Troubleshooting Azure SAML authentication failure
This article describes how to fix Azure SAML authentication failures for a single user by changing group claim settings when the user is a member of many Azure AD groups.
LAST TESTED ON CHECKMK 2.4.0P1
Overview
When using Azure SAML authentication with Checkmk, a single user may fail to authenticate while others can log in normally. This is usually caused by group claim configuration in Azure Active Directory, particularly when the user belongs to a large number of groups.
Problem
A single user consistently receives the error message "Authentication failed" during login, while other users authenticate without issues. The affected user is typically a member of a very large number of Azure AD groups, often more than 100. When the group claim is set to All groups, every group membership is written into the SAML assertion, so the assertion may become too large and cause authentication to fail.
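Before changing the claim configuration, it is useful to confirm that the failing user's assertion really is the oversized one. The following Python script is an added example and not part of this article or of Checkmk: it decodes a SAMLResponse (the base64 value the browser posts to Checkmk) and reports its decoded size and the number of values in the group claim. The claim name is the one Azure AD emits by default for groups; the 100-group threshold is the rule of thumb from the paragraph above, and the sample response is constructed inline so the script runs offline.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 response / assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute name Azure AD uses by default for the group claim.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Rule of thumb from the article: users with more than ~100 groups are the
# ones that fail when the claim is set to "All groups".
MANY_GROUPS_THRESHOLD = 100


def build_sample_response(n_groups: int) -> str:
    """Construct a minimal base64-encoded SAML response with n_groups group values.

    This is constructed test data, not a captured assertion: real responses are
    signed and carry many more elements, but the group attribute looks the same.
    """
    values = "".join(
        f"<saml:AttributeValue>{i:08x}-0000-4000-8000-000000000000</saml:AttributeValue>"
        for i in range(n_groups)
    )
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion>"
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def inspect_saml_response(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse and summarise how large its group claim is.

    Returns the decoded size in bytes, the number of group values found and a
    flag telling whether the count exceeds the threshold. When inspecting a
    response captured from an untrusted party, parse it with defusedxml rather
    than the stdlib parser used here for the constructed sample.
    """
    raw = base64.b64decode(saml_response_b64)
    root = ET.fromstring(raw)

    groups = []
    # Walk every Attribute in the assertion and collect the group claim values.
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend(v.text or "" for v in attr.findall("saml:AttributeValue", NS))

    return {
        "bytes": len(raw),
        "group_count": len(groups),
        "many_groups": len(groups) > MANY_GROUPS_THRESHOLD,
    }


if __name__ == "__main__":
    # Compare a typical user against one who is a member of 120 groups.
    for n in (3, 120):
        print(n, inspect_saml_response(build_sample_response(n)))
```

To use it on a real login, copy the SAMLResponse form field from the browser's developer tools (URL-decode it first if it was captured from the raw POST body) and pass it to inspect_saml_response; a high group_count on the failing user and a low one on a working user points at the group claim rather than at the Checkmk configuration.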
Solution
Open your Azure Active Directory.
Search for Enterprise applications in the top search bar.
Select the application used for Checkmk SAML authentication from the list. In this example, the application is named checkmk-app1.
Click Single sign-on in the left-hand menu, then select Edit for Attributes & Claims.
On the Attributes & Claims page, click Add a group claim.
Change the group claim setting from All groups to Groups assigned to the application.
Save the configuration and ensure the required groups are assigned to the application.
After this change, the affected user should be able to authenticate successfully.