Troubleshooting

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu Application Service.

This topic describes how to resolve common errors that arise when configuring a single sign-on partnership between Azure Active Directory (Azure AD), OpenID Connect (OIDC), and Single Sign‑On for VMware Tanzu Application Service.

Bad Request

Symptom:

The error message page reads,
There was an error when authenticating against the external identity provider:
400 Bad request.

Explanations:

  • This is a generic error. Review UAA logs for detailed information.
  • This error can occur when the app type is created as Native. Ensure you created your client in Azure AD as Web App/API.
  • This error can occur when a response type other than code is used. Ensure you configure the response type to use code.

Cannot determine username from credentials supplied

Symptom:

The error message page reads,
There was an error when authenticating against the external identity provider:
Cannot determine username from credentials supplied.

Explanation:

  • No value is mapped to the username used by Ops Manager. Under the identity provider attributes, map the unique_name attribute to username.

Azure Error for Reply Address

Symptom:

The error message on the sign-in page reads:
Sorry, but we're having trouble signing you in. We received a bad request.

Explanation:

  • The reply URL is misconfigured. Ensure you entered your callback URL correctly as a reply URL in Azure AD.

Login Page Cannot Be Found (404 Error)

Symptom:

The error message page reads:
This login.windows.net page can't be found.

Explanation:

  • The Authorization Endpoint URL might be incorrectly entered or not available. Ensure you correctly entered the authorization endpoint, and that the authorization endpoint is available to the end user.

Error authenticating against external identity provider: 404 Not Found

Symptom:

The error message page reads,
There was an error when authenticating against the external identity provider:
404 Not Found.

Explanation:

  • The Token Key URL might be incorrectly entered or not available. Ensure that you entered the token key setting correctly, and that the Token Key URL is available.

Error authenticating against external identity provider: Invalid issuer for token did not match expected

Symptom:

The partially redacted error message page reads,
There was an error when authenticating against the external identity provider:
Invalid issuer (redacted) for token did not match expected (redacted).

Explanation:

  • The Token Key URL might be incorrectly entered. Ensure that you entered the issuer setting correctly.

Request Method ‘POST’ not supported (405 Error)

Symptom:

The error message page reads,
HTTP Status 405 - Request method 'POST' not supported. Type: status report.
Message: Request method 'POST' not supported. Description: The specified HTTP method is not allowed for the requested resource.

Explanation:

  • This error can occur if you configure a response type that Azure AD does not support, or that is not enabled for the application, such as token or code id_token token. Ensure that you configure the response type to code.
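Several of the explanations on this page come down to two parameters of the authorization request: response_type must be code, and redirect_uri must match a reply URL registered in Azure AD exactly. The Python script below is an added example for checking a captured authorization request against those rules before opening a ticket; it is not code from the Single Sign-On tile or from Azure AD, and the registered reply URL, the endpoint host and the function names are constructed for the example.

```python
from urllib.parse import parse_qs, urlparse

# Constructed for this example: the callback URL an operator registered in Azure AD
# as the app's reply URL. Azure AD requires redirect_uri to match a registered URL exactly.
REGISTERED_REPLY_URLS = {"https://login.example.test/oauth/callback"}

# The only response_type this partnership supports (see the explanations above).
SUPPORTED_RESPONSE_TYPES = {"code"}


def check_authorization_request(url: str) -> list:
    """Return the problems found in an authorization request URL (empty list = OK)."""
    problems = []
    params = parse_qs(urlparse(url).query, keep_blank_values=True)

    def single(name):
        # Each of these parameters must appear exactly once; duplicates are suspicious.
        values = params.get(name, [])
        if len(values) != 1:
            problems.append(f"{name}: expected exactly one value, found {len(values)}")
            return None
        return values[0]

    response_type = single("response_type")
    if response_type is not None and response_type not in SUPPORTED_RESPONSE_TYPES:
        # Values such as 'token' or 'code id_token token' lead to the 400 and 405 errors above.
        problems.append(f"response_type: {response_type!r} is not supported, use 'code'")

    redirect_uri = single("redirect_uri")
    if redirect_uri is not None and redirect_uri not in REGISTERED_REPLY_URLS:
        # A mismatch here (even a trailing slash) produces the "We received a bad request" page.
        problems.append(f"redirect_uri: {redirect_uri!r} is not a registered reply URL")

    single("client_id")  # must be present exactly once; any mismatch is reported by single()
    return problems


if __name__ == "__main__":
    # Constructed request with both mistakes: a hybrid response type and a trailing slash.
    sample = ("https://idp.example.test/oauth2/authorize?client_id=demo-client"
              "&response_type=code%20id_token%20token"
              "&redirect_uri=https%3A%2F%2Flogin.example.test%2Foauth%2Fcallback%2F")
    for problem in check_authorization_request(sample):
        print(problem)
```

Paste the full authorization URL from the browser's address bar (or the UAA log line that records the redirect) as the argument; the trailing-slash case in the sample is the one that most often looks correct at a glance.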

Error authenticating against external identity provider: Some parties were not in the token audience

Symptom:

The partially redacted error message page reads,
There was an error when authenticating against the external identity provider:
Some parties were not in the token audience (redacted).

Explanation:

  • The Relying Party Client ID might be incorrectly entered. Ensure you have correctly entered the relying party client ID setting.
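The "Cannot determine username", "Invalid issuer" and "Some parties were not in the token audience" errors on this page are all claim checks on the ID token returned by the identity provider. The Python block below is an added example, not UAA's or the tile's code, that performs the same three checks on a constructed token so you can see which configured value each error corresponds to: the expected issuer, the relying party client ID, and the unique_name-to-username mapping. It signs the demo token with HMAC (HS256) and a constructed secret purely to keep the example self-contained; Azure AD signs real ID tokens with RSA keys published at the Token Key URL, and UAA verifies those instead. All issuer, client ID and secret values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders standing in for the tile's configured values.
EXPECTED_ISSUER = "https://sts.example.test/00000000-0000-0000-0000-000000000000/"
RELYING_PARTY_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
USERNAME_CLAIM = "unique_name"          # the attribute the page says to map to username
DEMO_SECRET = b"constructed-demo-secret"  # HS256 key for the demo only, not how Azure AD signs


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT carrying the given claims (demo stand-in for an Azure AD ID token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def validate_id_token(token: str, key: bytes = DEMO_SECRET, now=None) -> dict:
    """Verify the signature, then apply the issuer, audience and username checks in order."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick an algorithm the verifier did not expect
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    claims = json.loads(b64url_decode(payload_b64))

    # Maps to the "Invalid issuer ... did not match expected" error: the issuer setting.
    issuer = claims.get("iss")
    if issuer != EXPECTED_ISSUER:
        raise ValueError(f"Invalid issuer {issuer!r} for token did not match expected {EXPECTED_ISSUER!r}")

    # Maps to "Some parties were not in the token audience": the relying party client ID.
    # aud may be a single string or a list; the configured client ID must be among them.
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if RELYING_PARTY_CLIENT_ID not in audiences:
        raise ValueError(f"Some parties were not in the token audience {audiences!r}")

    current = time.time() if now is None else now
    if claims.get("exp") is not None and current >= claims["exp"]:
        raise ValueError("token expired")

    # Maps to "Cannot determine username from credentials supplied": the attribute mapping.
    username = claims.get(USERNAME_CLAIM)
    if not username:
        raise ValueError("Cannot determine username from credentials supplied")
    return {"username": username, "claims": claims}


def describe_failure(token: str, key: bytes = DEMO_SECRET) -> str:
    """Return 'ok' or the error text, the way it would surface on the error page."""
    try:
        validate_id_token(token, key)
    except ValueError as err:
        return str(err)
    return "ok"


if __name__ == "__main__":
    base = {"iss": EXPECTED_ISSUER, "aud": RELYING_PARTY_CLIENT_ID,
            "exp": 4102444800, "unique_name": "alice@example.test"}
    print(describe_failure(make_demo_token(base)))
    print(describe_failure(make_demo_token(dict(base, iss="https://sts.example.test/other-tenant/"))))
    print(describe_failure(make_demo_token(dict(base, aud="some-other-client"))))
    print(describe_failure(make_demo_token({k: v for k, v in base.items() if k != "unique_name"})))
```

The checks run in the same order a verifier would apply them, so a token that fails the signature check never reaches the claim checks; when you see one of the claim errors on the page, the signature and Token Key URL are already known good and the fix is the corresponding configured value.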