Summary: SSO providers often have specific characteristics that could lead to errors during login or initial setup. This is an example of a misconfiguration encountered when using Azure Active Directory (AAD).
Problem/Symptoms: After the initial setup (setting up the parameter in AAD and transferring the XML to Aqua Support), the user encountered this error:
AADSTS50105: Your administrator has configured the application <Aqua Application> to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'email@example.com' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.
Solution: This issue could have been caused by the "Assignment required" parameter in AAD Aqua App settings:
If this option is selected, the user should manually add a group in the enterprise application in the AAD "Users and groups" section, even if JIT is enabled.
Related Information: https://support.aquasec.com/a/tickets/20819
Did you find it helpful?Send feedback