Common Issues (ADFS and Azure)
This article highlights Common Issues when setting up Single Sign-On using ADFS and Azure. It contains the following sections:
1. ADFS and Azure
- Selecting the wrong certificates to upload
- The Azure federation metadata lists 8 certificates, but only the two held inside the <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> element are the SAML signing certificates; one of those two is the one to upload. The others belong to the WS-Federation role descriptor and to the signature over the metadata document itself.
- The ADFS metadata contains 3 certificates (service communications, token-decrypting and token-signing); it is the token-signing certificate that should be used.
If the user is created in Azure Active Directory, the user principal name (UPN) is typically the user name:
- SSO was working and isn't now (No internal configuration changes made)
If your Single Sign-On was working, and no internal changes have been made to your configuration (such as a change of directory or domain name), the most likely cause is that Azure has rolled over its signing certificate: tokens are now signed with the other of the two certificates listed in the IDPSSODescriptor. Try uploading the alternative certificate from the Azure Federation Metadata page into Cezanne OnDemand.
For more information about uploading certificates, see: Single Sign-On: Using SAML 2.0 to Implement Azure Active Directory Single Sign-On for Cezanne OnDemand.
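The following script is an added example for the certificate-selection point above; it is not code from the article, from Cezanne or from Microsoft. It reads a downloaded copy of the Azure federation metadata, counts every certificate in the file, then extracts only the SAML signing certificates found inside IDPSSODescriptor and writes each to a .cer file with its thumbprint and validity dates, so you can see which of the two Cezanne OnDemand currently holds and which is the "alternative". The metadata path, output folder and download URL are assumptions for the example; replace <tenant-id> with your own tenant.

```powershell
# Added example (not from the original article): pick the SAML signing certificates out of
# the Azure federation metadata. Only KeyDescriptor elements inside IDPSSODescriptor are
# SAML signing certificates; the remaining X509Certificate elements in the file belong to
# the WS-Federation RoleDescriptor and to the signature over the metadata itself.
# Assumed paths; run as: .\Get-AzureSamlSigningCerts.ps1 -MetadataPath C:\temp\fedmeta.xml
param(
    [string]$MetadataPath = "$env:TEMP\federationmetadata.xml",
    [string]$OutDir       = "$env:TEMP\azure-saml-signing-certs"
)

# Download the metadata first (assumed URL pattern for the tenant-specific federation metadata):
#   Invoke-WebRequest "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml" -OutFile $MetadataPath

[xml]$md = Get-Content -Path $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Count every certificate in the file so the "8 listed, 2 usable" situation is visible.
$all = $md.SelectNodes('//ds:X509Certificate', $ns)

# Restrict to the SAML 2.0 IdP role and to KeyDescriptors usable for signing
# (no @use attribute means the key may be used for both signing and encryption).
$xpath = "//md:IDPSSODescriptor[contains(@protocolSupportEnumeration,'urn:oasis:names:tc:SAML:2.0:protocol')]" +
         "/md:KeyDescriptor[@use='signing' or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$signing = $md.SelectNodes($xpath, $ns)
Write-Host "Certificates in metadata: $($all.Count); SAML IdP signing certificates: $($signing.Count)"

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$i = 0
foreach ($node in $signing) {
    $i++
    # The element holds base64 DER; strip whitespace before decoding.
    $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $der)
    $file = Join-Path $OutDir "azure-saml-signing-$i.cer"
    [IO.File]::WriteAllBytes($file, $der)
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        File       = $file
    }
}
```

Compare the thumbprints in the output with the certificate already uploaded to Cezanne OnDemand; if SSO has stopped working with no configuration change, upload the .cer whose thumbprint does not match. Certificates from elsewhere in the file will never validate an Azure SAML response, however valid they look.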
2. ADFS
- Server clocks need to be closely in sync. The service provider checks the NotBefore and NotOnOrAfter conditions in each assertion, so if the Cezanne OnDemand clock is behind the ADFS clock by more than the allowed tolerance, every token is rejected as "not yet valid". Fix the time source first; if the clocks still cannot be brought into sync, the tolerance can be adjusted using PowerShell on your ADFS server:
- Step 1 is not required for Windows Server 2012 and above (the ADFS cmdlets are loaded automatically)
- Add-PSSnapin Microsoft.Adfs.PowerShell
- Get-ADFSRelyingPartyTrust
- Set-ADFSRelyingPartyTrust -TargetIdentifier <identifier name> -NotBeforeSkew <New Value>
- Set-ADFSRelyingPartyTrust -TargetIdentifier https://w3.cezanneondemand.com/CezanneOnDemand/ -NotBeforeSkew 1 (the value is in minutes; ADFS backdates the NotBefore condition of tokens it issues to this trust by 1 minute)
- Keep the skew as small as possible. Every minute added extends the window in which a captured assertion is still accepted by the service provider.
- If your tenant identifier has changed, the relying party identifier and metadata URL configured in ADFS will need to be updated to match, e.g. https://w3.cezanneondemand.com/CezanneOnDemand/-/<<Tenant Identifier>>/saml/metadata
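The clock-skew and identifier steps above, combined into one script as an added example; this is not code from the article or from Cezanne. It measures the offset between the ADFS server and a time source with w32tm before touching the skew, loads the ADFS snap-in only where it is needed (Windows Server 2008/2008 R2), shows the current settings of the Cezanne OnDemand relying party trust, and raises NotBeforeSkew only if it is below the small value wanted. The relying party identifier is the one from the article; the time source, the threshold and the desired skew value are assumptions for the example.

```powershell
# Added example (not from the original article): check time sync, then inspect and adjust
# NotBeforeSkew on the Cezanne OnDemand relying party trust. Run in an elevated PowerShell
# session on the ADFS server.
$RpIdentifier = 'https://w3.cezanneondemand.com/CezanneOnDemand/'   # identifier from the article
$TimeSource   = 'time.windows.com'                                  # assumed NTP peer
$DesiredSkew  = 1                                                    # minutes; keep this small
$MaxOffsetSec = 5                                                    # assumed threshold for "clock is wrong"

# 1. Measure this server's offset against the time source (w32tm ships with Windows).
#    /dataonly lines look like "12:34:56, +00.0123456s"; pull the signed seconds value.
$samples = w32tm /stripchart /computer:$TimeSource /samples:3 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match ',\s*([-+]?\d+\.\d+)s') { [double]$Matches[1] }
}
if ($offsets) {
    $maxAbs = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    Write-Host ("Clock offset against {0}: up to {1:N3}s" -f $TimeSource, $maxAbs)
    if ($maxAbs -gt $MaxOffsetSec) {
        Write-Warning "Clock is off by more than ${MaxOffsetSec}s. Run 'w32tm /resync' and fix the time source before widening the skew."
    }
}

# 2. Windows Server 2008/2008 R2 need the ADFS snap-in; 2012 and above load the module automatically.
if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# 3. Show the current settings of the trust. If the tenant identifier has changed, the
#    lookup fails here and the trust needs its Identifier / MetadataUrl updated, e.g.
#    Set-AdfsRelyingPartyTrust -TargetName '<trust name>' -MetadataUrl '<new metadata URL>'
#    followed by Update-AdfsRelyingPartyTrust -TargetName '<trust name>'.
$rp = Get-AdfsRelyingPartyTrust -Identifier $RpIdentifier
if (-not $rp) { throw "No relying party trust with identifier $RpIdentifier; check whether the tenant identifier has changed." }
$rp | Select-Object Name, Identifier, NotBeforeSkew, TokenLifetime, MetadataUrl | Format-List

# 4. Raise the skew only as far as needed. Each extra minute lengthens the window in which
#    an intercepted assertion is still accepted by the service provider.
if ($rp.NotBeforeSkew -lt $DesiredSkew) {
    Set-AdfsRelyingPartyTrust -TargetIdentifier $RpIdentifier -NotBeforeSkew $DesiredSkew
    Write-Host "NotBeforeSkew raised from $($rp.NotBeforeSkew) to $DesiredSkew minute(s)."
} else {
    Write-Host "NotBeforeSkew already $($rp.NotBeforeSkew) minute(s); no change made."
}
```

If the offset reported in step 1 is large, stop there: a skew value that merely papers over a broken time source will need to grow again as the drift increases, and each increase weakens replay protection for every user of the trust.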
Windows 2008/2008R2 Servers
If you receive the above error message, you will need to apply a hotfix from Microsoft. For more information, see: Microsoft Hotfix.