
Azure AD SSO error in configuration

necoutinho
New Contributor III

Hi Team,

I am configuring SSO with Azure AD following the URL below and getting the error below in the logs. Please note I am not using the SP side (Saviynt side) certificate, as it is optional and I do not want the requests to be signed - https://saviynt.freshdesk.com/support/solutions/articles/43000641546-configuring-saml-based-single-s... 

2022-11-10 12:49:09,123 [https-jsse-nio-8443-exec-14] DEBUG auth.LoginController - URL TO SAML LOGIN2=/ECM/login/index?login=true&idp=https://sts.windows.net/xxxxxxxxxxxxxxx/ JSESSIONID =xxxxxxxxxxxxxxxxxxxxxxxx
2022-11-10 12:49:09,592 [https-jsse-nio-8443-exec-11] ERROR error.ErrorController - Exception
org.codehaus.groovy.grails.web.errors.GrailsWrappedRuntimeException
at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
at com.saviynt.webservice.SaviyntRestAuthenticationFilter.doFilter(SaviyntRestAuthenticationFilter.groovy:145)
at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:62)
at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.java:59)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
at org.opensaml.xml.security.SecurityHelper.isHMAC(SecurityHelper.java:120)
at org.opensaml.xml.security.SecurityHelper.prepareSignatureParams(SecurityHelper.java:836)
at org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder.signMessage(BaseSAML2MessageEncoder.java:178)
at org.opensaml.saml2.binding.encoding.HTTPPostEncoder.doEncode(HTTPPostEncoder.java:109)
at org.opensaml.ws.message.encoder.BaseMessageEncoder.encode(BaseMessageEncoder.java:52)
at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.java:59)
at com.mrhaki.grails.plugin.xframeoptions.web.XFrameOptionsFilter.doFilterInternal(XFrameOptionsFilter.java:69)
at com.brandseye.cors.CorsFilter.doFilter(CorsFilter.java:82)


remon
Saviynt Employee

Hello Necoutinho,

Hope you are doing great. I can't tell only from the error you posted; please also share whether at least the redirection from Saviynt to the IDP happens or not.
However, let's review some steps one by one.

1- Review Saviynt SP File:

- Make sure you have no errors in the SP file. I also recommend that you create a cert and add it to the SP file, as you can see the sample has an X509Certificate.

- Change all locations in the SP file according to your setup.

- Make sure you have the same alias name as in the AuthenticationConfig.groovy file.

Every location has an alias, so make sure you change all of them to the right alias.

2- Review the IDP file:

Once you have created the SP file correctly following the above steps, you have to take the SP file to Azure and create the IDP file based on it.

The IDP file has to come from the IDP platform; in your case it comes from Azure.

Change the following in the IDP file that was created by the Azure IDP platform.
WantAuthnRequestsSigned="false" (Optional)
Delete this part from the IDP file, from the tag below to its closing tag, because the Azure signature doesn't really work; it is an Azure issue.
<Signature xmlns="http://www.w3.org/2000/09/

</Signature>
Finally, upload the IDP and SP files to Saviynt through the UI. Make sure the final name for both is the same as in the AuthenticationConfig.groovy file.
Note that when you upload these two files, Saviynt adds a prefix to each accordingly: the IDP file gets the IDP prefix and the SP file gets the SP prefix. You can tell after upload what name each file has.

You will have to restart for the change to take effect, and for that you will have to open a Support Ticket.

Hope that helps.
Thanks and regards,

Remon Abdelsheheed
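Added example (my own script, not code from the thread or from Saviynt): it applies the two IDP-file edits from the reply above with the Python standard library and runs the SP-file checklist (signing certificate present, alias in every Location) over constructed sample metadata. The tenant ID, certificates, hostname and the "/alias/<name>" path form are placeholders or assumptions, not values from the page.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ET.register_namespace("", NS["md"]); ET.register_namespace("ds", NS["ds"])  # keep default ns on output

# Constructed, trimmed stand-in for the metadata Azure AD exports (placeholders, not real values).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/><SignatureValue>AAA=</SignatureValue></Signature>
  <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIC-PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SP metadata; the "/alias/<name>" path form is an assumption of this example.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="saviynt-sp-placeholder">
  <SPSSODescriptor AuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIB-PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sav.example.com/ECM/saml/SSO/alias/saviyntsp" index="0"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sav.example.com/ECM/saml/SingleLogout/alias/oldalias"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def clean_idp_metadata(xml_text: str) -> str:
    """Apply the two IDP-file edits from the reply: remove the metadata-level
    ds:Signature element and set WantAuthnRequestsSigned="false". The IdP signing
    certificate in KeyDescriptor is left in place, so the SP can still verify
    the IdP's signed responses."""
    root = ET.fromstring(xml_text)
    for sig in root.findall("ds:Signature", NS):  # direct child only; KeyInfo is untouched
        root.remove(sig)
    for idp in root.findall("md:IDPSSODescriptor", NS):
        idp.set("WantAuthnRequestsSigned", "false")
    return ET.tostring(root, encoding="unicode")

def check_sp_metadata(xml_text: str, alias: str) -> list:
    """Checklist from the reply: a signing X509Certificate must be present (the
    question's stack trace fails inside signMessage, i.e. while trying to sign the
    request) and every service Location must carry the alias from AuthenticationConfig.groovy."""
    root = ET.fromstring(xml_text)
    problems = []
    cert = root.find(".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        problems.append("SP metadata has no signing X509Certificate")
    for el in root.iter():
        loc = el.get("Location")
        if loc is not None and alias not in loc:
            problems.append(f"{el.tag.split('}')[-1]} Location lacks alias {alias!r}: {loc}")
    return problems
```

Running `check_sp_metadata(SP_METADATA, "saviyntsp")` flags the SingleLogoutService entry whose alias was not changed, which is the mistake the reply's "change all of them" step is about.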

remon
Saviynt Employee

[Attachment: What_To_Change_in_SP_File.png]