SSO login fails with "Authentication Failed!" error - unexpected SAML_USER value


56518
Created On 01/09/19 18:19 PM - Last Modified 02/21/24 09:42 AM


Symptom


After configuring SSO in Prisma Cloud, an attempted login results in an "Authentication Failed" error. Additional information shows:

Either the user does not exist or (s)he does not have SSO login access.
Error occurred due to unexpected value of required field 'SAML_USER'.
Expected Value: 'available'.
Actual Value: 'unavailable'.


If Azure AD is used for SSO, the error message reads:
Error occurred due to unexpected value of required field 'SAML_CUSTOMER'


Environment


  • Prisma Cloud
  • SSO


Cause


The error message indicates that the Prisma Cloud user is not found. The root cause can be a number of things, but some of the common causes are:
  • The user does not exist in Prisma Cloud.
  • The IdP is misconfigured. Prisma Cloud uses the email address as the username.
  • The Identity Provider Issuer URL is configured incorrectly in the Prisma Cloud console SSO settings.
  • Prisma Cloud uses a third-party SSO such as Azure SSO, and the user tried to access the Prisma Cloud console directly via the stack link, e.g. https://app.sg.prismacloud.io/.


Resolution


User does not exist in Prisma Cloud

  1. Login to Prisma Cloud
  2. Go to Settings (top-right, gear icon) > Users
  3. Create the user that failed the login

IdP is misconfigured.  Prisma Cloud uses email address as username.

The actual steps depend on your IdP, but ensure that:
  1. The Name ID format is email address
  2. The username is mapped to the user's email
If issue persists, please contact Palo Alto Networks support via Prisma Cloud UI.

Identity Provider Issuer misconfigured on Prisma Cloud

Check if the Identity Provider Issuer is configured correctly on the Prisma Cloud SSO settings.
Settings > Access Control > SSO

For Azure AD SSO, the "Azure AD Identifier" shown in the Azure portal under Application > Single sign-on is the equivalent of "Identity Provider Issuer" in the Prisma Cloud portal.


  Azure SSO portal          Prisma Cloud SSO setting
  -----------------------   -----------------------------
  Azure AD Identifier       Identity Provider Issuer
  Logon URL                 Prisma Cloud Access SAML URL
  Logout URL                Identity Provider Logout URL
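A check that covers both IdP-side causes above (a Name ID that is not in email-address format, and an assertion Issuer that does not match the Identity Provider Issuer configured in Prisma Cloud), as an added example that is not from this article or from Prisma Cloud; the SAML response, the issuer URL and the user ID are constructed placeholders:

```python
# Added example (not Prisma Cloud code): flag the two IdP-side causes listed
# above: NameID format not email, and Issuer not matching the "Identity
# Provider Issuer" configured in Prisma Cloud. Sample data is constructed.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_saml_response(xml_text, expected_issuer):
    """Return findings that explain why the SP-side user lookup would fail."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]
    findings = []
    # Issuer must equal the value entered under Settings > Access Control > SSO
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: assertion says {issuer!r}, "
                        f"Prisma Cloud configured {expected_issuer!r}")
    # NameID must be the user's email address, sent in the emailAddress format
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("no NameID in Subject")
    else:
        fmt = name_id.get("Format", "")
        if fmt != EMAIL_FORMAT:
            findings.append(f"NameID format is {fmt!r}, expected emailAddress")
        if "@" not in (name_id.text or ""):
            findings.append(f"NameID value {name_id.text!r} is not an email address")
    return findings

# Constructed sample: the IdP sends an opaque user ID instead of the email.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">u12345</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for f in check_saml_response(SAMPLE_RESPONSE, "https://idp.example.test/metadata"):
        print("FINDING:", f)
```

Run it against a SAML response captured with the browser's developer tools (decoded from the SAMLResponse form field) to see which of the two settings the IdP is getting wrong before opening a support case.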

Prisma Cloud SSO uses a third-party SSO

The error can also appear for seemingly random users when a third-party SSO is in use and the user has at some point tried to log in through the direct Prisma Cloud link, e.g. app.sg.prismacloud.io.
That link redirects to the Palo Alto Networks-provided SSO, which fails.
The browser caches this redirect, so even when the user later opens the third-party SSO link (such as the app link provided by Azure SSO), they still land on the Palo Alto Networks-provided SSO and continue to get the error below.
Error occurred due to unexpected value of required field 'SAML_USER'
  1. Open a private browsing tab, use the third-party SSO app link, and check whether login works.
  2. Clear the browser's cache.
  3. Go to the SSO app portal (e.g. the Azure SSO app or Okta app) and click the Prisma Cloud application added there.
Ask users never to use the direct Prisma Cloud link (e.g. app.sg.prismacloud.io) to access the Prisma Cloud console.
Always use the application link provided by the IdP (SSO provider).
 


Additional Information


In cases where the existing System Admin user accounts cannot be used and there is no way to add new user accounts, contact TAC.
TAC can request engineering to add a Palo Alto Networks user to the tenant, who can then add more users to the Prisma Cloud tenant.

