Outlook Web App: SAML-based SSO Authentication Failing for Some Users

    Applies to:
  • Legacy SecureAuth IdP
    Deployment model:
  • On Premises
    Versions Affected: All

    Description: When accessing OWA externally after authenticating through the SecureAuth IdP, users encounter an "ID6018: Digest verification failed" error. Typically this problem is tied to SAML rule translation, but in this case no translation/mapping is used. When accessing OWA internally (also authenticating through the SecureAuth IdP), the same users are able to log in without issues.

    SAML tracer shows problematic users failing to post FedAuth cookies, whereas other users are posting cookies as expected.

    Cause: In some rare instances, when the value is copy/pasted into the data store attribute, a "line break" character may be mistakenly included in the stored value. This causes a premature break when the SAML assertion is created. The result is an erroneous SAML assertion, and the SSO handshake fails with the ID6018 error noted above.

    Resolution:  In the realm debug logs, check to see if there are malformed "GetClaimsIdentity" lines when collecting the attribute from the user account to be encoded in the SAML assertion.

    If a "line break" (an invisible ASCII control character) splits the GetClaimsIdentity line prematurely into two lines, the SAML assertion will fail.

    Check the attribute from the data store and re-enter it manually.

    For example, if the attribute to be passed in the SAML assertion is the userPrincipalName in Active Directory, go into the Attribute Editor tab of the user object, delete the existing value, re-type the correct value, then save.
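    Because the stray character is invisible in the Attribute Editor, it helps to audit the attribute values programmatically before re-entering them. The following is an added example, not SecureAuth's own code or tooling: it takes a dictionary of user attribute values (in practice exported from the directory; here a constructed sample) and reports every line break or other invisible control character, along with a cleaned value to re-type. The user names and UPNs are constructed for illustration.

```python
import unicodedata

# Characters that are invisible in most admin consoles yet survive copy/paste.
# CR/LF is the case described in this article; the others are common relatives.
SUSPECT = {
    "\r": "CR", "\n": "LF", "\t": "TAB", "\u00a0": "NBSP",
    "\u200b": "ZWSP", "\ufeff": "BOM",
}

def find_hidden_chars(value: str) -> list:
    """Return (index, name) for every invisible/control character in value."""
    hits = []
    for i, ch in enumerate(value):
        if ch in SUSPECT:
            hits.append((i, SUSPECT[ch]))
        elif unicodedata.category(ch) in ("Cc", "Cf"):  # other control/format chars
            hits.append((i, "U+%04X" % ord(ch)))
    return hits

def audit_attributes(users: dict) -> dict:
    """users maps an account name to {attribute: value}.
    Returns {account: {attribute: [(index, name), ...]}} for every value
    that would carry a hidden character into the SAML assertion."""
    findings = {}
    for user, attrs in users.items():
        bad = {a: find_hidden_chars(v) for a, v in attrs.items()}
        bad = {a: h for a, h in bad.items() if h}
        if bad:
            findings[user] = bad
    return findings

def clean_value(value: str) -> str:
    """Drop the hidden characters so the value can be re-entered correctly."""
    return "".join(
        ch for ch in value
        if ch not in SUSPECT and unicodedata.category(ch) not in ("Cc", "Cf")
    )

# Constructed sample: one UPN pasted with a trailing LF, one clean UPN.
SAMPLE_USERS = {
    "jdoe": {"userPrincipalName": "jdoe@example.com\n"},
    "asmith": {"userPrincipalName": "asmith@example.com"},
}

if __name__ == "__main__":
    for user, attrs in audit_attributes(SAMPLE_USERS).items():
        for attr, hits in attrs.items():
            fixed = clean_value(SAMPLE_USERS[user][attr])
            print(f"{user}.{attr}: hidden chars at {hits}; re-enter as {fixed!r}")
```

Any account the audit reports should be checked against the realm debug logs for the split GetClaimsIdentity line described above and have the attribute re-typed.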
