Problem
When trying to sign into the HCP portal with SSO configured for the HCP organization, you may encounter the following error message after entering your SSO email or after authenticating with Azure Identity Provider (IdP):
"Unable to validate the IDP assertion. Ask your administrator that the organization signing certificate is properly configured."
Cause
This error is typically caused by one of the following issues:
- Incorrect Certificate Uploaded: The wrong certificate might be configured in the receiving system (i.e., under HCP SSO settings).
- Expired Certificate: The IdP's signing certificate might have expired.
- Mismatched Certificate Details: The certificate details, such as fingerprint or issuer, might not match the expected values.
This error message indicates that the system cannot verify the digital signature on the SAML assertion received from the Azure Identity Provider (IdP). This issue is most likely due to an improperly configured certificate on the receiving system.
Solutions
Please validate the SAML settings in Azure and ensure that the attributes and claims match the guidance provided in the Azure Active Directory SAML SSO Configuration documentation.
Review the Certificate Configuration:
- Ensure the correct signing certificate is uploaded in the HCP SSO settings.
- Confirm that the certificate has not expired. If expired, replace it with a valid certificate. To create a new certificate, you can follow the steps outlined here.
- Check that the certificate details (such as the fingerprint or issuer) match the expected values configured in your HCP SSO settings.
Update the Certificate: If the certificate is incorrect or expired, you need to upload the correct one in Base64 (.base64) format under HCP SSO settings. The correct format should look like this:
-----BEGIN CERTIFICATE-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7Hgyd9Jv7ulJbB1Bv7hQ
...
R6t8kikpQRy9sqZy5jl8A=
-----END CERTIFICATE-----
After updating the certificate, users should be able to log in via SSO without any issues.
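The checks listed above (correct PEM block, expiry, issuer, fingerprint) can be run locally against the certificate file before it is uploaded. The following Go program is an added example and is not part of this article or of HCP's tooling; it builds a constructed self-signed certificate as a stand-in for the IdP signing certificate (an administrator would instead paste the certificate downloaded from Azure) and reports the fingerprint and validity window so they can be compared with what the HCP SSO settings expect. It also rejects a pasted block whose type is not CERTIFICATE, which catches the common mistake of uploading a public key or private key file instead of the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertReport holds the details an administrator compares with the HCP SSO
// settings and the Azure portal: issuer, validity window and SHA-256 fingerprint.
type CertReport struct {
	Issuer      string
	NotBefore   time.Time
	NotAfter    time.Time
	Fingerprint string // colon-separated hex SHA-256 of the DER certificate
	Expired     bool
	NotYetValid bool
}

// CheckSigningCert parses a Base64/PEM certificate and evaluates it at `now`.
// It fails on missing PEM armor, on a PEM block that is not a CERTIFICATE
// (e.g. a public key pasted by mistake) and on a body that is not valid X.509.
func CheckSigningCert(pemText string, now time.Time) (*CertReport, error) {
	block, _ := pem.Decode([]byte(strings.TrimSpace(pemText)))
	if block == nil {
		return nil, errors.New("no PEM block found: expected -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----")
	}
	if block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("PEM block type is %q, not CERTIFICATE: upload the signing certificate, not a key file", block.Type)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("PEM body is not a valid X.509 certificate: %w", err)
	}
	sum := sha256.Sum256(cert.Raw)
	return &CertReport{
		Issuer:      cert.Issuer.String(),
		NotBefore:   cert.NotBefore,
		NotAfter:    cert.NotAfter,
		Fingerprint: colonHex(sum[:]),
		Expired:     now.After(cert.NotAfter),
		NotYetValid: now.Before(cert.NotBefore),
	}, nil
}

// colonHex formats bytes as "AB:CD:..." the way most IdP portals display fingerprints.
func colonHex(b []byte) string {
	parts := make([]string, len(b))
	for i, x := range b {
		parts[i] = fmt.Sprintf("%02X", x)
	}
	return strings.Join(parts, ":")
}

// NewSelfSignedPEM builds a constructed self-signed certificate used here only
// as a stand-in for the IdP signing certificate (hypothetical test data).
func NewSelfSignedPEM(cn string, notBefore, notAfter time.Time) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// ConstructedPublicKeyPEM returns a PEM block of the wrong type (constructed
// bytes, not a real key) to show how a mis-pasted key file is rejected.
func ConstructedPublicKeyPEM() string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: []byte("not-a-certificate")}))
}

func main() {
	now := time.Now()
	good, _ := NewSelfSignedPEM("constructed-idp-signing", now.Add(-time.Hour), now.Add(24*time.Hour))
	expired, _ := NewSelfSignedPEM("constructed-idp-signing", now.Add(-48*time.Hour), now.Add(-time.Hour))
	for _, p := range []string{good, expired, ConstructedPublicKeyPEM(), "garbage"} {
		r, err := CheckSigningCert(p, now)
		if err != nil {
			fmt.Println("REJECT:", err)
			continue
		}
		fmt.Printf("issuer=%s notAfter=%s expired=%v fingerprint=%s\n", r.Issuer, r.NotAfter.UTC(), r.Expired, r.Fingerprint)
	}
}
```

Run it with the real certificate by replacing the constructed PEM strings with the contents of the file downloaded from Azure; a REJECT line or expired=true explains the assertion validation error before any change is made in HCP.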
Note: If you are unable to update the certificate through SSO, you can log in with an email/password identity (as an owner or admin) in the HCP Organization and manually update the certificate under the HCP SSO settings.
Conclusion
The issue was caused by a certificate problem, preventing the request from being validated through the Azure IdP and resulting in the login error. After updating the certificate in the correct Base64 (.base64) format, users can authenticate successfully via SSO. Ensuring the correct certificate is configured will resolve this error.