Common issues with Azure AD include:
Case 1: "SAML configuration error: SAML assertion is not signed, please make sure the SAML assertions are signed in your IDP" or "SAML configuration error: SAML response is not signed, please make the SAML response signed in your IDP"
The signing option selected in the Freshworks Azure (Using SAML) configuration must match the signing option selected in the IDP.
Log in to the Freshworks Organisation.
Navigate to the Security page and open the configured SAML app.
Check the Signing options in the configured SAML app.
In Azure AD, navigate to Enterprise Applications → Freshworks SAML app → Single Sign On → SAML Signing Certificate → Signing options: Sign SAML Response.
Case 2: "Error while authenticating user: the assertion of the response is not encrypted and the sp requires it"
If the Freshworks SAML app is used in the Azure IDP, disable encrypted assertions in the Freshworks Security → Azure (Using SAML) app.
Log in to the Freshworks Organisation.
Navigate to the Security page and open the configured SAML app.
Disable Encrypted Assertions in the configured SAML app under Advanced Options.
If encrypted assertions are mandatory, enable them on both sides: in Freshworks Security → Azure (Using SAML) and in the SAML app in Azure.
Generate .cer/.pem file
Follow the steps below to configure SLO from the IDP side.
Download the metadata from the SAML app.
The value of the certificate tag in the downloaded metadata is the public key.
Azure supports a public key with a header and footer. Create a new file with the extension .pem or .cer containing the public key between the header and footer. Depending on the IDP, either copy the public key value or upload the created file.
Example:
-----BEGIN CERTIFICATE-----
[public key value from the metadata]
-----END CERTIFICATE-----
In Azure AD, navigate to Enterprise Applications → Freshworks SAML app → Token Encryption → upload the .pem/.cer file → Activate Token encryption.
Case 3: "Saml configuration error: invalid audience attribute in the Saml response. expected audience: null"
The metadata URL (entity ID) of the SP configured in the IDP is wrong. Make sure the correct value is configured in the Freshworks SAML app in the Azure IDP.
Case 4: "Saml configuration error: invalid issuer attribute in the Saml response. expected issuer value:"
The Azure AD Identifier configured in Freshworks Security → Azure (Using SAML) does not match the entity ID sent by the IDP in the SAML response.
Copy the valid Issuer URL (Entity ID) from the Freshworks SAML app in Azure (as shown below) and paste it into the Issuer URL field of the Freshworks Security → Azure (Using SAML) app.
Case 5: "We're Sorry, but something went wrong."
This occurs when encrypted assertions are enabled on the SP side but the public key details are not provided on the IDP side.
Make sure the public key field is not empty.
Case 6: "Error in Processing SAML Response"
Verify whether encrypted assertions are enabled for Freshworks SSO Azure (using SAML).
Option #1: Disable encrypted assertions in Freshworks SSO Azure (using SAML) if encrypted assertions are not enabled in Azure AD.
Option #2: Configure the public key in the IDP and enable token encryption there:
Download the metadata from Freshworks SSO Azure (using SAML).
Create the .pem/.cer file from the certificate value in the metadata and upload it in Azure AD under Enterprise Applications → Freshworks SAML app → Token Encryption, then activate Token encryption, exactly as described under "Generate .cer/.pem file" above.
Case 7: "{{UserEmail}} cannot be logged in as this user is not part of this organization"
As the error says, the user is not part of the organization. Verify whether the user is already present in the same organization.
If the user is logging in with valid Azure credentials and still faces a login issue:
Verify the user's presence in the Organisation.
In Azure, check User Attributes & Claims.
The Unique User Identifier should be set to user.mail.
Also verify the user's profile and the value that was sent as user.mail; it must match the user's email in FreshId.
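The checks behind Cases 1 to 4 and 7 can be run locally against a captured SAML response before touching either portal. The following pre-flight checker is an added example, not Freshworks or Microsoft code; it assumes the response XML has already been base64-decoded, uses constructed placeholder values for the tenant and SP entity ID, and only checks that signatures are present and that issuer, audience and NameID carry the expected values (it does not verify signatures cryptographically).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample with placeholder values (not real Azure output): the Response element is
# unsigned, the Assertion is signed, and the NameID is an object id rather than user.mail.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <ds:Signature/>
    <saml:Subject><saml:NameID>user123</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://SP-ENTITY-ID-PLACEHOLDER</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, expected_issuer, expected_audience, sp_requires_encryption):
    """Map a decoded SAML Response to the error cases above. Checks presence of signatures
    and the configured values only; it does not verify the signatures cryptographically."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("ds:Signature", NS) is None:            # Case 1: response signing option
        findings.append("SAML response is not signed")
    encrypted = root.find("saml:EncryptedAssertion", NS)
    assertion = root.find("saml:Assertion", NS)
    if sp_requires_encryption and encrypted is None:     # Case 2: SP/IDP encryption mismatch
        findings.append("assertion is not encrypted and the SP requires it")
    if assertion is None:  # an EncryptedAssertion cannot be inspected without the SP key
        return findings if encrypted is not None else findings + ["no Assertion in response"]
    if assertion.find("ds:Signature", NS) is None:       # Case 1: assertion signing option
        findings.append("SAML assertion is not signed")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:                        # Case 4: Azure AD Identifier mismatch
        findings.append(f"invalid issuer: got {issuer!r}, expected {expected_issuer!r}")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS).strip()
    if audience != expected_audience:                    # Case 3: SP entity ID mismatch
        findings.append(f"invalid audience: got {audience!r}, expected {expected_audience!r}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if "@" not in name_id:                               # Case 7: identifier should be user.mail
        findings.append(f"NameID {name_id!r} is not an e-mail; set the unique identifier to user.mail")
    return findings
```

Run it with the Azure AD Identifier and SP entity ID from your own configuration in place of the placeholders; each finding names the case above whose fix applies.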