Logging into CPM using Identity Provider may fail with an error "An error occurred"
Issue:
When trying to log in to CPM, you may receive the following error:
In the CPM log files, there will be no related error messages, but in the Windows Event viewer you can find these errors: AD FS errors 261 and/or 364:
AD FS error 364:
AD FS error 354:
Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.AssertionConsumerServiceUrlDoesNotMatchPolicyException: MSIS3200: No AssertionConsumerService is configured on the relying party trust 'https://<CPM_Server_Address>/remote_auth/metadata' that is a prefix match of the AssertionConsumerService URL 'https://<CPM_Server_Address>/remote_auth/complete_login/' specified by the request.
AND
AD FS error 261:
The request specified an Assertion Consumer Service URL 'https://<CPM_Server_Address>/remote_auth/complete_login/' that is not configured
Description:
This issue usually happens because of misconfiguration of the Relying Party Trusts in the AD FS Management console. For example, if "Trusted URL" specified not as described in the user guide.
Resolution:
Configure "Trusted URL" option as described in the user guide:
Try to login to the CPM again.
Related Articles
How to Integrate CPM with ADFS to allow Idp logins from windows AD users
Background: This How-To guide will outline how to configure CPM and a windows ADFS server to allow IdP logins. Before you get started you will need to check the prerequisites. This is very important. If they are not met or the Domain and any of the ...AD FS may produce “An error occurred” page when logging in or performing Test Connection
Problem: AD FS may produce “An error occurred” page when logging in or performing Test Connection Symptom: you may find an error like this in the Windows Event Logs for AD FS on the AD FS server: Microsoft.IdentityServer.Web.InvalidScopeException: ...Login to the CPM using an IDP may fail with the "Invalid issuer" error message
If you're using an IDP, login to the CPM may fail with the following error message: login failed. reason: Invalid issuer in the Assertion/Response (invalid_response): It also may be found in the cpm_server.log: ERROR: ...SAML Identity Provider user log in issues
Description: This KB article describes several scenarios that could happen when SAML based Identity Provider is used to provide log in requests for the CPM. Scenario 1 User tries to log in to the CPM when he belongs to cpm_<groupname> group in the ...How To Integrate Okta SSO IdP with CPM 3.0 and above
Background: This document details the steps needed to configure Okta Single Sign On IdP and N2WS Cloud Protection Manager 3.0+. This KB will walk through configuring a new application in Okta to use with CPM as well as configuring CPM with Okta's ...