
SP-Initiated SSO Using IDP-Initiated SSO URL Fails with Unauthorized Error

Publish Date: Mar 2, 2024
Resolution

SYMPTOM

Some IDPs support IDP-Initiated SSO and SP-Initiated SSO through two different URLs. For example, Azure AD, as described in: Configuring Anypoint Platform as an Azure AD Service Provider (SP)
  • IDP-Initiated SSO URL: https://myapps.microsoft.com/signin/[ApplicationName]/[ID]
  • SP-Initiated SSO URL:  https://login.microsoftonline.com/[TENANTID]/saml2
Since May 30 2020, Anypoint Platform Access Management has supported SP-Initiated SSO. See the release notes here

When logging in using SP-Initiated SSO while the IDP-Initiated SSO URL is configured in Anypoint Platform, a 401 authentication error is returned.

CAUSE

Consider the following Azure AD use case:

1) The IDP-Initiated SSO URL is configured in the Anypoint Platform Organization: https://myapps.microsoft.com/signin/[ApplicationName]/[ID]
2) Both SP-Initiated SSO and IDP-Initiated SSO are enabled in the Anypoint Platform Organization.
3) When logging in using the URL https://anypoint.mulesoft.com/login/domain/[AnypointOrganizationDomainName], because SP-Initiated SSO is enabled, Anypoint Platform starts an SP-Initiated SSO flow by sending the SAMLRequest parameter in the request; that request carries a request ID.
4) Because https://myapps.microsoft.com/signin/[ApplicationName]/[ID] is an IDP-Initiated SSO URL, Azure AD follows the IDP-Initiated SSO flow, so the SAMLResponse will NOT carry the expected "InResponseTo" attribute. Anypoint Platform expects a response of the following form:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="xxx" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="[TheIDInTheSAMLRequest]">
5) Because Anypoint Platform treats the login as SP-Initiated SSO, it expects the "InResponseTo" attribute in the SAMLResponse. If the attribute is not found, Anypoint Platform fails the login request with a 401 authentication error.
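To make the InResponseTo check concrete, here is an added illustration (not Anypoint Platform's code) of the SP-side logic described in steps 3 to 5: the SP remembers the request ID it sent and rejects a response that does not echo it. The sample response and the example.com issuer are constructed for the example.

```python
from typing import Optional, Tuple
import uuid
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

def new_request_id() -> str:
    """SP-initiated flow: the SP mints an ID and embeds it in the SAMLRequest."""
    return "_" + uuid.uuid4().hex

def check_in_response_to(saml_response_xml: str,
                         outstanding_request_id: Optional[str]) -> Tuple[int, str]:
    """Return (http_status, reason). outstanding_request_id is the ID the SP sent
    in its SAMLRequest, or None when no request was sent (pure IDP-initiated)."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != "{%s}Response" % SAMLP_NS:
        return 400, "not a samlp:Response"
    in_response_to = root.get("InResponseTo")
    if outstanding_request_id is None:
        # Unsolicited (IDP-initiated) response: it must not claim to answer a request.
        if in_response_to is not None:
            return 401, "unsolicited response carries InResponseTo"
        return 200, "IDP-initiated response accepted"
    # SP-initiated: the response must reference the request the SP actually sent.
    if in_response_to is None:
        return 401, "SP-initiated flow but InResponseTo is missing"
    if in_response_to != outstanding_request_id:
        return 401, "InResponseTo does not match the outstanding request ID"
    return 200, "SP-initiated response accepted"

# Constructed sample, modelled on the samlp:Response fragment in the article
# (example.com values only; not a real tenant or issuer).
_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'IssueInstant="2014-07-17T01:01:48Z" '
    'Destination="http://sp.example.com/demo1/index.php?acs"{extra}>'
    '<saml:Issuer>https://idp.example.com/</saml:Issuer></samlp:Response>'
)

def sample_response(in_response_to: Optional[str]) -> str:
    """Build a response with or without InResponseTo, as an IDP would in each flow."""
    extra = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return _TEMPLATE.format(extra=extra)
```

Calling `check_in_response_to(sample_response(None), new_request_id())` reproduces the article's failure (401, missing InResponseTo), while passing the same ID to both calls yields 200.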

SOLUTION

When logging in using the URL https://anypoint.mulesoft.com/login/domain/[AnypointOrganizationDomainName] with both SP-Initiated SSO and IDP-Initiated SSO enabled, make sure the SSO URL configured in Anypoint Platform is the SP-Initiated SSO URL.
Knowledge Article Number

001122279
