Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

IDP initiated SSO / SAML with Azure AD "RelayState invalid / missing"

  • 1.  IDP initiated SSO / SAML with Azure AD "RelayState invalid / missing"

    Posted 27 days ago
    Hi, 

    We're using Azure AD and I've configured our ClearPass server to use SAML as SP. The SP-initiated SSO from the ClearPass login page is working well, but if I try to log in from the MyApps dashboard at AAD I'm getting a 403.
    We're using the Azure application proxy for the way back into our internal network.

    Any ideas what I've probably done wrong or how to analyze the issue further?

    Thanks
    Jonny




    ------------------------------
    Jonny
    ------------------------------


  • 2.  RE: IDP initiated SSO / SAML with Azure AD "RelayState invalid / missing"

    Posted 27 days ago
    Have you replaced the default cert on the application in Azure?

    ------------------------------
    Victor Fabian
    ------------------------------



  • 3.  RE: IDP initiated SSO / SAML with Azure AD "RelayState invalid / missing"

    Posted 27 days ago
    Yep, CNAME was created and I've uploaded the correct certificate. From my understanding, all settings and forwarders at AAD are correct. I have been authenticated successfully, but ClearPass is missing something. There are no log entries in the Access Tracker.

    ------------------------------
    Jonny 
    ------------------------------



  • 4.  RE: IDP initiated SSO / SAML with Azure AD "RelayState invalid / missing"
    Best Answer

    Posted 26 days ago
    CPPM does not support IdP-initiated logins. You'd need to just add a static link in MyApps.

    ------------------------------
    Tim C
    ------------------------------
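
To analyze a failure like this further, the following added example (not from the thread or from the vendor; the function names, URL and sample values are constructed) decodes a captured POST body sent to the SP's assertion consumer URL and reports whether the SAML response is unsolicited, meaning it carries no `InResponseTo` and is therefore IdP-initiated, and whether a RelayState came with it.

```python
# Added example; function names and sample data are constructed.
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def classify_acs_post(form_body):
    """Classify a captured HTTP-POST binding body sent to the SP's ACS URL.

    Diagnostic only: no signature or condition validation is performed.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0]))
    # An SP-initiated response echoes the AuthnRequest ID in InResponseTo;
    # an unsolicited (IdP-initiated) response has no such attribute.
    in_response_to = root.get("InResponseTo")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    relay_state = fields.get("RelayState", [""])[0]
    return {
        "flow": "sp-initiated" if in_response_to else "idp-initiated",
        "in_response_to": in_response_to,
        "assertion_in_response_to": scd.get("InResponseTo") if scd is not None else None,
        "relay_state_present": bool(relay_state),
    }

def build_sample_post(in_response_to=None, relay_state=None):
    """Build a constructed, unsigned sample POST body (not real IdP output)."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' ID="_resp1" Version="2.0"{attr}>'
        '<saml:Assertion ID="_assert1" Version="2.0"><saml:Subject>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData{attr} Recipient="https://sp.example.test/acs"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )
    form = {"SAMLResponse": base64.b64encode(xml.encode()).decode()}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return urlencode(form)

if __name__ == "__main__":
    print(classify_acs_post(build_sample_post()))                  # unsolicited response
    print(classify_acs_post(build_sample_post("_req42", "tok1")))  # answers an AuthnRequest
```

The body to feed in is the form data of the POST to the ACS URL, as captured in the browser's developer tools during the failing login.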



  • 5.  RE: IDP initiated SSO / SAML with Azure AD "RelayState invalid / missing"

    Posted 25 days ago
    @timms 
    Thanks for the clarification! Didn't think about this possibility.
    Will try it with a static link and application proxy.

    ------------------------------
    Jonny
    ------------------------------