SOTI Identity login issue using Entra-ID for newly added user

Publish Date: 14-Aug-2025 SOTI Identity

Summary

This document outlines the troubleshooting process for a SAML authentication failure involving SOTI Identity and Microsoft Azure AD.

Related SOTI ONE Platform Products

SOTI Identity

Issue Description

A newly added user was unable to log in to SOTI Identity using SAML-based SSO via Microsoft Azure AD. After being redirected to the IdP and completing login, the user was returned to SOTI Identity, where the authentication process failed and an error page was displayed.

Environment

  • Service Provider: SOTI Identity

  • Authentication Protocol: SAML 2.0

  • Identity Provider: Microsoft Azure AD (Microsoft Entra ID)

Symptoms

  • Users redirected to the IdP login page.

  • Post-authentication, redirected back to the service but shown an error page.

  • No access granted to the SOTI Identity portal.

Cause

On the SOTI Identity logs page, the following SAML response is recorded for the failed login:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8e868b7f-4214214214hgkdv-09ea0c00" Version="2.0" IssueInstant="2025-06-26T14:53:56.188Z" Destination="https://identity.dummy.com/sso/saml/Auth/HandleExternalIdpResponse" InResponseTo="_8e868b7f-4214214214hgkdv-09ea0c00">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.dummy.com/tenant-id-placeholder/</Issuer>
 <samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
 </samlp:Status>
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e868b7f-4214214214hgkdv-09ea0c00" IssueInstant="2025-06-26T14:53:56.182Z" Version="2.0">
  <Issuer>https://sts.dummy.com/tenant-id-placeholder/</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>
    <Reference URI="_8e868b7f-4214214214hgkdv-09ea0c00">
     <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
     </Transforms>
     <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
     <DigestValue>dummyDigestValue=</DigestValue>
    </Reference>
   </SignedInfo>
   <SignatureValue>dummySignatureValue==</SignatureValue>
   <KeyInfo>
    <X509Data>
     <X509Certificate>dummyCertificateValue</X509Certificate>
    </X509Data>
   </KeyInfo>
  </Signature>
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dummyUser</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_8e868b7f-4214214214hgkdv-09ea0c00" NotOnOrAfter="2025-06-26T15:53:56.004Z" Recipient="https://identity.dummy.com/sso/saml/Auth/HandleExternalIdpResponse"></SubjectConfirmationData>
   </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2025-06-26T14:48:56.004Z" NotOnOrAfter="2025-06-26T15:53:56.004Z">
   <AudienceRestriction>
    <Audience>https://identity.dummy.com/audience-placeholder</Audience>
   </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
    <AttributeValue>dummy-tenant-id</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
    <AttributeValue>dummy-object-identifier</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
    <AttributeValue>https://sts.dummy.com/tenant-id-placeholder/</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
    <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>dummyUser</AttributeValue>
   </Attribute>
   <Attribute Name="role">
    <AttributeValue>dummyRole</AttributeValue>
   </Attribute>
   <Attribute Name="mail">
    <AttributeValue>dummyUser@example.com</AttributeValue>
   </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2025-06-26T14:53:56.077Z" SessionIndex="_8e868b7f-4214214214hgkdv-09ea0c00">
   <AuthnContext>
    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified</AuthnContextClassRef>
   </AuthnContext>
  </AuthnStatement>
 </Assertion>
</samlp:Response>

Error log captured when the user attempts to log in.

The SAML response from Azure AD was missing the first name and last name values in the <AttributeStatement> section.

Issue Resolution

Investigation Using SAML-tracer:

  1. Installed and launched the SAML-tracer Chrome extension.

  2. Reproduced the SAML login flow to capture the authentication request and response.

  3. Located the SAMLResponse within the captured POST request.

  4. Opened the decoded XML in the SAML tab of the extension.

  5. Reviewed the <AttributeStatement> section to check whether any expected attribute was missing.

Findings:

  • All expected attributes (such as mail, name, role, etc.) were present in the SAML assertion.

  • However, firstname and lastname were not included, even though they were defined as attributes in the IdP configuration. In the log excerpt below, all other attributes are passed, but no first name or last name is reported.

   <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
    <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
   </Attribute>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>dummyUser@example.com</AttributeValue>
   </Attribute>
   <Attribute Name="role">
    <AttributeValue>dummyRole</AttributeValue>
   </Attribute>
   <Attribute Name="mail">
    <AttributeValue>dummyUser@example.com</AttributeValue>
   </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2025-06-26T14:53:56.077Z" SessionIndex="_8e868b7f-4214214214hgkdv-09ea0c00">
   <AuthnContext>
    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified</AuthnContextClassRef>
   </AuthnContext>
  </AuthnStatement>
 </Assertion>
</samlp:Response>

  • This empty-value condition caused downstream validation within SOTI Identity to fail.

Resolution:

1. Fill in the user's first name and last name fields in the Azure AD portal.

2. After the update, the SAML response includes valid values, and the login succeeds.

Additional Information

How to Use SAML-tracer for Troubleshooting:

1. Install the Extension:

  • Search for SAML-tracer in the Chrome Web Store and install it.

2. Open SAML-tracer: 

  • Select the extension icon to open the SAML-tracer panel.

3. Reproduce the Login Flow: 

  • Perform the SAML login in another tab while SAML-tracer is running.

4. Inspect the SAML Response:

  • Look for a POST request with SAMLResponse.
  • Select the request, go to the SAML tab, and inspect the decoded XML.

5. Review <AttributeStatement> Section and confirm: 

  • All required attributes are present.
  • Values are populated.

6. Export Logs (Optional):

  • Use File > Export Log to save a copy for reference or sharing with support.
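The check in step 5 above (and the finding in the Issue Resolution section that first name and last name were absent or empty) can be automated. The following is an added example, not SOTI's or SAML-tracer's own code: it decodes a SAMLResponse form value as captured by SAML-tracer and reports which required claims are missing or blank in the <AttributeStatement>. The givenname and surname claim URIs are the standard Entra ID name claims and are an assumption here, since the article only states that first and last name were missing; the sample response is constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claims the service provider must receive populated. The two name claim URIs
# are the standard Entra ID first/last-name claims and are an assumption here;
# the article only states that first name and last name were missing.
REQUIRED_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "mail",
)


def decode_saml_response(post_value: str) -> str:
    """Decode the base64 SAMLResponse form field (what SAML-tracer's SAML tab shows)."""
    raw = post_value.strip()
    raw += "=" * (-len(raw) % 4)  # restore any stripped base64 padding
    return base64.b64decode(raw).decode("utf-8")


def check_attribute_statement(response_xml: str, required=REQUIRED_CLAIMS) -> dict:
    """Return which required claims are absent or carry only empty values."""
    root = ET.fromstring(response_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        found[attr.get("Name")] = values
    missing = [name for name in required if name not in found]
    empty = [name for name in required if name in found and not any(found[name])]
    return {"missing": missing, "empty": empty, "ok": not missing and not empty}


# Constructed sample modelled on the article's response: mail is populated,
# givenname is present but blank, surname is absent altogether.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_x" Version="2.0">
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0">
  <AttributeStatement>
   <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <AttributeValue></AttributeValue>
   </Attribute>
   <Attribute Name="mail">
    <AttributeValue>dummyUser@example.com</AttributeValue>
   </Attribute>
  </AttributeStatement>
 </Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    print(check_attribute_statement(decode_saml_response(encoded)))
```

Running it against the constructed sample reports surname as missing and givenname as empty, which is the condition the article describes failing downstream validation in SOTI Identity.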
