@jnagati Normally, if the user is set up properly for SSO, he/she should not be able to connect with user/pwd. Could you share a screenshot of the user setup?
Is the email address set up in Directory ID? Is Default IdP turned off? Is there an IAM user for it?
Hi jnagati,
From my experience this is one of two things:
- Directory ID is incorrect
- UPN / Directory ID don’t match
On the second one, this is more likely if something has changed on the Azure side. Please note I am not 100% on this, so take it with a pinch of salt.
As far as I could tell, the first time a user connects via SSO, the GUID of the user is mapped to their UPN and stored in IFS. For future SSO logins, IFS sees that it has this matched email for this Azure GUID and uses the cached email value to match against the Directory ID.
Therefore, if a UPN has changed after the first login, it can cause a mismatch. We got around this by using the email attribute mapping instead, but I believe you can now clear this cached value in IFS somewhere (not sure, as I have never had to do it).
Hopefully this is of some help!
Hi, most probably the client secret key has expired. Please check the ifsapp-iam container logs.
Solution: generate a new secret key from the Azure App Registration and update it in Application IAM, Identity Providers.
Thanks,
Ashen
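A quick way to confirm the expired-secret theory from the post above before touching the app registration is to look at the secrets' end dates rather than guessing from the IAM logs. The script below is an added example (not IFS or Microsoft code): it takes the JSON that `az ad app credential list --id <app-id> -o json` prints and reports each secret as expired, expiring soon, or OK. It assumes the Graph-style field names `keyId`, `displayName` and `endDateTime` that recent Azure CLI versions emit; the embedded sample data and the app/key IDs in it are constructed for illustration.

```python
"""Flag expired or soon-to-expire client secrets on an Azure app registration.

Added example, not part of the original thread. Feed it the output of
`az ad app credential list --id <app-id> -o json` on stdin, or run it
without input to see the constructed sample below.
"""
import json
import re
import sys
from datetime import datetime, timezone

# Constructed sample resembling `az ad app credential list` output (assumed field names).
SAMPLE_CREDENTIALS = json.dumps([
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "ifs-iam-old",
     "endDateTime": "2024-03-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "ifs-iam-current",
     "endDateTime": "2024-06-20T12:00:00.1234567+00:00"},
    {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "ifs-iam-next",
     "endDateTime": "2026-01-01T00:00:00Z"},
])

# Graph timestamps may carry 7 fractional digits; fromisoformat accepts at most 6.
_FRACTION_RE = re.compile(r"\.(\d{1,6})\d*")


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp (with 'Z' or an offset) into an aware UTC datetime."""
    value = _FRACTION_RE.sub(lambda m: "." + m.group(1), value)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # treat naive values as UTC rather than local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def classify_credentials(json_text, now=None, warn_days=30):
    """Return a list of (keyId, displayName, status, days_left) for each secret.

    status is 'expired' (end date in the past), 'expiring' (within warn_days) or 'ok'.
    """
    now = now or datetime.now(timezone.utc)
    results = []
    for cred in json.loads(json_text):
        end = parse_timestamp(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "expired"
        elif days_left < warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append((cred.get("keyId"), cred.get("displayName"), status, days_left))
    return results


def has_valid_secret(json_text, now=None):
    """True if at least one secret has not yet expired (SSO can still work)."""
    return any(status != "expired" for _, _, status, _ in classify_credentials(json_text, now))


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CREDENTIALS
    for key_id, name, status, days in classify_credentials(raw):
        print(f"{status:9} {days:5d} days  {name} ({key_id})")
    if not has_valid_secret(raw):
        print("No unexpired client secret: rotate it in the App Registration "
              "and update the IAM identity provider configuration.")
```

If every entry reports `expired`, the symptom in the thread (the IAM container refusing the federated login) is explained without further digging; if a valid secret exists, compare its value with what is configured in IFS IAM rather than rotating blindly, since rotating also invalidates any other client still using the old secret.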
What Directory ID is set under Create User?
If this is his user ID and not the SSO email, the user will need to enter a password and SSO will not work.