Known Issues with SAML, Single Sign-On (SSO), and SCIM Integration in Entra ID

SAML and Single Sign On Known Issues

Azure AD SAML Test Fails

Description

Using the Test this application utility in SAML-based sign-in fails.

Authentication succeeds, but after redirecting the user to Cerberus FTP Server, the user encounters the error, “SSO authentication failed. Try again or contact the administrator”. The Cerberus FTP Server logs contain a warning message reading, “A request ID was expected but not provided in the assertion”.

Explanation

Cerberus currently requires every authentication response it receives to match an authentication request recently initiated with Cerberus. Azure AD’s SAML test procedure generates an independent authentication response and sends it to Cerberus. Since Cerberus has not received a prior authentication request it rejects the authentication request.

Work-Around

Use the SSO button on the Cerberus FTP Server login page for testing.

Users Column is Empty

Description

The Users tab appears empty for the SSO configuration.

Most likely, provisioning has not been configured or has not yet taken place. The Enterprise App must have automated provisioning enabled and must have completed a cycle of provisioning before users and groups will appear in the Cerberus FTP Server admin console.

Fixes

• SCIM Provisioning must be set up and functioning correctly
  See SCIM Provisioning between Azure AD and Cerberus FTP Server for detailed instructions.
• Users and groups must be granted access to adding them to the Enterprise Application
  
• Users and groups must be provisioned from Azure AD to Cerberus. Azure AD schedules provisioning updates every 40 minutes.
  Once SCIM Provisioning is configured correctly, you can use Provision on Demand to see immediate feedback in Cerberus
  

SCIM Known Issues

You can view Azure AD’s list of known issues; below we outline a few that may be common with Cerberus FTP Server.

Root Certification Authority

Azure AD requires that the public certificate for the endpoint listener used in the Tenant URL be issued by one of a specific set of root certification authorities. At the current time, this includes:

• CNNIC
• Comodo
• CyberTrust
• DigiCert
• GeoTrust
• GlobalSign
• Go Daddy
• VeriSign
• WoSign
• DST Root CA X3
  

Error Saving Provisioning

Azure AD in 2020 had a limit of 1 KB for configuration data. This has been reportedly increased as of 2021, but in 2023 we are still on occasion seeing issues where the SAML certificate plus Provisioning data (Tenant URL, Secret Token, Notification email, etc) are too large to save.

There are a few options to by-pass this issue. Reduce the number of custom Mapping fields you may have created, disable the Notification Email in Settings (long email addresses take space), or use one Enterprise App for SAML and another for Provisioning User Accounts.

None of these are great solutions, and we’re continuing to follow up with Microsoft for a better long-term solution.

Cannot Remove Provisioning

Once you have configured provisioning and saved, you cannot delete it. Microsoft recommends disabling Provisioning as a work-around.