You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/manage-apps/debug-saml-sso-issues.md
+12-12Lines changed: 12 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,13 +9,13 @@ ms.service: active-directory
9
9
ms.subservice: app-mgmt
10
10
ms.topic: troubleshooting
11
11
ms.workload: identity
12
-
ms.date: 05/27/2022
12
+
ms.date: 06/15/2023
13
13
ms.custom: enterprise-apps
14
14
---
15
15
16
16
# Debug SAML-based single sign-on to applications
17
17
18
-
Learn how to find and fix [single sign-on](what-is-single-sign-on.md) issues for applications in Azure Active Directory (Azure AD) that use SAML-based single sign-on.
18
+
In this article, you learn how to find and fix [single sign-on](what-is-single-sign-on.md) issues for applications in Azure Active Directory (Azure AD) that use SAML-based single sign-on.
19
19
20
20
## Before you begin
21
21
@@ -33,10 +33,10 @@ To download and install the My Apps Secure Sign-in Extension, use one of the fol
33
33
To test SAML-based single sign-on between Azure AD and a target application:
34
34
35
35
1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator or other administrator that is authorized to manage applications.
36
-
1. In the left blade, select **Azure Active Directory**, and then select **Enterprise applications**.
37
-
1. From the list of enterprise applications, select the application for which you want to test single sign-on, and then from the options on the left select **Single sign-on**.
36
+
1. In the left navigation pane, select **Azure Active Directory**, and then select **Enterprise applications**.
37
+
1. From the list of enterprise applications, select the application for which you want to test single sign-on, and then from the options on the left, select **Single sign-on**.
38
38
1. To open the SAML-based single sign-on testing experience, go to **Test single sign-on** (step 5). If the **Test** button is greyed out, you need to fill out and save the required attributes first in the **Basic SAML Configuration** section.
39
-
1. In the **Test single sign-on**blade, use your corporate credentials to sign in to the target application. You can sign in as the current user or as a different user. If you sign in as a different user, a prompt will ask you to authenticate.
39
+
1. In the **Test single sign-on**page, use your corporate credentials to sign in to the target application. You can sign in as the current user or as a different user. If you sign in as a different user, a prompt asks you to authenticate.
40
40
41
41
42
42
@@ -54,10 +54,10 @@ To debug this error, you need the error message and the SAML request. The My App
54
54
55
55
### To resolve the sign-in error with the My Apps Secure Sign-in Extension installed
56
56
57
-
1. When an error occurs, the extension redirects you back to the Azure AD **Test single sign-on**blade.
58
-
1. On the **Test single sign-on**blade, select **Download the SAML request**.
57
+
1. When an error occurs, the extension redirects you back to the Azure AD **Test single sign-on**page.
58
+
1. On the **Test single sign-on**page, select **Download the SAML request**.
59
59
1. You should see specific resolution guidance based on the error and the values in the SAML request.
60
-
1. You'll see a **Fix it** button to automatically update the configuration in Azure AD to resolve the issue. If you don't see this button, then the sign-in issue isn't due to a misconfiguration on Azure AD.
60
+
1. You see a **Fix it** button to automatically update the configuration in Azure AD to resolve the issue. If you don't see this button, then the sign-in issue isn't due to a misconfiguration on Azure AD.
61
61
62
62
If no resolution is provided for the sign-in error, we suggest that you use the feedback textbox to inform us.
63
63
@@ -66,7 +66,7 @@ If no resolution is provided for the sign-in error, we suggest that you use the
66
66
1. Copy the error message at the bottom right corner of the page. The error message includes:
67
67
- A CorrelationID and Timestamp. These values are important when you create a support case with Microsoft because they help the engineers to identify your problem and provide an accurate resolution to your issue.
68
68
- A statement identifying the root cause of the problem.
69
-
1. Go back to Azure AD and find the **Test single sign-on**blade.
69
+
1. Go back to Azure AD and find the **Test single sign-on**page.
70
70
1. In the text box above **Get resolution guidance**, paste the error message.
71
71
1. Select **Get resolution guidance** to display steps for resolving the issue. The guidance might require information from the SAML request or SAML response. If you're not using the My Apps Secure Sign-in Extension, you might need a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML request and response.
72
72
1. Verify that the destination in the SAML request corresponds to the SAML Single Sign-on Service URL obtained from Azure AD.
@@ -75,13 +75,13 @@ If no resolution is provided for the sign-in error, we suggest that you use the
75
75
76
76
## Resolve a sign-in error on the application page
77
77
78
-
You might sign in successfully and then see an error on the application's page. This occurs when Azure AD issued a token to the application, but the application doesn't accept the response.
78
+
You might sign in successfully and then see an error on the application's page. This error occurs when Azure AD issued a token to the application, but the application doesn't accept the response.
79
79
80
80
To resolve the error, follow these steps, or watch this [short video about how to use Azure AD to troubleshoot SAML SSO](https://www.youtube.com/watch?v=poQCJK0WPUk&list=PLLasX02E8BPBm1xNMRdvP6GtA6otQUqp0&index=8):
81
81
82
82
1. If the application is in the Azure AD Gallery, verify that you've followed all the steps for integrating the application with Azure AD. To find the integration instructions for your application, see the [list of SaaS application integration tutorials](../saas-apps/tutorial-list.md).
83
83
1. Retrieve the SAML response.
84
-
- If the My Apps Secure Sign-in extension is installed, from the **Test single sign-on**blade, select **download the SAML response**.
84
+
- If the My Apps Secure Sign-in extension is installed, from the **Test single sign-on**page, select **download the SAML response**.
85
85
- If the extension isn't installed, use a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML response.
86
86
1. Notice these elements in the SAML response token:
87
87
- User unique identifier of NameID value and format
@@ -95,4 +95,4 @@ To resolve the error, follow these steps, or watch this [short video about how t
95
95
96
96
## Next steps
97
97
98
-
Now that single sign-on is working to your application, you could [Automate user provisioning and de-provisioning to SaaS applications](../app-provisioning/user-provisioning.md) or [get started with Conditional Access](../conditional-access/app-based-conditional-access.md).
98
+
Now that single sign-on is working to your application, you could [Automate user provisioning and deprovisioning to SaaS applications](../app-provisioning/user-provisioning.md) or [get started with Conditional Access](../conditional-access/app-based-conditional-access.md).
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments