Troubleshooting SAML with Microsoft Entra ID

Common Issues and Resolutions

“RequestedAuthenticationContext … must be ‘exact’”

Symptom: Entra ID rejects the SAML authentication request with an error stating that the RequestedAuthenticationContext comparison value must be exact.

Resolution:

  1. In System Admin > Settings > SAML Settings > Advanced, set Required authentication level to exact.
  2. Save the configuration and retry the login.

“A user ID is required from your Single Sign On provider.”

Symptom: CPAM displays an error that a user ID is required.

Resolution:

  1. In Entra ID, open the application’s Single sign-on > SAML claims.
  2. Confirm a claim named exactly userid exists and maps to a valid attribute (for example, user.mail or user.userPrincipalName).
  3. Remove any Namespace value for the userid claim.
  4. Save and retry authentication.

Signing Key Rotation Blocks Logins

Symptom: Users cannot authenticate after Entra ID rotates its SAML signing certificate.

Resolution:

  1. Sign in locally as an administrator to CPAM.
  2. Go to System Admin > Settings > SAML Settings.
  3. Select Clear next to the IDP Signing Certificate, then reimport the current IdP metadata.

Group Synchronization Not Working

Symptom: Users are created but do not receive expected groups or roles.

Resolution:

  1. Verify Enable Group Sync if groups are provided is selected in SAML Settings.
  2. Confirm Entra ID sends a groups claim and that group names exactly match groups in CPAM (including case and spacing).
  3. Ensure the claim names have no namespaces.
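The three configuration checks above (Comparison value on the authentication request, a claim named exactly userid with no namespace, and group names matching CPAM exactly) can be verified offline against a captured AuthnRequest and Response before retrying the login. The script below is an added example, not CPAM or Entra ID code; the XML samples are constructed to show the failing cases, and the CPAM group list is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed samples: an AuthnRequest with the wrong Comparison value and
# an Entra-style Response whose userid claim carries a namespace.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:RequestedAuthnContext Comparison="minimum"/></samlp:AuthnRequest>"""
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.example.test/identity/claims/userid">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>PAM Admins</saml:AttributeValue>
      <saml:AttributeValue>pam users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def authn_request_is_exact(xml_text):
    """True when RequestedAuthnContext is absent or uses Comparison="exact"
    (the SAML 2.0 default), which is what Entra ID requires."""
    rac = ET.fromstring(xml_text).find("samlp:RequestedAuthnContext", NS)
    return rac is None or rac.get("Comparison", "exact") == "exact"

def check_response(xml_text, cpam_groups):
    """Return a list of findings for the userid and groups claim issues."""
    attrs = {}
    for a in ET.fromstring(xml_text).iter("{%s}Attribute" % NS["saml"]):
        attrs[a.get("Name", "")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    findings = []
    if "userid" in attrs:
        if not any(v.strip() for v in attrs["userid"]):
            findings.append("userid claim is empty: check its source attribute")
    else:
        namespaced = [n for n in attrs if n.endswith("/userid")]
        if namespaced:
            findings.append("userid claim has a namespace (%s): remove the Namespace value" % namespaced[0])
        else:
            findings.append("no userid claim in the assertion")
    groups = attrs.get("groups")
    if groups is None:
        findings.append("no groups claim: group sync has nothing to map")
    for g in groups or []:
        if g not in cpam_groups:  # exact match required, including case and spacing
            near = [c for c in cpam_groups if c.strip().lower() == g.strip().lower()]
            hint = " (CPAM has %r; names must match exactly)" % near[0] if near else ""
            findings.append("group %r not in CPAM%s" % (g, hint))
    return findings
```

Run check_response against a Response captured from the browser's SAML tracer (after the signature has been verified) to see which of the resolutions above applies.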

Cannot Revert to Old Credentials After First SAML Login

Expected behavior: After a user authenticates with SAML, they cannot use prior CPAM credentials. Disable SAML to restore the earlier authentication method if required.