Common Issues (ADFS and Azure)

This article highlights Common Issues when setting up Single Sign-On using ADFS and Azure. It contains the following sections:

  1. ADFS and Azure
  2. ADFS

1. ADFS and Azure

- Selecting the wrong certificates to upload

  • Azure meta data contains 8 certificates but it is the one of the two encapsulated in the <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> that should be used.
1. ADFS and Azure
  • ADFS contains 3 – Should be the token signing certificate

- Using https:// instead of http:// in the Cezanne configuration for the UID field (System Setup >> Security Settings >> Single Sign-On Configuration)

- Mapping the correct user account from AD – Cezanne (Typically the User Principle Name) People tend to pick email address for this but the UPN can be set to be anything. This can be checked by looking at the AD object attributes

If the user is created in Azure Active Directory the user principle name is typically the user name:

  • SSO was working and isn't now (No internal configuration changes made)

If your Single Sign-On was working, and no internal changes have been made to your configuration (such as a change of directory or domain name), try uploading the alternative certificate from the Azure Federation Metadata page into Cezanne OnDemand.

For more information about uploading certificates, see: Single Sign-On: Using SAML 2.0 to Implement Azure Active Directory Single Sign-On for Cezanne OnDemand.


- Server times need to be in sync to a relatively high precision this can be adjusted if need be by using PowerShell on your ADFS server:

  • Step 1 not required for windows server 2012 and above
  1. Add-PSSnapin Microsoft.Adfs.PowerShell
  2. Get-ADFSRelyingPartyTrust
  3. Set-ADFSRelyingPartyTrust -TargetIdentifier <identifier name> -NotBeforeSkew <New Value>
  • Set-ADFSRelyingPartyTrust -TargetIdentifier -NotBeforeSkew 1 (skews for 1 min)

- If your tenant identifier has changed this will need to be updated in ADFS. e.g.<<Tenant Identifier>>/saml/metadata


ADFS does not automatically update the metadata and this needs to be done manually by right clicking on the ADFS entry and selecting the “Update from Federation Metadata” option. On the following screen click update.

Bad Request - Request Too Long

ADFS is setting a number of large-sized cookies that is causing the overall size of the request to exceed the ADFS server’s max request size limit.

  • The solution is to use the developer tools to clear all the cookies for the ADFS server domain.

Windows 2008/2008R2 Servers

Windows 2008/2008R2 Servers

If you receive the above error message, you will need to apply a hotfix from Microsoft. For more information, see: Microsoft Hotfix.