I have been building a new instance of OnDemand and was trying to get it to work with Azure AD SAML Single Sign-on. I'm able to get authentication working, however, I get the following error when it loads the OnDemand home page:
Error – failed to map user (mvMH4XUx/FTt3Z8E2Lb0bwH2SKP0A6eGjUmD7DXNrPI=)
Most of the errors I’ve seen around this involve “failed to map user DOMAIN\user”, so I’m not sure why I’m getting this string. I’ve tried setting the user_map_match and user_map_cmd with the custom script.
Any guidance would be much appreciated!
-dain
My guess is it's your oidc_remote_user_claim setting, if you have it set. I'm guessing that Azure AD is returning the sid (session id) instead of, say, preferred_username or email. This setting tells the OIDC provider what to return as the httpd REMOTE_USER. That random string looks like a session id.

Feel free to attach your ood_portal.yml (with all the secret stuff removed) if that doesn't solve the issue.

Secondarily, your oidc_scope could be limited. It should have at least openid and likely email too.

Our example may provide some insight.
https://osc.github.io/ood-documentation/latest/authentication/oidc.html
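As an added illustration of the settings the reply above points at (this fragment is not from the thread or from the OnDemand documentation), here is the OIDC portion of an ood_portal.yml with the claim and scope choice that would hand httpd an opaque session-style value as REMOTE_USER, next to the corrected choice. The servername, tenant id, client id, secret and the example.org domain in the user_map_match regex are placeholders, and the assumption that the first capture group of user_map_match becomes the local user name is stated in the comments.

```yaml
# Added example, not the thread's or the OOD project's own config.
# OIDC section of /etc/ood/config/ood_portal.yml; all hostnames, ids
# and secrets below are placeholders.
servername: ondemand.example.org

# Problematic choice: a claim such as "sid" is a session identifier,
# not a login name, so REMOTE_USER becomes an opaque string that no
# user_map_match / user_map_cmd can turn into a local account.
# (Left commented out; shown only for contrast.)
#oidc_remote_user_claim: sid
#oidc_scope: "openid"

# Corrected choice: request the scopes that carry the identity claims,
# and map REMOTE_USER on a stable identity claim.
oidc_uri: "/oidc"
oidc_provider_metadata_url: "https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration"
oidc_client_id: "<application-client-id>"
oidc_client_secret: "<client-secret>"
oidc_remote_user_claim: preferred_username
oidc_scope: "openid profile email"

# REMOTE_USER now arrives as user@example.org. Assumption: the first
# capture group of user_map_match is used as the local account name,
# so this strips the domain and refuses anything from another realm.
user_map_match: '^([^@]+)@example\.org$'
```

If the portal still reports "failed to map user", the quickest check is to look at the raw REMOTE_USER value in the error: a login name or e-mail address means the claim is right and only the mapping regex needs adjusting, while an opaque base64-looking string means the claim (or, for SAML, the NameID format) is still the wrong one.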
Thanks, I was using the SAML with mod_auth_mellon process. Got to reading a bit more into mellon and saw that it uses transient as the default nameid-format, so I set it to use emailAddress in Azure, and it seems to be kinda working. Running into another issue, but I’m making some progress. Looks to just be something with my server.
Thanks again
-dain
Sorry! I just assumed it was OIDC. Glad to hear you’re making progress.