Facing Issues with MSOLService Deprecation — Best Practice for Azure SSO with OpenIAM?

Hi Dmytro,

Are you referring to assigning the authentication provider to a resource within a role? If so, yes—the user has a role that has the authentication provider assigned to it.

Best regards,
Aaron

Hi Dmytro,

I found a strange but repeatable behavior when trying to access Microsoft 365 via OpenIAM as the IdP.

Here’s the scenario:

  1. I’m already logged into OpenIAM in another tab (same browser session).

  2. When I go to https://portal.office.com, I get redirected to OpenIAM’s login page:

     https://example.com/idp/login?postbackUrl=%2Fidp%2Fsaml2%2Fidp%2Flogin

  3. On that page, I enter the username, but nothing happens — the password field doesn’t appear.

  4. If I manually change the URL to:

     https://example.com/idp/saml2/idp/login

     and hit enter, it logs me into Microsoft 365 successfully using the current OpenIAM session.

It seems like the SAML session is still active, and manually accessing the SAML endpoint bypasses the broken login flow. Is there an explanation for why the login page fails to render or redirect properly when accessed via the postbackUrl flow?

Could this be a login template issue or something misconfigured in the redirect handler?

Would appreciate any help or insight on how to fix this.

Thanks,
Aaron

Hi Aaron,

I will discuss your question with our team, and will come back to you shortly.

Best regards, Dmytro


Hi Aaron,

Could you please share two screenshots from OpenIAM of uri patterns for: /idp/saml2/idp/login and /idp/saml2/idp/*

Best regards, Dmytro

Please follow this path:
webconsole → access control → content provider → your SAML connect provider → /idp/saml2/idp/login URI

webconsole → access control → content provider → your SAML connect provider → /idp/saml2/idp/login* URI

/idp/saml2/idp/*

/idp/saml2/idp/login

Hi Aaron,

Could you please change Supported Authentication levels for /idp/saml2/idp/login
Should be: Any Authentication

Best regards, Dmytro


Hi Dmytro,

Thank you so much — it works now!

Just one more thing: OpenIAM sends the User Principal Name to Entra ID in the SAML request, but Entra expects the OnPremisesImmutableID. Is there a Groovy script template available that retrieves the objectGUID of a user using the Azure AD connector and converts it to Base64?

Best regards,
Aaron
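The conversion Aaron is asking about is a byte-order detail that is easy to get wrong: Entra ID's ImmutableID is the Base64 encoding of the 16 raw bytes of the on-prem objectGUID, in the order the directory stores them (little-endian for the first three GUID fields), not the Base64 of the hyphenated text. The following is an added example, not an OpenIAM Groovy template and not code from anyone in this thread; it shows the same transformation in Python so the expected value can be checked against what Entra reports for a user. The sample GUID is constructed, and the function names are the example's own.

```python
import base64
import uuid

# Constructed sample objectGUID in the hyphenated display form; not a real user's GUID.
SAMPLE_OBJECT_GUID = "01020304-0506-0708-090a-0b0c0d0e0f10"


def guid_string_to_immutable_id(guid_text: str) -> str:
    """Display-form objectGUID -> Base64 ImmutableID.

    uuid.bytes_le reproduces the on-disk/LDAP byte layout (the same order
    .NET's Guid.ToByteArray() returns), which is what gets Base64-encoded.
    """
    raw = uuid.UUID(guid_text).bytes_le
    return base64.b64encode(raw).decode("ascii")


def raw_object_guid_to_immutable_id(raw: bytes) -> str:
    """The 16 raw bytes of objectGUID as read over LDAP are already in the right order."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return base64.b64encode(raw).decode("ascii")


def immutable_id_to_guid_string(immutable_id: str) -> str:
    """Reverse mapping: decode an ImmutableID back to the hyphenated objectGUID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID must decode to exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def naive_immutable_id(guid_text: str) -> str:
    """The common mistake: Base64 of the text-order bytes. Entra will not match this value."""
    return base64.b64encode(uuid.UUID(guid_text).bytes).decode("ascii")


if __name__ == "__main__":
    correct = guid_string_to_immutable_id(SAMPLE_OBJECT_GUID)
    wrong = naive_immutable_id(SAMPLE_OBJECT_GUID)
    print("objectGUID :", SAMPLE_OBJECT_GUID)
    print("ImmutableID:", correct)
    print("text-order :", wrong, "(does not match)")
    print("round trip :", immutable_id_to_guid_string(correct))
```

Whichever scripting layer does the lookup, the check is the same: take the ImmutableID Entra already holds for a synced user, run it through the reverse mapping, and confirm it equals that user's objectGUID before switching the NameID over; a mismatch in byte order would otherwise surface only as a silent login failure for every user.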

Hi Aaron,

As I understand, you would like to have OpenIAM verify the user by OnPremisesImmutableID from the Azure SAML request.
If yes, then you have to sync Azure users with the OnPremisesImmutableID attribute using our PSGraph connector.
Regarding the OpenIAM configuration, I will discuss it with our team.

Best regards,
Dmytro


Hi Aaron,

I have a question: How should OnPremisesImmutableID be represented in OpenIAM’s SAML request to Azure, as NameID in SAML request or as an additional attribute in SAML request?

Best regards,
Dmytro


Hi Dmytro,

I believe it would be best if it’s represented as NameID instead!

Best regards,

Aaron

Hi Dmytro,

Any updates on this yet?

Best regards,
Aaron