This topic tells you how to resolve common errors that arise when configuring a single sign-on partnership between Microsoft Entra ID, OpenID Connect (OIDC), and Single Sign‑On for VMware Tanzu Application Service.

Bad Request

Symptom

You see an error similar to the following screenshot:

The error message page reads, There was an error when authenticating against the external identity provider: 400 Bad request.

Explanations

Possible explanations are as follows:

  • This is a generic error. Review UAA logs for detailed information.
  • This error can occur when the app type is created as Native. Ensure you created your client in Microsoft Entra ID as Web App/API.
  • This error can occur when a response type other than code is used. Ensure you configure the response type to use code.

Cannot determine username from credentials supplied

Symptom

You see an error similar to the following screenshot:

The error message page reads, There was an error when authenticating against the external identity provider: Cannot determine username from credentials supplied.

Explanation

No value is mapped to the username used by Tanzu Operations Manager. Under the identity provider attributes, map the unique_name attribute to username

Azure Error for Reply Address

Symptom

You see an error similar to the following screenshot:

The error message on the sign in page reads: Sorry, but we're having trouble signing you in. We received a bad request.

Explanation

The reply URL is misconfigured. Ensure you entered your callback URL correctly as a reply URL in Microsoft Entra ID.

Login Page Cannot Be Found (404 Error)

Symptom

You see an error similar to the following screenshot:

The error message page reads: This login.windows.net page can't be found.

Explanation

The Authorization Endpoint URL might be incorrectly entered or not available. Ensure you correctly entered the authorization endpoint, and that the authorization endpoint is available to the end user.

Error authenticating against external identity provider: 404 Not Found

Symptom

You see an error similar to the following screenshot:

The error message page reads, There was an error when authenticating against the external identity provider: 404 Not Found.

Explanation

The Token Key URL might be incorrectly entered or not available. Ensure that you entered the token key setting correctly, and that the Token Key URL is available.

Error authenticating against external identity provider: Invalid issuer for token did not match expected

Symptom

You see an error similar to the following screenshot:

The partially redacted error message page reads, There was an error when authenticating against the external identity provider: Invalid issuer (redacted) for token did not match expected (redacted).

Explanation

The Token Key URL might be incorrectly entered. Ensure that you entered the issuer setting correctly.

Request Method ‘POST’ not supported (405 Error)

Symptom

You see an error similar to the following screenshot:

The error message page reads, HTTP Status 405 - Request method 'POST' not supported. Type: status report. Message: Request method 'POST' not supported. Description: The specified HTTP method is not allowed for the requested resource.

Explanation

This error can occur if you configure a response type that Microsoft Entra ID does not support, or is not enabled for the application, such as token or code id_token token. Ensure that you configure the response type to code.

Error authenticating against external identity provider: Some parties were not in the token audience

Symptom

You see an error similar to the following screenshot:

The partially redacted error message page reads, There was an error when authenticating against the external identity provider: Some parties were not in the token audience (redacted).

Explanation

The Relying Party Client ID might be incorrectly entered. Ensure you have correctly entered the relying party client ID setting.

check-circle-line exclamation-circle-line close-line
Scroll to top icon