Troubleshooting SSO (oAuth2)
Table of contents
- oAuth2 Error messages
- Troubleshooting Wizard
You may receive an error when signing in to the Workspace. There are several possible reasons for this. This article discusses these scenarios and helps you troubleshoot SSO. You can use the Wizard for further troubleshooting and to check your configuration.
The Azure Graph will go offline in June next year. We have moved from the Azure Graph to the Microsoft Graph entirely. In your current SSO app registration, you can change the Azure Graph API permissions to Microsoft Graph (if not already configured). For more information on how to change these permissions manually, click here.
oAuth2 error messages
The state received from the authority server is invalid
2020-01-20 11:05:56.430 WARN  w365support uid(null) NDAW.Html.Front.OAuth2.OAuth2StateService - Given authentication state's issued date `1/20/2020 8:14:33 AM` is older then `00:05:00` from now `1/20/2020 10:05:56 AM`
This happens if the request state is older than 5 minutes or the request state is invalid.
- State is older than 00:05:00 (5 minutes)
- Requested state is wrong/reused
State is older than 00:05:00 (5 minutes)
If you navigate to the workspace with oAuth2 configured, you will be redirected to the Authority (Azure AD or, if it's a federated domain, to the ADFS). The oAuth2 protocol demands a request state from the application (Workspace 365). In this case, the request state is the exact time of the redirect to the Authority. If you are redirected and do not complete the sign-in process within 5 minutes, the request state is older than 00:05:00 (5 minutes).
This occasionally happens when the workspace is set as the start page and the user does not sign in within this time frame.
Requested state is wrong/reused
If you navigate to your workspace URL, e.g. https://stable.workspace365.me/w365support, you are redirected to the sign-in page of your Authority. In this case, that is the SSO application created in Azure AD.
Occasionally, users bookmark this page. In the current URL (listed below) the request state is included. Every time they open the bookmark, they will be told that the request state is invalid.
- If you are using Windows 10 with an Azure AD joined device, you can benefit from the full Single Sign-On experience by using Edge as browser or by installing the Windows 10 Accounts extension in Chrome.
- Click 'Retry'.
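The two causes described above (a state older than 00:05:00 and a wrong/reused state) can be seen in a minimal state check. This is an added example, not Workspace 365 code: the HMAC-signed `timestamp.nonce.signature` format, the in-memory replay cache and the names `issue_state` and `validate_state` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_AGE_SECONDS = 5 * 60          # the 00:05:00 window from the log message
SECRET = secrets.token_bytes(32)  # assumption: per-deployment signing key
_used_nonces = set()              # assumption: in-memory replay cache


def _sign(payload: str) -> bytes:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_state(now: float) -> str:
    """Build the state sent to the authority; it carries the redirect time."""
    payload = f"{int(now)}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_sign(payload).decode()}"


def validate_state(state: str, now: float) -> str:
    """Return 'ok', 'invalid', 'expired' or 'reused' for a returned state."""
    try:
        issued, nonce, signature = state.split(".")
        issued_at = int(issued)
    except ValueError:
        return "invalid"              # malformed, e.g. a truncated URL
    expected = _sign(f"{issued}.{nonce}")
    if not hmac.compare_digest(signature.encode(), expected):
        return "invalid"              # tampered with or not issued by us
    if now - issued_at > MAX_AGE_SECONDS:
        return "expired"              # sign-in took longer than 5 minutes
    if nonce in _used_nonces:
        return "reused"               # e.g. a bookmarked sign-in URL
    _used_nonces.add(nonce)           # a state is accepted exactly once
    return "ok"


if __name__ == "__main__":
    t0 = 1_000_000.0                  # constructed redirect time
    fresh = issue_state(t0)
    print(validate_state(fresh, t0 + 60))    # completed within the window
    print(validate_state(fresh, t0 + 120))   # same state opened again
    # 6683 s is the gap between 8:14:33 AM and 10:05:56 AM in the log above
    print(validate_state(issue_state(t0), t0 + 6683))
```

Because the state is bound to one redirect, a bookmarked sign-in URL fails either the age check or the reuse check; bookmarking the workspace URL itself gives the user a fresh state on every visit.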