+tRSK0jftcVO6cBZP8yHffcH8V+cmbNghfy3ytW3XdDIV9vDtXSVXnSVxPTpyUZ0nqxPexlQu3spdWd0YnIJFk/oqOXtA/8klIbHCrPXXnXCmm4dsA0Tce95IahzWB4jqMC/q5TDKJDFY2h3xvy0TijeP3yLxLkmaTIO3CuH5kaFvjUiJvghjmI9VBS8LeNMYoogxnd+p5jgnR3ioLX3yKDK</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">email@myemail.local
</NameID>
<SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData
InResponseTo="_vmgltt2lvdakgcyz4r0jhcyhm5u4ybmijlq25kw"
NotOnOrAfter="2024-09-09T20:21:23.856Z"
Recipient="https://unknown005056be2e56.attlocal.net/fsum/login?
client_name=SAML2Client"/>
</SubjectConfirmation>
</Subject>
<Conditions
NotBefore="2024-09-09T19:16:23.856Z"
NotOnOrAfter="2024-09-09T20:21:23.856Z">
<AudienceRestriction>
<Audience>https://unknown005056be2e56.attlocal.net</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute
Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>b5ec508d-5644-4490-995f-5245a80d246d</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>8f03a0d1-1630-44b5-992a-c6e5f83468a0</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>MyName M LastName</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>S-1-5-21-519022008-3246580128-554511010-1103</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>MyName</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>LastName</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>MyName</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement
AuthnInstant="2024-09-09T19:21:20.455Z"
SessionIndex="_8015bb1a-38c0-4050-938c-18c59d3ed500">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Raja Pothuraju 5,345 Reputation points Microsoft Vendor2024-09-17T10:21:32.04+00:00 Hello @Claudio Sao Paulo,
Thank you for posting your query on Microsoft Q&A.
Based on your description, it seems that you have a SAML application configured in Entra ID, and the authentication process is working fine. However, after authentication, your application’s home page is displaying an error stating that "the user does not have permission." From the SAML response you shared, the authentication appears to be successful.
I would like to investigate this issue further with you offline to better understand the scenario and determine why this behavior is occurring. Please send me an email at 'AzCommunity@microsoft.com' with the subject: "Attn: Pothurajur" and include the link to this thread/post in the email body.
We can then connect offline to discuss the issue in more detail.
Thanks,
Raja Pothuraju. -
Raja Pothuraju 5,345 Reputation points Microsoft Vendor
2024-09-18T23:45:00.84+00:00 Hello @Claudio Sao Paulo,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Sign in to comment
Sign in to answer