Version Affected: 22.12
Description:
Authentication through a Transparent SSO realm that uses a custom token may fail for some users.
During these incidents, end users may be presented with the following error:
System Error: We are unable to continue at this time. Please close your browser and try again.Error has been logged
Error logs on the IdP Appliance may also contain the following error(s):
LogChannel="SA_ERROR" FormatVersion="0.0.1" EventID="41601" Timestamp="2024-02-16T11:44:57.569Z" CompanyID="1c7eg6j8-ae33-4a7f-b5e9-1c5c60ba2c74" ApplianceID="5750077a-5ab7-ed11-abc0-06d608b78091" Realm="SecureAuth7" UserID="" BrowserSession="bad5df5a-793c-4b17-b4fb-0b882ec031fe" StateMachineID="" RequestID="9038bbc4-5ccd-464c-85d6-ead1a880ddb7" UserHostAddress="x.x.x.x" Message="SAML20SPInitPost Error in SSO service, error: Thread was being aborted., stack: at System.Threading.Thread.AbortInternal()
at System.Threading.Thread.Abort(Object stateInfo)
at System.Web.HttpResponse.AbortCurrentThread()
at MFC.WebApp.SecureAuth.SAML20SPInitPost.Page_Load(Object sender, EventArgs e)"
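To check whether an appliance is hitting this failure, the log entry above can be searched for across exported error logs. The following is an added example, not SecureAuth code: it assumes the logs are available as text in the key="value" layout shown above, the function names are hypothetical, and the sample records are constructed with placeholder IDs.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the SA_ERROR line in this article; IDs are placeholders.
SAMPLE = '''LogChannel="SA_ERROR" EventID="41601" Timestamp="2024-02-16T11:44:57.569Z" Realm="SecureAuth7" UserID="" BrowserSession="session-0001" RequestID="request-0001" Message="SAML20SPInitPost Error in SSO service, error: Thread was being aborted., stack: at System.Threading.Thread.AbortInternal()
at System.Web.HttpResponse.AbortCurrentThread()
at MFC.WebApp.SecureAuth.SAML20SPInitPost.Page_Load(Object sender, EventArgs e)"
LogChannel="SA_ERROR" EventID="41601" Timestamp="2024-02-16T11:45:10.002Z" Realm="SecureAuth7" UserID="" BrowserSession="session-0001" RequestID="request-0002" Message="SAML20SPInitPost Error in SSO service, error: Thread was being aborted., stack: at System.Threading.Thread.AbortInternal()"
LogChannel="SA_ERROR" EventID="00000" Timestamp="2024-02-16T11:46:00.000Z" Realm="SecureAuth9" UserID="" BrowserSession="session-0002" RequestID="request-0003" Message="Constructed unrelated error"
'''

# A value ends at a quote followed by the next Key=" or by the end of the record,
# so a multi-line Message (the stack trace) stays in one field.
FIELD = re.compile(r'(\w+)="(.*?)"(?=\s+\w+="|\s*\Z)', re.DOTALL)

def parse_records(text):
    """Split on lines that start a record and return one dict per record."""
    chunks = re.split(r'(?m)^(?=LogChannel=")', text)
    return [dict(FIELD.findall(c)) for c in chunks if c.strip()]

def is_sso_abort(rec):
    """Match on message text; the article does not say EventID 41601 is unique to this failure."""
    msg = rec.get("Message", "")
    return (rec.get("LogChannel") == "SA_ERROR"
            and "SAML20SPInitPost Error in SSO service" in msg
            and "Thread was being aborted" in msg)

def summarize(text):
    """Per realm: count of matching errors and the distinct browser sessions hit.
    UserID is empty in these records, so BrowserSession is the handle for correlation."""
    out = defaultdict(lambda: {"errors": 0, "sessions": set()})
    for rec in filter(is_sso_abort, parse_records(text)):
        entry = out[rec.get("Realm", "")]
        entry["errors"] += 1
        entry["sessions"].add(rec.get("BrowserSession", ""))
    return dict(out)

if __name__ == "__main__":
    for realm, info in summarize(SAMPLE).items():
        print(realm, info["errors"], "errors,", len(info["sessions"]), "session(s)")
```

Because UserID is blank in the logged error, tying a session back to a specific user requires correlating BrowserSession or RequestID with other log entries.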
Cause:
When using Transparent SSO and a Custom Token for Password (non-encrypted), users will run into this issue if their password contains a comma.
Resolution:
The fix for this issue has been implemented in later Hotfixes (see the bottom of this KB for more details).
If upgrading to a later Hotfix is not an option at this point, there are two workarounds:
1) If possible, change the Realm configuration under the Workflow tab to encrypt the Password (some applications do not accept Base64-encoded passwords) - ensure the Custom Token Fields: value is set as below
2) Have the user change their password to one that does not include a comma.
Defect ID EE-3292 has been created for this issue, and the fix is included in 22.12 HF8 onwards and 23.07 HF2 onwards.
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.