Possible Errors
- SAML configuration error: SAML assertion is not signed, please make sure the SAML assertions are signed in your IDP
- SAML configuration error: invalid issuer attribute in the Saml response. expected issuer value:
- We're Sorry, but something went wrong.
- Error in Processing SAML Response
- {{UserEmail}} cannot be logged in as this user is not part of this organization
Resolution Path:
SAML configuration error: SAML assertion is not signed, please make sure the SAML assertions are signed in your IDP
- The signing options in the Freshworks Azure (Using SAML) configuration must match the signing options selected in the IDP.
- Log in to the Freshworks Organisation.
- Navigate to the Security page and open the configured SAML app.
- Check the signing options in the configured SAML app.
- Navigate to Azure AD → Enterprise Applications → Freshworks SAML app → Single Sign On → SAML Signing Certificate → Signing options: Sign SAML Response
-------------------------------------------------------------------------------------------------------------------
SAML configuration error: invalid issuer attribute in the Saml response. expected issuer value:
- This error is usually seen when the Azure AD Identifier configured in Freshworks Security → Azure (Using SAML) does not match the Entity ID sent by the IDP in the SAML response.
- To fix it, copy the valid Issuer URL (Entity ID) from the Freshworks SAML app in Azure and paste it into the Issuer URL field of the Freshworks Security → Azure (Using SAML) app.
--------------------------------------------------------------------------------------------------------------------
We're Sorry, but something went wrong.
- This error is seen when Encrypted Assertions are enabled on the SP side and Public key details are not provided on the IDP side.
- Therefore, make sure the public key field is not empty on the IDP side when Encrypted assertions are configured.
---------------------------------------------------------------------------------------------------------------------
Error in Processing SAML Response
Verify whether encrypted assertions are enabled for Freshworks SSO Azure (using SAML).
Option #1: Disable encrypted assertions in Freshworks SSO Azure (using SAML) if encrypted assertions are not enabled in Azure AD.
Option #2: Follow the steps below to configure the public key in the IDP and enable encrypted assertions in the IDP:
- Download the metadata from Freshworks SSO Azure (using SAML).
tag value is the public key.
Azure supports a public key with a header and footer. Based on the IDP, you would either need to copy the public key value or upload the created file. You can create a new file with extension .pem or .cer with header and footer.
Example:
-----BEGIN CERTIFICATE-----
(public key value copied from the metadata)
-----END CERTIFICATE-----
- Then log in to your Azure AD admin console → Enterprise Applications → Freshworks SAML app → Token Encryption → Upload .pem/.cer file → Activate Token encryption.
----------------------------------------------------------------------------------------------------------------------
{{UserEmail}} cannot be logged in as this user is not part of this organization
As the error says, this user is not part of the Organization. Therefore, verify whether this user's email is already present within the same organization.
If the user is logging in with valid credentials from Azure and still faces a login issue, then:
- Verify the user's presence in the Organisation.
- In Azure, check User Attributes & Claims.
- The Unique User Identifier should be set to user.mail.
- Also verify the user profile and what data was sent as user.mail (visible through SAML tracer); it should match the user's email in FreshId.
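
A structural check of a decoded SAML response (for example one copied out of SAML tracer) against the causes described in the sections above: issuer mismatch, unsigned assertion, encrypted assertion, and NameID versus the user's email. This is an added example, not Freshworks or Microsoft code; the function name `diagnose`, the sample XML and its URLs and email address are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (not a real capture): the response is signed, the assertion is not.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://idp.example.test/tenant/</saml:Issuer>
  <ds:Signature/>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/tenant/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@corp.example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def diagnose(response_xml, expected_issuer, expected_email):
    """List mismatches in a decoded SAML response.

    Structural checks only: signatures are located, never cryptographically verified.
    """
    root = ET.fromstring(response_xml)
    findings = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:  # exact string match, so a trailing slash counts
        findings.append(f"issuer mismatch: got {issuer!r}")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # Signature and NameID sit inside the ciphertext and cannot be inspected here.
        findings.append("assertion is encrypted: encrypted assertions must also be enabled on the SP side")
        return findings
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no assertion in response"]
    if assertion.find("ds:Signature", NS) is None:
        only_resp = root.find("ds:Signature", NS) is not None
        findings.append("assertion not signed" + (" (only the response is signed)" if only_resp else ""))
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    # Case-insensitive comparison is an assumption of this example.
    if name_id.casefold() != expected_email.casefold():
        findings.append(f"NameID {name_id!r} does not match expected email")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, "https://idp.example.test/tenant", "alice@example.test"):
        print(finding)
```
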