000037406 - RSA SecurID Access O365 WS-Fed Authentication Fails Intermittently

Document created by RSA Customer Support Employee on Apr 26, 2019

Article Content

Article Number: 000037406
Applies To: RSA Product Set: SecurID Access
RSA Product/Service: Cloud Authentication Service
Issue: When a user signs in to Office 365 through RSA SecurID Access (WS-Federation), the sign-in intermittently fails with the following error:

Sorry but we're having trouble signing you in.

AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.

Cause: When multiple Identity Routers (IDRs) are configured behind a load balancer, an IDR's own internal traffic addressed to the load balancer hostname is sent to the load balancer, which can forward it to a different IDR. That second IDR does not hold the session created by the first IDR, so session persistence is lost for that request and the WS-Federation flow fails. Whether a given sign-in fails depends on which IDR the load balancer chooses, which is why the failure is intermittent.
Workaround: On each IDR, create a static DNS entry that maps the load balancer hostname to that IDR's own proxy interface IP address, so that internal traffic addressed to the load balancer hostname stays on the IDR that originated it:
  1. In the Cloud Administration Console go to Platform > Identity Routers.
  2. For each IDR:
    1. Click Edit and go to the Settings tab.
    2. Create a static DNS entry specifying the IDR's proxy interface IP address and the load balancer's DNS hostname. Refer to Step 13 of Add an Identity Router Using the Cloud Administration Console.
  3. Publish the changes.
Notes: The load balancer DNS hostname used in the static DNS entry must match the hostname defined in Platform > Clusters > Edit > Load Balancer DNS Name.
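The following is an added illustration of the failure mode and of why the per-IDR static DNS entry fixes it; it is a constructed model, not RSA code, and does not reproduce the real IDR or WS-Federation implementation. The hostname idr.example.com, the 10.0.0.x and 192.0.2.x addresses, and the load balancer's backend-selection rule (a toy source-address affinity: last octet modulo the number of IDRs) are all assumptions made for the example. Each sign-in lands on one IDR through the load balancer; that IDR then makes an internal request to the load balancer hostname from its own proxy address. With cluster DNS only, that request can be forwarded to a different IDR that has no session for the user; with a static DNS entry on every IDR, it always resolves back to the originating IDR.

```python
"""Toy model of several Identity Routers (IDRs) behind one load balancer.

Constructed example for illustration only, not RSA code.  Hostnames,
addresses and the load balancer's selection rule are assumptions.
"""

from dataclasses import dataclass, field

LB_HOSTNAME = "idr.example.com"  # assumed Load Balancer DNS Name
LB_VIP = "10.0.0.10"             # assumed load balancer virtual IP


@dataclass
class IdentityRouter:
    name: str
    proxy_ip: str
    sessions: set = field(default_factory=set)
    # Static DNS entries configured on this IDR take precedence over cluster DNS.
    static_dns: dict = field(default_factory=dict)

    def resolve(self, hostname: str, cluster_dns: dict) -> str:
        return self.static_dns.get(hostname, cluster_dns[hostname])


class LoadBalancer:
    """Picks a backend from the connection's source address (toy affinity:
    last octet modulo backend count) and shares no session state."""

    def __init__(self, vip: str, backends: list):
        self.vip = vip
        self.backends = backends

    def forward(self, src_ip: str) -> IdentityRouter:
        last_octet = int(src_ip.rsplit(".", 1)[1])
        return self.backends[last_octet % len(self.backends)]


class Cluster:
    def __init__(self, idrs: list, lb: LoadBalancer):
        self.idrs, self.lb = idrs, lb
        self.cluster_dns = {LB_HOSTNAME: lb.vip}   # what cluster DNS returns
        self.by_ip = {idr.proxy_ip: idr for idr in idrs}

    def connect(self, src_ip: str, dst_ip: str) -> IdentityRouter:
        if dst_ip == self.lb.vip:
            return self.lb.forward(src_ip)
        return self.by_ip[dst_ip]

    def wsfed_signin(self, client_ip: str) -> str:
        # 1. The browser reaches the cluster via the load balancer; the IDR it
        #    lands on creates the sign-in session.
        first = self.connect(client_ip, self.lb.vip)
        first.sessions.add(client_ip)
        # 2. That IDR makes an internal request to the load balancer hostname,
        #    from its own proxy address, during the WS-Fed flow.
        dst = first.resolve(LB_HOSTNAME, self.cluster_dns)
        second = self.connect(first.proxy_ip, dst)
        # 3. Only the IDR that holds the session can complete the flow.
        return "OK" if client_ip in second.sessions else "AADSTS20012"


def build_cluster(static_dns: bool) -> Cluster:
    idrs = [IdentityRouter("idr-a", "10.0.0.20"),
            IdentityRouter("idr-b", "10.0.0.22"),
            IdentityRouter("idr-c", "10.0.0.23")]
    if static_dns:
        # The workaround: each IDR maps the LB hostname to its own proxy IP.
        for idr in idrs:
            idr.static_dns[LB_HOSTNAME] = idr.proxy_ip
    return Cluster(idrs, LoadBalancer(LB_VIP, idrs))


def simulate(static_dns: bool, clients: list = None) -> dict:
    """Run a sign-in per client and count outcomes (constructed client IPs)."""
    clients = clients or [f"192.0.2.{n}" for n in range(100, 110)]
    cluster = build_cluster(static_dns)
    results = [cluster.wsfed_signin(ip) for ip in clients]
    return {"ok": results.count("OK"), "failed": results.count("AADSTS20012")}


if __name__ == "__main__":
    print("cluster DNS only  :", simulate(static_dns=False))
    print("static DNS entries:", simulate(static_dns=True))
```

With this model, cluster DNS alone yields failures only for sign-ins that happen to land on an IDR whose internal request is forwarded elsewhere (idr-a here), which is the intermittent pattern the article describes; with the static entries every internal request returns to the originating IDR and all sign-ins succeed.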