Question - Azure AD Saml cannot retrieve identity / incorrect saml attr's

Hello!

I am having an issue where my SAML has been configured with the values required and I have configured eramba according to the following post: Question - SAML Configuration for Azure AD.

When I try to auth with the SAML connector I get the following in the authentication log.

`FAILURE_IDENTITY_NOT_FOUND` for [N/A] on Main portal with errors: [0->User is authenticated successfully on IDP side] [1->We found email attribute in SAML response: <My full email address>]

It seems like the auth gets across but the attribute that eramba sends does not line up. I have tested the following:

  • Have configured Azure AD with:
    - Single sign on URL
    - Audience URI (SP Entity ID)
    - Default RelayState
    - Assertion Consumer Service (ACS)
    - Logout URL
  • Have tried with my login name and email along with any other aliases.

  • Have verified the SAML app’s cert and metadata URL by reconfiguring the Azure enterprise app against another SAML-authed product I have.

I have a feeling I’m not far off the solution but overlooking something important; any input appreciated.

App ID

App Version

DB Schema Version

Never mind, I think I have the error.

In the scenario of my company's AAD some login names are not equal to the primary email address (which already causes problems in other areas).

The SamlAuthenticator class relies on the email attribute, so the response I am getting from AD does not line up and is most likely the source of the error; it also explains the N/A part in the message.

    protected $_defaultConfig = [
        'loginUrl' => null,
        'urlChecker' => 'Authentication.Default',
        'AuthObj' => null,
        'sessionKey' => null,
        // name of the SAML attribute that carries the local "email" value
        'attributes' => [
            'email' => 'email',
        ],
        // the identifier looks the user up by the local "email" field
        'fields' => [
            IdentifierInterface::CREDENTIAL_USERNAME => 'email',
        ],
        // remaining defaults not shown in the post
    ];
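As an added illustration (not eramba's code) of why the lookup fails: the Python below mimics an authenticator that takes the SAML attribute configured under the local `email` key and looks it up in a configured credential field, so the same assertion resolves or fails depending on what that field holds. The assertion fragment, the user table and the display-name claim are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion fragment; values are placeholders, not real data.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed local user table: the login name is NOT the primary email,
# which is the situation described in the thread.
USERS = [{"username": "jdoe", "email": "jane.doe@example.com"}]

def saml_attributes(xml_text):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        vals = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        out[attr.get("Name")] = vals
    return out

def resolve_identity(xml_text, attribute_map, credential_field, users):
    """Mimic the authenticator: read the SAML attribute mapped to the local
    'email' key and look its value up in the configured credential field.
    Returns (user_or_None, diagnostics)."""
    attrs = saml_attributes(xml_text)
    saml_name = attribute_map["email"]
    if saml_name not in attrs:
        return None, ["No email attribute in SAML response"]
    value = attrs[saml_name][0]
    diag = [f"We found email attribute in SAML response: {value}"]
    match = next((u for u in users if u.get(credential_field) == value), None)
    if match is None:
        diag.append(f"FAILURE_IDENTITY_NOT_FOUND: no user with {credential_field} == {value!r}")
    return match, diag

if __name__ == "__main__":
    # Lookup by 'username' fails (login name != email); lookup by 'email' succeeds.
    print(resolve_identity(ASSERTION, {"email": "email"}, "username", USERS))
    print(resolve_identity(ASSERTION, {"email": "email"}, "email", USERS))
```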

I just love when techies do their job well - life is so much easier this way!