Users cannot sign in to SaaS applications from the Microsoft Azure Access Panel or MyApps

Symptoms
When users try to access Software as a Service (SaaS) web applications from the Microsoft Azure Access Panel or from MyApps, they experience a sign-in error on the application website.

You may also receive an email message that resembles the following if the certificate has expired:
Action required: Your usage of application_name using Azure Active Directory may incur downtime if action is not taken to update the certificate used for single sign-on.

Dear Customer,

You are receiving this email because our records indicate that you have configured Azure Active Directory for single sign-on with application_name. This configuration required downloading a certificate from the Azure management portal and uploading it to application_name.

This certificate used for single sign-on to application_name is set to roll over on certificate_rollover_date.

Action required: You will need to update this certificate in application_name prior to the date above to avoid downtime with single sign-on. To do this:
  1. Sign in to the Azure classic portal using an administrator account such as: directory_administrator_username
  2. Under the Active Directory tab, select the following directory name: directory_name
  3. Select the Applications tab, then select application_name.
  4. On the Quick Start tab (represented by the blue cloud icon), select the Configure single sign-on button.
  5. Select Microsoft Azure AD Single Sign-On and select Next.
  6. In the Configure App Settings screen, select Next.
  7. Follow the instructions on the Configure Single Sign-on screen to update the certificate used by application_name. Be sure to check the confirmation check box and complete the final screen when finished.

Please contact us if you have any questions about this certificate rollover.

Thank you,

Azure Active Directory Team

Resolution
To resolve this problem, try the following methods.

User account issues

Note: The solution for each SaaS application may differ and may not work for some applications.
  • Make sure that the user exists in the SaaS application.
  • Make sure that the user can sign in to the SaaS application and that the user is not disabled in the SaaS application.
  • Verify the following sign-in information:
    1. If the SaaS application uses a user name to sign in, make sure that the user name of the user in the SaaS application matches the user name in Azure Active Directory.
    2. If the SaaS application uses an email address to sign in, make sure that the email address of the user in the SaaS application matches the user name in Azure Active Directory.

    Note: If you have set up user provisioning, a change of the user name in Azure Active Directory may take 15 minutes to synchronize with the SaaS application.
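
The account checks in the list above can be run in bulk over two user exports. The following is an added example, not Microsoft's code: the CSV column names (`user_name`, `username`, `email`, `active`), the constructed sample rows, and the exact, case-sensitive comparison are assumptions for illustration.

```python
import csv
import io

# Constructed sample exports (not real data); column names are assumptions.
AAD_EXPORT = """user_name
alice@contoso.example
bob@contoso.example
carol@contoso.example
dave@contoso.example
"""
SAAS_EXPORT = """username,email,active
alice@contoso.example,alice@contoso.example,true
Bob@Contoso.example,bob@contoso.example,true
carol,carol@contoso.example,false
"""

def audit_sso_users(aad_csv, saas_csv, login_field):
    """Return {aad_user_name: finding} for users that fail the account checks.

    login_field is the SaaS column the application signs in with:
    "username" or "email".
    """
    if login_field not in ("username", "email"):
        raise ValueError("login_field must be 'username' or 'email'")
    saas_rows = list(csv.DictReader(io.StringIO(saas_csv)))
    by_login = {row[login_field]: row for row in saas_rows}
    findings = {}
    for row in csv.DictReader(io.StringIO(aad_csv)):
        name = row["user_name"]
        account = by_login.get(name)  # exact match, as the checks require
        if account is None:
            # Same person recorded under a differently written identifier?
            key = name.strip().casefold()
            near = next((r for r in saas_rows if key in
                         (r["username"].strip().casefold(),
                          r["email"].strip().casefold())), None)
            if near is None:
                findings[name] = "missing in SaaS application"
            else:
                findings[name] = (f"name mismatch: SaaS {login_field} "
                                  f"is {near[login_field]!r}")
        elif account["active"].strip().lower() != "true":
            findings[name] = "disabled in SaaS application"
    return findings

if __name__ == "__main__":
    for field in ("username", "email"):
        print(field, audit_sso_users(AAD_EXPORT, SAAS_EXPORT, field))
```

The same exports produce different findings depending on whether the application signs in by user name or by email address, which is why the sign-in attribute has to be known before comparing.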

Certificate issues

If you are using federation-based single sign-on, make sure that the Azure Active Directory certificate is updated in the SaaS application. To do this, follow these steps:
  1. Sign in to the Azure classic portal by using an administrator account.
  2. On the Active Directory tab, select your directory.
  3. Select the Applications tab, and then select the application that must be changed.
  4. On the Quick Start tab (represented by the blue cloud icon), select the Configure single sign-on button.
  5. Select Microsoft Azure AD Single Sign-On, and then select Next.
  6. On the Configure App Settings screen, select Next.
  7. Follow the instructions on the Configure Single Sign-on screen to update the certificate that's used by your application. Make sure that you select the confirmation check box and complete the final screen when you are finished.

Note: Certificates typically expire after one, two, or three years. Certificates must be updated in all SaaS applications.

Properties

Article ID: 2909701 - Last Review: 07/14/2016 17:18:00 - Revision: 6.0

Microsoft Azure Cloud Services
