Azure AD is getting URL not application identifier
frank42195 opened this issue
I created an enterprise application but am getting error AADSTS700016 saying that the application identifier was not found in the tenant's directory. It is giving the URL of my web site as the application identifier, not the actual application identifier. I see where the Directory (tenant) ID is in the SSO URL:
https://login.microsoftonline.com//saml2
I have tried putting the application id in the field "Identity Provider Entity ID", but that isn't showing up in the error message. The URL for my website is.
To be specific, the PHP SAML configuration page has these settings: Plugin Enforced, Strict, Debug, Just In Time Provisioning, Service Provider Certificate, Service Provider Key, Name ID Format, IdP Entity ID, IdP SSO URL, IdP Single Logout Service, IdP X509 Certificate, Requested Authn Context, Req Auth Comparison, Encrypt NameID, Sign Auth Reqs, Sign Logout Reqs, Sign Logout Response.
The Azure tenant is our university and I am accessing the IdP SSO login URL as https://login.microsoftonline/put-tenant-id-here/saml2. I have tried putting the application ID in the IdP entity ID, but it still is using the URL of our web site.
Hi Frank, sorry, I deleted my post because I mixed up the two plugins:
phpsaml and singlesignon (from Edgard Lorraine Messias)
I figured out how it works; I only have one problem, with the transport of the email address for JIT.
Have a look at the phpsaml.xml
https://github.com/derricksmith/phpsaml/blob/master/phpsaml.xml
There you can download version 1.2.1: https://github.com/derricksmith/phpsaml/archive/1.2.1.zip
Put it in the plugins folder as "phpsaml", then you can install the plugin and configure it.
I had the problem that I wasn't able to save the settings from the configuration page, so I changed everything in the table "glpi_plugin_phpsaml_configs".
Then you should have all the information in the readme.md or in the wiki https://github.com/derricksmith/phpsaml/wiki
Now i get the error: "JIT Error: Unable to create user because missing claims (emailaddress)"
OK, I found my solution:
The Name ID Format must be set to Email Address and the Requested Authn Context to X509.
Now it works as expected :)
@derricksmith maybe we should post this or a similar image in the readme with some configuration comments, for instance what bindings to use (if someone needs to configure them manually).
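Reading the two halves of this thread together: AADSTS700016 is raised because Azure AD takes the value the service provider sends as <saml:Issuer> in its AuthnRequest (for phpsaml that is the site URL, which is why the URL and not the application ID shows up in the error) and looks it up against the Identifier (Entity ID) values registered on the tenant's enterprise applications; the "IdP Entity ID" field on the plugin side has no influence on that lookup. The later JIT error goes away once the assertion carries an email-format NameID and the emailaddress claim. The Python below is an added diagnostic, not code from this issue or from the phpsaml plugin: it decodes a SAMLRequest query parameter the way an SP emits it under the HTTP-Redirect binding, reports which identifier Azure AD will try to match, and checks a returned assertion for the two JIT requirements. The host glpi.example.edu, the ACS path and both SAML documents are constructed sample data.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by AuthnRequest and Response documents.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# NameID format and claim name that JIT user creation needs in the assertion.
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: a hypothetical GLPI at glpi.example.edu sends its own base
# URL as <saml:Issuer>. That value, not the Azure application ID, is what the
# tenant must have registered as Identifier (Entity ID).
SP_ENTITY_ID = "https://glpi.example.edu/"
SAMPLE_AUTHN_REQUEST_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-req-1" '
    'Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://glpi.example.edu/acs">'
    f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding encoding (raw DEFLATE, then base64), used to build the sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_binding(saml_request_param: str) -> str:
    """Reverse the binding: base64 -> raw DEFLATE -> XML text (the SAMLRequest query value)."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15).decode("utf-8")


def authn_request_issuer(xml_text: str) -> str:
    """Return the <saml:Issuer> of an AuthnRequest, or '' if it is absent."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return issuer.text.strip() if issuer is not None and issuer.text else ""


def check_issuer(saml_request_param: str, registered_identifiers: set) -> tuple:
    """(issuer, matched): does the SP's Issuer equal any Identifier registered in the tenant?"""
    issuer = authn_request_issuer(decode_redirect_binding(saml_request_param))
    return issuer, issuer in registered_identifiers


def build_sample_response(nameid_format: str, include_email_claim: bool) -> str:
    """Constructed IdP Response/Assertion (signature omitted) for exercising the JIT checks."""
    attr = ""
    if include_email_claim:
        attr = (
            f'<saml:Attribute Name="{EMAIL_CLAIM}">'
            "<saml:AttributeValue>frank@example.edu</saml:AttributeValue>"
            "</saml:Attribute>"
        )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-resp-1" Version="2.0">'
        '<saml:Assertion ID="_constructed-assert-1" Version="2.0">'
        "<saml:Subject>"
        f'<saml:NameID Format="{nameid_format}">frank@example.edu</saml:NameID>'
        "</saml:Subject>"
        f"<saml:AttributeStatement>{attr}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


def check_response_for_jit(response_xml: str) -> dict:
    """Check the two assertion properties the JIT error message complains about."""
    root = ET.fromstring(response_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    nameid_format = nameid.get("Format", "") if nameid is not None else ""
    attr_names = {
        a.get("Name") for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "nameid_format_is_email": nameid_format == EMAIL_NAMEID_FORMAT,
        "has_email_claim": EMAIL_CLAIM in attr_names,
    }


if __name__ == "__main__":
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST_XML)
    # Registering only the application (client) ID reproduces the AADSTS700016 situation.
    print(check_issuer(param, {"00000000-0000-0000-0000-000000000000"}))
    print(check_issuer(param, {SP_ENTITY_ID}))
    print(check_response_for_jit(build_sample_response(EMAIL_NAMEID_FORMAT, True)))
```

To use it on a real login, paste the SAMLRequest value from the redirect to login.microsoftonline.com into check_issuer together with the Identifier (Entity ID) values shown on the enterprise application's SAML page; if the tuple's second element is False, the Azure side needs that Issuer added as an identifier. The response check is the plugin-side complement: with Debug enabled, the decoded assertion can be fed to check_response_for_jit to see which of the two JIT preconditions is still missing.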
No more activity, I suggest we close this issue.