File changed: articles/active-directory/manage-apps/application-sign-in-problem-application-error.md
Lines changed: 29 additions & 89 deletions
@@ -21,17 +21,13 @@ In this scenario, Azure Active Directory (Azure AD) signs the user in. But the a
21
21
22
22
There are several possible reasons why the app didn't accept the response from Azure AD. If there's an error message or code displayed, use the following resources to diagnose the error:
23
23
24
-
*[Azure AD Authentication and authorization error codes](../develop/reference-error-codes.md)
If the error message doesn't clearly identify what's missing from the response, try the following:
30
28
31
-
- If the app is the Azure AD gallery, verify that you followed the steps in [How to debug SAML-based single sign-on to applications in Azure AD](./debug-saml-sso-issues.md).
32
-
29
+
- If the app is in the Azure AD gallery, verify that you followed the steps in [How to debug SAML-based single sign-on to applications in Azure AD](./debug-saml-sso-issues.md).
33
30
- Use a tool like [Fiddler](https://www.telerik.com/fiddler) to capture the SAML request, response, and token.
34
-
35
31
- Send the SAML response to the app vendor and ask them what's missing.
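Review bot: The corrected bullet at new line 29 still says "Azure AD gallery" and "applications in Azure AD", while the steps added later in this same commit send readers to the "Microsoft Entra admin center"; pick one product name for the page or state the rename once near the top. Separately, the unchanged bullets just below tell readers to capture the SAML request, response, and token with Fiddler and to send the SAML response to the app vendor. Since this commit already touches the list, consider adding a sentence that the captured response carries the user's identifier and attributes and should be shared with the vendor over a trusted channel only.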
@@ -40,32 +36,19 @@ If the error message doesn't clearly identify what's missing from the response,
40
36
41
37
To add an attribute in the Azure AD configuration that will be sent in the Azure AD response, follow these steps:
42
38
43
-
1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a global administrator or co-admin.
44
-
45
-
2. At the top of the navigation pane on the left side, select **All services** to open the Azure AD extension.
46
-
47
-
3. Type **Azure Active Directory** in the filter search box, and then select **Azure Active Directory**.
48
-
49
-
4. Select **Enterprise Applications** in the Azure AD navigation pane.
50
-
51
-
5. Select **All Applications** to view a list of your apps.
52
-
53
-
> [!NOTE]
54
-
> If you don't see the app that you want, use the **Filter** control at the top of the **All Applications List**. Set the **Show** option to "All Applications."
55
-
56
-
6. Select the application that you want to configure for single sign-on.
57
-
58
-
7. After the app loads, select **Single sign-on** in the navigation pane.
59
-
60
-
8. In the **User Attributes** section, select **View and edit all other user attributes**. Here you can change which attributes to send to the app in the SAML token when users sign in.
39
+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
1. Enter the name of the existing application in the search box, and then select the application that you want to configure for single sign-on.
42
+
1. After the app loads, select **Single sign-on** in the navigation pane.
43
+
1. In the **User Attributes** section, select **View and edit all other user attributes**. Here you can change which attributes to send to the app in the SAML token when users sign in.
61
44
62
45
To add an attribute:
63
46
64
47
1. Select **Add attribute**. Enter the **Name**, and select the **Value** from the drop-down list.
65
48
66
49
1. Select **Save**. You'll see the new attribute in the table.
67
50
68
-
9. Save the configuration.
51
+
1. Save the configuration.
69
52
70
53
The next time that the user signs in to the app, Azure AD will send the new attribute in the SAML response.
71
54
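Review bot: Between the new sign-in step (new line 39) and "Enter the name of the existing application in the search box", the lines shown here never say which page that search box is on; the removed steps 2 to 5 walked through **Enterprise Applications** and **All Applications**, and the removed note explained the **Filter** control. Make sure the replacement list names the page to browse to before the search step. Replacing "global administrator or co-admin" with "at least a Cloud Application Administrator" is a good least-privilege change. Also check that the "To add an attribute:" sub-steps are indented under the fourth step: with every item numbered `1.`, the final "Save the configuration" (new line 51) relies on that indentation to render as the next top-level step.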
@@ -79,24 +62,11 @@ If you're using [Azure AD automated user provisioning](../app-provisioning/user-
79
62
80
63
To change the User Identifier value, follow these steps:
81
64
82
-
1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a global administrator or co-admin.
83
-
84
-
2. Select **All services** at the top of the navigation pane on the left side to open the Azure AD extension.
85
-
86
-
3. Type **Azure Active Directory** in the filter search box, and then select **Azure Active Directory**.
87
-
88
-
4. Select **Enterprise Applications** in the Azure AD navigation pane.
89
-
90
-
5. Select **All Applications** to view a list of your apps.
91
-
92
-
> [!NOTE]
93
-
> If you don't see the app that you want, use the **Filter** control at the top of the **All Applications List**. Set the **Show** option to "All Applications."
94
-
95
-
6. Select the app that you want to configure for SSO.
96
-
97
-
7. After the app loads, select **Single sign-on** in the navigation pane.
98
-
99
-
8. Under **User attributes**, select the unique identifier for the user from the **User Identifier** drop-down list.
65
+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
1. Select the app that you want to configure for SSO.
68
+
1. After the app loads, select **Single sign-on** in the navigation pane.
69
+
1. Under **User attributes**, select the unique identifier for the user from the **User Identifier** drop-down list.
100
70
101
71
### Change the NameID format
102
72
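Review bot: The User Identifier procedure stops at "select the unique identifier for the user from the **User Identifier** drop-down list" (new line 69) with no save step, whereas the attribute procedure in the previous hunk ends with "Save the configuration"; add the closing step here, or say that the selection applies immediately. The section label is also written "**User attributes**" on this line but "**User Attributes**" in the previous procedure; use the casing shown in the admin center in both places.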
@@ -108,26 +78,12 @@ Azure AD selects the format for the **NameID** attribute (User Identifier) based
108
78
109
79
To change which parts of the SAML token are digitally signed by Azure AD, follow these steps:
110
80
111
-
1. Sign in to the [Azure portal](https://portal.azure.com/) and sign in as a global administrator or co-admin.
112
-
113
-
2. Select **All services** at the top of the navigation pane on the left side to open the Azure AD extension.
114
-
115
-
3. Type **Azure Active Directory** in the filter search box, and then select **Azure Active Directory**.
116
-
117
-
4. Select **Enterprise Applications** in the Azure AD navigation pane.
118
-
119
-
5. Select **All Applications** to view a list of your apps.
120
-
121
-
> [!NOTE]
122
-
> If you don't see the application that you want, use the **Filter** control at the top of the **All Applications List**. Set the **Show** option to "All Applications."
123
-
124
-
6. Select the application that you want to configure for single sign-on.
125
-
126
-
7. After the application loads, select **Single sign-on** in the navigation pane.
9. Select the **Signing Option** that the app expects from among these options:
81
+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
1. Select the **Signing Option** that the app expects from among these options:
131
87
132
88
-**Sign SAML response**
133
89
-**Sign SAML response and assertion**
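Review bot: As rendered here, the new list goes from the sign-in step (new line 81) straight to "Select the **Signing Option** that the app expects", and new lines 82 to 86 are not shown; confirm the replacement still tells the reader to select the application and open **Single sign-on** before reaching the signing settings, which the removed steps 6 and 7 covered. Because the reader is asked to pick what "the app expects" from options such as **Sign SAML response** and **Sign SAML response and assertion**, a sentence telling them to confirm with the app vendor which signed element the app validates would help them choose correctly.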
@@ -141,33 +97,17 @@ By default, Azure AD signs the SAML token by using the most-secure algorithm. We
141
97
142
98
To change the signing algorithm, follow these steps:
143
99
144
-
1. Sign in to the [Azure portal](https://portal.azure.com/) and sign in as a global administrator or co-admin.
145
-
146
-
2. Select **All services** at the top of the navigation pane on the left side to open the Azure AD extension.
147
-
148
-
3. Type **Azure Active Directory** in the filter search box, and then select **Azure Active Directory**.
149
-
150
-
4. Select **Enterprise Applications** in the Azure AD navigation pane.
151
-
152
-
5. Select **All Applications** to view a list of your applications.
153
-
154
-
> [!NOTE]
155
-
> If you don't see the application that you want, use the **Filter** control at the top of the **All Applications List**. Set the **Show** option to "All Applications."
156
-
157
-
6. Select the app that you want to configure for single sign-on.
158
-
159
-
7. After the app loads, select **Single sign-on** from the navigation pane on the left side of the app.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
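Review bot: Only the sign-in step is visible on the added side of this hunk, although the header gives 17 lines for the new side, so the steps that actually reach the signing algorithm setting cannot be checked here; please confirm they replace what the removed steps 6 and 7 covered (select the app, then **Single sign-on**). The hunk's context line says Azure AD signs the SAML token with the most-secure algorithm by default, so this procedure moves an app off that default. If the surrounding text does not already say so, state next to the first step that the algorithm should be changed only when the app cannot validate the default.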