This topic describes how to resolve common errors that arise when configuring a single sign-on partnership between Azure Active Directory (AD) and Pivotal Single Sign-On (SSO).
You cannot log in to your SSO plan.
Pivotal recommends using a different browser, or clearing your browser cache and history, before you log in to your SSO plan. Logging in to your SSO plan can fail if you are already logged in to Azure AD as the Global Administrator account that was used to set up the configuration.
If your login fails more than five times, Azure locks your account for 30 minutes. There is currently no way to unlock an account in Azure AD, so wait for the lockout period to end.
Pivotal recommends testing your SSO plan from Azure AD to see the contents of the SAML assertion. For more information, see Test Your Configurations in Azure AD.
- The App ID URI is misconfigured on Azure AD.
- The Reply URL is misconfigured on Azure AD.
- The identity provider metadata contains RoleDescriptor elements or is missing the Name ID configuration. See Configure Identity Provider Metadata.
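As an added example (not Pivotal's or Microsoft's code), the following Python checks a downloaded Azure AD federation metadata file for the last cause above: it counts RoleDescriptor elements and, assuming the Name ID configuration appears as a NameIDFormat element inside the IDPSSODescriptor, reports whether one is declared, then produces a copy with the RoleDescriptor elements removed. The sample metadata is constructed with placeholder tenant values.

```python
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ET.register_namespace("md", MD["md"])

# Constructed sample shaped like Azure AD federation metadata, with placeholder
# tenant and endpoint values. It is not a real tenant's document.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_metadata(xml_text):
    """Count RoleDescriptor elements and list NameIDFormat values (assumed check)."""
    root = ET.fromstring(xml_text)
    role_descriptors = root.findall("md:RoleDescriptor", MD)
    idp = root.find("md:IDPSSODescriptor", MD)
    formats = [] if idp is None else [
        e.text.strip() for e in idp.findall("md:NameIDFormat", MD) if e.text]
    return {
        "role_descriptor_count": len(role_descriptors),
        "name_id_formats": formats,
        # Both problems from the list above must be absent for the file to pass.
        "ok": not role_descriptors and bool(formats),
    }


def strip_role_descriptors(xml_text):
    """Return the metadata with every top-level RoleDescriptor element removed."""
    root = ET.fromstring(xml_text)
    for rd in root.findall("md:RoleDescriptor", MD):
        root.remove(rd)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA))
    print(check_metadata(strip_role_descriptors(SAMPLE_METADATA)))
```

Run it against the metadata file you downloaded from Azure AD in place of SAMPLE_METADATA; a non-zero RoleDescriptor count or an empty NameIDFormat list points at this cause.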