Users are not redirected back to SAML application after authenticating to the RSA SecurID Access Application Portal during SP-initiated SAML workflow.
Originally Published: 2021-09-15
Article Number
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Cloud Authentication Service
Issue
The following message is displayed to the end user in the Application Portal:
Application appears to be improperly configured. Contact your Administrator for assistance.
The URL displayed in the end user's browser looks like:
https://portal.sso.example.com/WebPortal/error.html?singlepoint-auth-error=DENY&singlepoint-portal-event=auth-failed&singlepoint-error-message=You+are+not+authorized+to+use+this+IdP+connection.+If+you+think+this+is+in+error%2C+please+see+your+SinglePoint+administrator."
The identity router's symplified.log shows the following message for the user's attempt:
INFO com.symplified.service.appliance.idp.IdPServlet[91] - Authorization denied by IdP service:
com.symplified.service.appliance.idp.AssertionCreationException: DENY
at com.symplified.service.appliance.idp.IdPService.createAssertion(IdPService.java:402)
at com.symplified.service.appliance.idp.IdPServlet.doPost(IdPServlet.java:78)
at com.symplified.service.appliance.idp.IdPServlet.doGet(IdPServlet.java:59)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
Cause
The following are examples of Request URLs that include the idp_id=<Issuer Entity ID> value.
https://portal.sso.example.com/IdPServlet?idp_id=<Issuer Entity ID>and
https://portal.sso.example.com/IdPServlet?idp_id=<Issuer Entity ID>&SAMLRequest=<encoded AuthnRequest>
To check whether or not the idp_id=<Issuer Entity ID> value is being included in the Request URL, a capture of the browser traffic can be done while recreating the issue. Once the browser traffic has been captured, look for the Request URL that the user is redirected with from the SAML app to the Application Portal to see if the idp_id=<Issuer Entity ID> is included in it.
Resolution
Workaround
Notes
- View the Identity Router System Log from the Cloud Administration Console
- Generate and Download the Identity Router Log Bundle
- View the /var/log/symplified/symplified.log file within the log bundle.
Related Articles
The RSA SecurID Access Cloud Authentication Service rejects signed SP-initiated SAML requests with an HTTP Redirect binding Number of Views Users cannot authenticiate to the RSA SecurID Access Portal or protected applications using Microsoft Integrated Windows A… Number of Views Error: Principal does not possess one or more authenticators when using RSA SecurID Access Authenticate app tokencode with… Number of Views Access policy is not enforced for some users in RSA Cloud Authentication Service Number of Views New PIN cancelled for user and request originated from agent messages when authenticating with RSA Authentication Manager Number of Views
Trending Articles
Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide How to Download OTP Token Seed Files from myRSA RSA Authentication Manager 8.9 Release Notes (January 2026)
Don't see what you're looking for?
