Error: "Your organization could not sign you in to this service" trying to login to Office 365 with a non provisioned user

  • 7012557
  • 06-Jun-2013
  • 06-Jun-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 SAML2 Identity Server
Office 365 SaaS application in SAML2 trust relationship with NAM
Users manually created in Office 365 following documentation at https://www.netiq.com/documentation/netiqaccessmanager32/resources/office365.pdf

Situation

Access Manager Identity (IDP) server set up in a trust relationship with the Office 365 SAML 2 Service Provider (SP). Users were manually created both in the user store and in the Office 365 SaaS environment (using PowerShell), and these users can successfully single sign-on to the Office 365 environment after logging into the NAM IDP server.

If a user who has not been provisioned in Office 365 tries to access the Office 365 environment, the user is correctly denied by Office 365 with the following error message:

"Your organization could not sign you in to this service.
There may be a system error. Please contact administrator at your organization if this problem persists.
Sign in with a different ID"

If the user then tries to log in with a different username at this stage, that login never succeeds: Office 365 keeps returning the above message.

Resolution

Clear the cookies in the browser, or log out of the IDP server manually (via the /nidp/app/logout URL), before clicking the "Sign in with a different ID" link in Office 365.

Cause

Since the browser still holds a valid cookie for the IDP session, the IDP does not prompt for credentials again; it redirects back to Office 365 with an assertion for the same (unprovisioned) user, so every attempt ends with the same result. Ideally, there should be a way to invalidate the IDP session cookies when Office 365 redirects to sign in with a different ID, and a defect has been opened to handle that scenario.
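The following is an added toy model of the behaviour described above; it is not NetIQ or Microsoft code. It keeps an IdP session store keyed by cookie, reuses the session for any SP-initiated request that carries a valid cookie, and only prompts for credentials when no session exists (or after the logout endpoint has been called). The user names, the provisioned-user set and the function names are constructed for the example. It also models the standard SAML 2.0 `ForceAuthn` flag on the AuthnRequest, which is the protocol-level way for an SP to demand a fresh login; whether either side honoured it in the versions this article covers is not something the article states.

```python
# Added example (not NetIQ or Microsoft code): a toy model of IdP session
# reuse across "Sign in with a different ID". All names are constructed.
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed tenant: only alice has been provisioned in Office 365.
PROVISIONED_IN_O365 = {"alice@example.com"}

O365_ERROR = "Your organization could not sign you in to this service"


class IdP:
    """Minimal identity provider: session cookie -> authenticated user."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        """Interactive login: create a new IdP session and return its cookie."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = username
        return sid

    def handle_authn_request(
        self,
        cookie: Optional[str],
        prompt_login: Callable[[], str],
        force_authn: bool = False,
    ) -> Tuple[str, str]:
        """SP-initiated SSO. With a valid session cookie (and no ForceAuthn)
        the IdP reuses the session and asserts the same subject again without
        prompting, which is the behaviour the article describes."""
        if cookie in self.sessions and not force_authn:
            return cookie, self.sessions[cookie]
        # No usable session: prompt the user and create a fresh one.
        username = prompt_login()
        sid = self.login(username)
        return sid, username

    def logout(self, cookie: Optional[str]) -> None:
        """Equivalent of visiting /nidp/app/logout: invalidate the session."""
        self.sessions.pop(cookie, None)


def o365_login(subject: str) -> str:
    """Office 365 side: accept only subjects provisioned in the tenant."""
    if subject in PROVISIONED_IN_O365:
        return "signed in as " + subject
    return O365_ERROR


def attempt(idp: IdP, cookie: Optional[str], prompt_login: Callable[[], str],
            force_authn: bool = False) -> Tuple[str, str, str]:
    """One browser round trip: SP AuthnRequest -> IdP -> assertion -> SP."""
    cookie, subject = idp.handle_authn_request(cookie, prompt_login, force_authn)
    return cookie, subject, o365_login(subject)


def scenario_without_logout() -> Tuple[str, str]:
    """Unprovisioned bob fails, then clicks 'Sign in with a different ID'
    intending to log in as alice. The IdP never asks: the browser still holds
    bob's cookie, so the same assertion is replayed."""
    idp = IdP()
    cookie, _, result = attempt(idp, None, lambda: "bob@example.com")
    assert result == O365_ERROR
    _, subject, result = attempt(idp, cookie, lambda: "alice@example.com")
    return subject, result


def scenario_with_logout() -> Tuple[str, str]:
    """Same sequence, but the user hits the IdP logout URL first. The stale
    cookie is still sent by the browser, yet the server-side session is gone,
    so the IdP prompts again. Clearing browser cookies (cookie=None) has the
    same effect."""
    idp = IdP()
    cookie, _, result = attempt(idp, None, lambda: "bob@example.com")
    assert result == O365_ERROR
    idp.logout(cookie)  # /nidp/app/logout
    _, subject, result = attempt(idp, cookie, lambda: "alice@example.com")
    return subject, result


def scenario_with_force_authn() -> Tuple[str, str]:
    """Standard SAML 2.0 alternative: the SP sets ForceAuthn="true" on the
    AuthnRequest, so the IdP must re-authenticate even with a live session."""
    idp = IdP()
    cookie, _, result = attempt(idp, None, lambda: "bob@example.com")
    assert result == O365_ERROR
    _, subject, result = attempt(idp, cookie, lambda: "alice@example.com",
                                 force_authn=True)
    return subject, result


if __name__ == "__main__":
    print("no logout   :", scenario_without_logout())
    print("with logout :", scenario_with_logout())
    print("ForceAuthn  :", scenario_with_force_authn())
```

The first scenario reproduces the loop from the Situation section; the second is the workaround from the Resolution section, and it works even though the browser still sends the old cookie, because the session has been invalidated on the IdP. The third shows what an SP-side fix would look like at the protocol level.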