SAML and Single Sign On Known Issues
Azure AD SAML Test Fails
Using the Test this application utility in SAML-based sign-in fails.
Authentication succeeds, but after redirecting the user to Cerberus FTP Server, the user encounters the error, “SSO authentication failed. Try again or contact the administrator”. The Cerberus FTP Server logs contain a warning message reading, “A request ID was expected but not provided in the assertion”.
Cerberus currently requires every authentication response it receives to match an authentication request recently initiated with Cerberus. Azure AD’s SAML test procedure generates an independent authentication response and sends it to Cerberus. Since Cerberus has not received a prior authentication request it rejects the authentication request.
Use the SSO button on the Cerberus FTP Server login page for testing.
Users Column is Empty
The Users tab appears empty for the SSO configuration.
Most likely, provisioning has not been configured or has not yet taken place. The Enterprise App must have automated provisioning enabled and must have completed a cycle of provisioning before users and groups will appear in the Cerberus FTP Server admin console.
SCIM Provisioning must be set up and functioning correctly
See SCIM Provisioning between Azure AD and Cerberus FTP Server for detailed instructions.
- Users and groups must be granted access to adding them to the Enterprise Application
- Users and groups must be provisioned from Azure AD to Cerberus. Azure AD schedules provisioning updates every 40 minutes.
Once SCIM Provisioning is configured correctly, you can use Provision on Demand to see immediate feedback in Cerberus
SCIM Known Issues
You can view Azure AD’s list of known issues; below we outline a few that may be common with Cerberus FTP Server.
Root Certification Authority
Azure AD requires that the public certificate for the endpoint listener used in the Tenant URL be issued by one of a specific set of root certification authorities. At the current time, this includes:
- Go Daddy
DST Root CA X3
Error Saving Provisioning
Azure AD in 2020 had a limit of 1 KB for configuration data. This has been reportedly increased as of 2021, but in 2023 we are still on occasion seeing issues where the SAML certificate plus Provisioning data (Tenant URL, Secret Token, Notification email, etc) are too large to save.
There are a few options to by-pass this issue. Reduce the number of custom Mapping fields you may have created, disable the Notification Email in Settings (long email addresses take space), or use one Enterprise App for SAML and another for Provisioning User Accounts.
None of these are great solutions, and we’re continuing to follow up with Microsoft for a better long-term solution.
Cannot Remove Provisioning
Once you have configured provisioning and saved, you cannot delete it. Microsoft recommends disabling Provisioning as a work-around.