asked on January 30

I'm trying to configure SSO via Entra for an additional group of users authenticating from their own tenant. Cross-tenant collaboration is working and I have other Entra apps/registrations that are allowing me to grant SSO for those users from the other tenant into our applications.

I need to do the same for Laserfiche. The issue I'm having is that our primary domain and tenant are set up in LFDS (on-prem) and have been working with SSO for some time now. That Identity provider is linked to AD (which was used prior to SSO); domain SIDs are the unique identifier, I believe, to keep everyone's history the same. For the group from the other tenant, we don't have domain accounts or SIDs. User/group assignment in Entra works and authentication is granted via Entra, but LFDS responds with a single message on a black screen:

{"ErrorCode":null,"ShowReturnLink":true,"Error":true,"Message":"The identity provider may not be configured correctly.  Contact your administrator: Value was invalid.\r\nParameter name: sddlForm"}

I've been working on this trying to use the same Identity provider for Entra, and also trying a different Identity Provider enabled with SCIM for provisioning to LFDS. The provisioning even works, but something isn't matching up to deliver an authenticated session via Entra back into any of the Laserfiche apps that are requesting it. I can provide other details as needed.

While I have 2 Identity providers set up and there are no cross entries for users/groups on the associated Entra applications, both buttons let my domain account on, but neither lets my test from the other tenant on (error above). I would think this would have to do with the fact that both applications are coming from the same LFDS server FQDN. I'm wondering if, when the Entra apps return authorized, LFDS has no way to distinguish which application they're coming from and puts both to the first application, which is the original for our domain and tenant only linked with AD. I believe the error posted has to do with linking an Entra Identity Provider to an AD provider.
