-
Titolo
Log on fails for External Federation provider on VMware or Hyper-V platforms after a v6.0 upgrade or backup restore. -
Descrizione
This KB article applies to Hyper-V and VMware platforms only (not hardware appliances or cloud VMs).External Federation log ons will fail with v6.0.- If you configured an External Federation Identity and Authentication Provider, a login attempt using the External Federation provider will fail after upgrading to SPP version 6.0 or greater.
- After upgrading to v6.0, or after restoring a backup taken prior to 6.0 while running 6.0, the log on to an existing External Federation provider will fail.
When you log into Microsoft's Azure Active Directory (AAD) with your username and password, you may get an error message like this one: Application with identifier was not found....
-
Causa
The app registration’s Application ID URI value is incorrect and must be reset. -
Risoluzione
To fix the log on problem, you must edit the app registration’s Application ID URI and enter Safeguard for Privileged Password’s new entityID from the SAML metadata.
1. Log into Safeguard for Privileged Passwords. You will be redirected from the Safeguard for Privileged Passwords log in page to the AD FS server.2. Log into Microsoft's Active Directory Federation Services (AD FS). If you see a message like: An error occurred, continue.3. Open a web browser and go to:https:///RSTS/Saml2FedMetadata4. Select and copy the value of the entityID attribute.
5. Go to the Microsoft Azure portal and click the Edit link to update the corresponding app registration’s Application ID URI with the value you copied.
Error condition
If you get an error message like: An error occurred, take the following additional steps.1. Look at the AD FS Admin log in the Windows Event Viewer on the AD FS server, for an entry like:
Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://f352d4ad93db4be5f27c6355b1c8b7783d59e5bc/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
2. Edit the Relying Party Trust for the corresponding application in the AD FS Management program.
a. Open a web browser and go to:
https:///RSTS/Saml2FedMetadata
b. Select and copy the value of the entityID attribute:
c. Edit the properties of the corresponding Relying Party Trust in the AD FS Management program and go to the Identifiers tab.d. On the Identifiers tab, add the new identifier value and then remove the old one. (Refer to the illustration below.) Paste the new value, click Add, then remove the old value.
3. Update the signing certificate that AD FS has a copy of for this application.
a. Open you web browser and go to:
https:///RSTS/SigningCertificate?download=true
b. Note the certificate file that is automatically downloaded. Or, follow the prompts to download the file.
4. Return to the AD FS Management program.
a. From the application’s properties., go to the Signature tab.
b. Add the new certificate.
c. Delete the old certificate.
For more general information, see the section, How do I create a relying party trust for the STS in the Safeguard for Privileged Passwords Administration Guide. The topic includes links to other Knowledge Base articles on configuring Relying Party Trusts for Microsoft's AD FS and Microsoft's Azure AD.