Azure active directory SAML SSO configuration issue with Django backend

nn10101 1 Reputation point
2021-07-27T16:26:41.43+00:00

I am trying to set up SAML Single Sign-On (SSO) with my Django app, but I am getting an error when I try to login to my app.

I go to the app url, Microsoft processes the request (the url displays microsoft.loginonline.com/etc briefly), and then I get redirected to this page:

"https://my-app.azurewebsites.net/.auth/login/aad/callback"

which displays this error:

{"code":400,"message":"IDX10501: Signature validation failed. Unable to match keys: \nkid: '[PII is hidden]', \ntoken: '[PII is hidden]'."}

The reply url is set to:
"https://my-app.azurewebsites.net/.auth/login/aad/callback"

I did the set-up following both the Azure docs and this documentation: https://django-auth-adfs.readthedocs.io. It is ostensibly working on my localhost, just not on the actual Azure App Service... I am unsure of what I am doing wrong, and the error message is not very informative for me as I am new to back-end programming and cloud.

Any help is appreciated, thanks!


1 answer

  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-07-28T06:35:07.167+00:00

    @nn10101 Thanks for reaching out.

    Looking at the error message, it seems that it is not able to find the correct set of keys to validate the token.
    Verify that you are correctly using the keys configuration in your setup.

    If your setup includes a tenant-independent keys setup for the Common endpoint, you need to use this URL: https://login.microsoftonline.com/common/.well-known/openid-configuration

    If you are using a tenant-dependent URI, then use a tenant-specific URL to recover keys (for example, the Microsoft tenant): https://login.microsoftonline.com/microsoft.onmicrosoft.com/discovery/v2.0/keys

    Replace your tenant name here to get to your supported keys (for example, contoso.onmicrosoft.com).
    If you need any further help, we need to go through your setup.

    ---------------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.
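The check the answer describes, as an added example that is not part of the original question or answer: the IDX10501 message means the `kid` in the token header was not found among the keys the validating app loaded, so the first thing to confirm is that the app fetches keys from the same place the token's issuer publishes them (the `common` discovery document or the tenant-specific JWKS endpoint named above). The script below builds those URLs, reads the unverified header of a JWT to get its `kid`, and looks that `kid` up in a JWKS document. The token and JWKS are constructed sample data with placeholder key material; it does no signature verification and makes no network calls.

```python
import base64
import json
from typing import Optional

LOGIN_HOST = "https://login.microsoftonline.com"


def discovery_url(tenant: Optional[str] = None) -> str:
    """OpenID configuration document: 'common' for a tenant-independent
    setup, otherwise the tenant name (e.g. contoso.onmicrosoft.com)."""
    return f"{LOGIN_HOST}/{tenant or 'common'}/.well-known/openid-configuration"


def jwks_url(tenant: str) -> str:
    """Tenant-specific JWKS endpoint, as given in the answer above."""
    return f"{LOGIN_HOST}/{tenant}/discovery/v2.0/keys"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_header(token: str) -> dict:
    """Parse the JOSE header of a compact JWS. Nothing here is verified;
    the header is read only to learn which key id the token claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0]))


def find_signing_key(token: str, jwks: dict) -> Optional[dict]:
    """Return the RSA JWK whose 'kid' matches the token header, or None.
    None is exactly the situation behind 'IDX10501 ... Unable to match keys'."""
    kid = jwt_header(token).get("kid")
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA":
            return key
    return None


def make_unsigned_token(kid: str) -> str:
    """Constructed sample token carrying the given kid. The signature segment
    is a dummy because only header parsing is demonstrated here."""
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    payload = {"aud": "constructed-client-id",
               "iss": f"{LOGIN_HOST}/constructed-tenant-id/"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample JWKS, shaped like a discovery/v2.0/keys response but with
# placeholder modulus values; real documents carry full RSA public keys.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "constructed-kid-1",
         "n": "placeholder-modulus-1", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "kid": "constructed-kid-2",
         "n": "placeholder-modulus-2", "e": "AQAB"},
    ]
}


def diagnose(token: str, jwks: dict, source: str) -> str:
    """One-line explanation of whether the token's kid is present in the
    key set fetched from `source`."""
    kid = jwt_header(token).get("kid")
    if find_signing_key(token, jwks) is None:
        return (f"kid {kid!r} not present in JWKS from {source}; confirm the app "
                f"loads keys from the endpoint matching the token's issuer")
    return f"kid {kid!r} matched a signing key from {source}"


if __name__ == "__main__":
    tenant_keys = jwks_url("contoso.onmicrosoft.com")
    print(diagnose(make_unsigned_token("constructed-kid-1"), SAMPLE_JWKS, tenant_keys))
    print(diagnose(make_unsigned_token("constructed-kid-9"), SAMPLE_JWKS, discovery_url()))
```

To apply this to a real setup, fetch the document at `jwks_url(<your tenant>)` (or follow `jwks_uri` from the `common` discovery document) and pass it as `jwks` together with the token the callback rejected; if `find_signing_key` returns `None`, the app and the issuer disagree about which key set is in use.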