Azure AD, Okta, and ADFS Troubleshooting

Abstract

This page describes troubleshooting issues when configuring Okta and ADFS Identity Providers.

Infinite is not responsible for the content on third-party websites. For the purposes of this documentation Infinite BrassRing Platform is the Service Provider (SP).

Azure AD-Specific Issues

For more information, see Azure Ad's troubleshooting documentation.

OKTA-Specific Issues

For more information, see OKTA’s troubleshooting documentation.

ADFS-Specific Issues

SAML Clock Handling ADFS

For security reasons, a SAML assertion has a validity period and its lifetime cannot be extended. The validity period is embedded in the SAML message and is typically measured in seconds. The receiver of a SAML message verifies that the message validity period is valid relative to the receivers clock. If it is not, the message is rejected and trust cannot be established. Therefore it is critical that the senders and receivers clock are synchronized.

1. Receiving a Not Yet Valid Assertion

   • If the IdP system clock is not synchronized with the SP system clock. When the NotBefore within the credential is set to a future time from the viewpoint of the SP, this error occurs. When the clocks are not synchronized, the SP does not accept the credential as valid. The Active Directory Federation Services (ADFS) allows SAML administrators to set the NotBefore value to a time in the past so the system clocks can synchronize.

   1. Using the PowerShell tool, select Start → Administrative Tools → Windows PowerShell Modules and modify the RelyingParty (SP) with this command line:

   2. At the PowerShell command prompt type:

      1. Add-PSSnapin Microsoft.Adfs.PowerShell. This loads up the ADFS PowerShell plug in.

      2. Get-ADFSRelyingPartyTrust –identifier “urn:party:sso”. This shows what the values were

      3. Set-ADFSRelyingPartyTrust –TargetIdentifier “urn:party:sso” –NotBeforeSkew 2. This sets the skew to 2 minutes

   3. Select Enter.

2. NotBeforeSkew (ADFS 2.0)

   • View more details on the ADFSRelyingPartyTrust ADFS 3.0 command here.

   • view more details on the ADFSRelyingPartyTrust ADFS 2.0 command here.

   • Before ADFS 2.0 the configuration might be configured differently.

Temporarily Disable Encryption

Sometimes trust cannot be established due to the encryption. Encryption can be temporarily disabled by:

1. Using the PowerShell tool, select Start → Administrative Tools → Windows PowerShell Modules and modify the set-RelyingPartyTrust with this command line:

2. At the PowerShell command prompt type: set-ADFSRelyingPartyTrust -TargetName “Tivoli Federated Identity Manager SP Example” -EncryptClaims $False.

3. Select Enter.

Login Failures with SP initiated login processes

If login failures are encountered with the SP initiated login process, you might need to add the SPNameQualifier property to the ADFS configuration. The value of this attribute is the entityID in the Infinite BrassRing Platform metadata file.