Microsoft Entra Single Sign-On into Arctera Unified Platform portals fail when the User Principal Name (UPN) does not match the SMTPAddress
Article ID: 100048508
Updated On:
Description
Error Message
See internal notes for additional information
Notes
A change was made in summer fall 2020 on the backend that caused a logic change in how Arctera Unified Platform confirmed authenticated users.
Note: The log snippets are from the Authentication Service log.
Prior to the change, the SMTPAddress (emailAddress) of the account was used thus the user.mail claim was sufficient.
11:01:00 (40) CID=0a4e2ab5-f4d5-496a-8c83-352c29f622d3, appName=EPA
11:01:00 (40) Valid SAML response in EvaluateConditionsAttributes(..) - CurrentTime:8/25/2020 6:01:00 PM, NotBefore:8/25/2020 5:55:59 PM, NotOnOrAfter:8/25/2020 7:00:59 PM
11:01:00 (40) cid=0a4e2ab5-f4d5-496a-8c83-352c29f622d3, emailAddress=srogers@xxxx.com
Note: Take note of the above line which shows the emailAddress 'srogers@xxxx.com being passed in by the end user to be authenticated by Veritas Alta Archiving
After the change to the backend code in early fall 2020, the value passed in from the end user can now be compared to both the SMTPAddress and UPN column in the Acct table.
08:51:48 (72) Load Customer Context for CustomerID - 0a4e2ab5-f4d5-496a-8c83-352c29f622d308:51:48 (72) CID=0a4e2ab5-f4d5-496a-8c83-352c29f622d3, appName=EPA08:51:48 (72) Load Customer Context for CustomerID - 0a4e2ab5-f4d5-496a-8c83-352c29f622d308:51:48 (72) Valid SAML response in EvaluateConditionsAttributes(..) - CurrentTime:9/15/2020 3:51:48 PM, NotBefore:9/15/2020 3:46:47 PM, NotOnOrAfter:9/15/2020 4:51:47 PM08:51:48 (72) CID=0a4e2ab5-f4d5-496a-8c83-352c29f622d3, SSOColumnValue=srogers@xxxx.com
Note: The above line shows 'SSOColumnValue' as opposed to 'emailAddress' field.
Cause
This can occur as a result of a missing claim UPN in the Microsoft Entra SAML-based Sign-on
Resolution
Create a UPN claim in Azure SSO.
- Logon to Microsoft Entra admin center (https://aad.portal.azure.com)
- Navigate to Enterprise applications > (Locate the application created for SSO) > Single Sign-On > User Attributes & Claims
- Add a new claim:
- Name: UPN
- Source Attribute: user.userprincipalname
Ensure that the following 3 required claims are configured:
| Claim name | Value |
|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | user.userprincipalname |
| UPN | user.userprincipalname |
Note: Additional claims may be present, such as givenname or surname. Their presence is optional.
Issue/Introduction
Microsoft Entra Single Sign-On (SSO) into Arctera Unified Platform portals fail and returns to the login screen when the User Principal Name (UPN) does not match the SMTPAddress of the account.
Additional Information
JIRA: CFT-2948
