Troubleshooting SSO (OAuth2)

 


Overview

You may receive an error when signing in to the Workspace. There are several possible reasons for this. This article discusses these scenarios and helps you troubleshoot SSO. You can use the Wizard for further troubleshooting and to check your configuration.

The Azure Graph will go offline in June next year. We have moved from the Azure Graph to the Microsoft Graph entirely. In your current SSO app registration, you can change the Azure Graph API permissions to Microsoft Graph (if not already configured). For more information on how to change these permissions manually, click here.

 

OAuth2 error messages

The state received from the authority server is invalid


2020-01-20 11:05:56.430 WARN  [10] w365support uid(null)  NDAW.Html.Front.OAuth2.OAuth2StateService - Given authentication state's issued date `1/20/2020 8:14:33 AM` is older then `00:05:00` from now `1/20/2020 10:05:56 AM`

This can happen when the request state is older than 5 minutes or when the request state is invalid.

  • State is older than 00:05:00 (5 minutes)
  • Requested state is wrong/reused


State is older than 00:05:00 (5 minutes)

If you navigate to the workspace with OAuth2 configured, you are redirected to the Authority (Azure AD or, if it is a federated domain, ADFS). The OAuth2 protocol requires a request state from the application (Workspace 365). In this case, the request state is the exact time of the redirect to the Authority. If you are redirected and do not complete the sign-in process within 5 minutes, the request state is older than 00:05:00 (5 minutes).

This happens occasionally when the workspace is set as the start page and the user does not sign in within this time frame.


Requested state is wrong/reused

If you navigate to your workspace URL, e.g. https://stable.workspace365.me/w365support, you are redirected to the sign-in page of your Authority, in this case the SSO application created in Azure AD.


Occasionally, users bookmark this page. The URL of this page (listed below) includes the request state. Every time they open the bookmark, they are told that the request state is invalid.

https://login.microsoftonline.com/w365support.onmicrosoft.com/oauth2/authorize?client_id=7c9fb7fe-5642-4809-be5d-9ad7d0a8934a&resource=7c9fb7fe-5642-4809-be5d-9ad7d0a8934a&response_type=code&redirect_uri=https%3a%2f%2fstable.workspace365.me%2fw365support%2fOAuth2%2fHandleAuthorityResponse&state=I2O-crv_rjp_GVVBWiliW4DWPsjDggCNtexUkp-6jTQ5W9ymMGg4BZVlJtjvJfZfshSPSn0A_MWgZ8B8Tegp0u7iktx3mq2Fl5rF-ZttASM4kMrx4nA2VJwWqBgQKeuuQ0-O-n6C58L3yYtX8AfiQfbzibhKmVcgCMdedEgfkyB1uGC4Lg3t8T3S4brGRwZMWo2HZhzixGgUr7bZT3tE_0vOpml7vrcmhYAs_lfR6wyHagFudi6UEOCMgoPb8XVpJYlIYfdocRqana7y5RcWiklhlKSABRqpwsRfsBQpluk1

Solution

  1. If you are using Windows 10 with an Azure AD joined device, you can benefit from the full Single Sign-On experience by using Edge as your browser or by installing the Windows 10 Accounts extension in Chrome.
  2. Click 'Retry'. 
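
The two rejection causes described above (a state older than 5 minutes, and a wrong or reused state), as an added Python example that is not Workspace 365's own code. It assumes a state built from the issue time plus a one-time nonce and protected with an HMAC; the key, the in-memory store and the function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

STATE_TTL = 300  # seconds: the 00:05:00 limit shown in the log line above
KEY = secrets.token_bytes(32)  # assumption: server-side signing key
_pending = set()  # assumption: in-memory store of issued, unredeemed nonces

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def issue_state(now: float) -> str:
    """Build the state sent to the authority together with the redirect."""
    nonce = secrets.token_urlsafe(16)
    _pending.add(nonce)
    body = _b64(json.dumps({"iat": now, "nonce": nonce}).encode())
    return f"{body}.{_sign(body)}"

def check_state(state: str, now: float) -> str:
    """Classify a returned state as 'ok', 'invalid', 'expired' or 'reused'."""
    try:
        body, tag = state.split(".")
        if not hmac.compare_digest(tag, _sign(body)):
            return "invalid"  # tampered with, or not issued by this server
        padded = body + "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        iat, nonce = claims["iat"], claims["nonce"]
    except (ValueError, KeyError, TypeError):
        return "invalid"
    if now - iat > STATE_TTL:
        _pending.discard(nonce)
        return "expired"  # sign-in not completed within 5 minutes
    if nonce not in _pending:
        return "reused"  # e.g. a bookmarked sign-in URL opened again
    _pending.remove(nonce)  # single use: redeem the nonce
    return "ok"

if __name__ == "__main__":
    t0 = 1_579_508_073.0  # constructed issue time
    state = issue_state(t0)
    print(check_state(state, t0 + 60))    # first return within the window
    print(check_state(state, t0 + 120))   # same state presented again
    print(check_state(state, t0 + 6683))  # long after the window has closed
```

A bookmarked authority URL always carries the state that was issued when the bookmark was made, so it fails the reuse check first and the age check once 5 minutes have passed.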


Troubleshooting Wizard