SAML issuer/assertion mismatch using AAD and ADFS

ale_phat
Occasional Visitor

Hi all,

I hope this is the right forum for this type of question. Otherwise I would appreciate it if someone could point me in the right direction :)

We are in the process of enabling MFA for several applications using Azure AD MFA with Conditional Access. For one application (namely Salesforce) the "old" SSO config was pointed towards the ADFS as issuer and we provided a "new" SAML config which uses the AAD as issuer. All Salesforce users are on-prem accounts and therefore, the Azure AD redirects those users to the ADFS, where they authenticate and are redirected back to the Azure AD where MFA may or may not be required depending on the CA rule. Everything works fine to this point. However, for a few (not all) users in the testing group, Salesforce throws a SAML validation error (issuer from assertion and issuer defined in config do not match):
The issuer in the assertion is [ADFS URL]

The issuer in the configuration is [AAD URL (https://sts.windows.net...)]

So at some point the users who use the "new" config are being redirected to the old config, and the issuer in the SAML assertion then is the ADFS (the old config).

My questions at this point are as follows:

- What could be the possible reason for the apparent redirection?

- Where do I start troubleshooting this issue?

- Any idea as to why only a few test-users are afflicted?

- Can my explanation of the issue even be followed? Is any information missing for a useful response?

Thanks in advance!

Best regards,

Alex
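One way to narrow this down is to capture the SAMLResponse that reaches Salesforce for an affected user and an unaffected user and compare the Issuer elements directly, rather than relying on the Salesforce error text. The script below is an added example, not part of the original post: it parses a SAML 2.0 Response, reports the issuer carried by the Response and by the embedded Assertion, and checks them against the issuer configured at the service provider. The tenant ID and the ADFS identifier in the sample responses are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholders: an Azure AD tenant issuer and an ADFS identifier.
AAD_ISSUER = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
ADFS_ISSUER = "http://adfs.example.com/adfs/services/trust"


def _tag(ns, name):
    # Clark notation used by ElementTree for namespaced element names
    return "{%s}%s" % (ns, name)


def check_saml_issuer(response_xml, expected_issuer):
    """Extract the Response and Assertion issuers and compare them with the
    issuer configured at the service provider (Salesforce in this thread)."""
    root = ET.fromstring(response_xml)
    if root.tag != _tag(SAMLP, "Response"):
        raise ValueError("not a samlp:Response element: %s" % root.tag)
    response_issuer = (root.findtext(_tag(SAML, "Issuer")) or "").strip()
    assertion = root.find(_tag(SAML, "Assertion"))
    assertion_issuer = ""
    if assertion is not None:
        assertion_issuer = (assertion.findtext(_tag(SAML, "Issuer")) or "").strip()
    return {
        "response_issuer": response_issuer,
        "assertion_issuer": assertion_issuer,
        # Response and Assertion should name the same IdP
        "issuers_agree": response_issuer == assertion_issuer,
        # The check the service provider performs against its SSO config
        "matches_config": assertion_issuer == expected_issuer,
    }


def _sample_response(issuer):
    # Minimal constructed Response; a real one also carries signatures,
    # conditions and attribute statements, which are not needed here.
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        "<saml:Issuer>%s</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>%s</saml:Issuer>'
        "<saml:Subject><saml:NameID>alex@example.com</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    ) % (SAMLP, SAML, issuer, issuer)


GOOD_RESPONSE = _sample_response(AAD_ISSUER)   # user routed via the "new" config
BAD_RESPONSE = _sample_response(ADFS_ISSUER)   # affected user: assertion issued by ADFS

if __name__ == "__main__":
    for label, xml in (("new config", GOOD_RESPONSE), ("affected user", BAD_RESPONSE)):
        print(label, check_saml_issuer(xml, AAD_ISSUER))
```

For a real capture, base64-decode the SAMLResponse form parameter from the browser's POST to Salesforce before passing it to check_saml_issuer; an assertion whose issuer is the ADFS identifier shows the user reached Salesforce through the old ADFS relying-party trust rather than through Azure AD.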
