Description: When connecting to Access Server via SAML authentication, you may encounter the following error:
Mismatch between provided username 'UserA' and username provided by SAML Identity provider 'UserB'
This means the username sent by the OpenVPN client doesn't exactly match the username received from the Identity Provider (IdP). Below are common scenarios that cause this error and how to resolve them.
Capitalization mismatch with SAML and Entra ID (formerly Azure)
You’re using Entra ID as your SAML IdP and attempting to sign in with a username that differs in capitalization from what’s configured in the IdP.
Example:
- Connection profile username: BRANDON@openvpn.onmicrosoft.com
- Entra ID username: brandon@openvpn.onmicrosoft.com
This causes a mismatch even though the usernames are otherwise identical.
How to fix it
Check your Entra ID configuration and set the "Claim Transformations" parameter to ToLowercase or ToUppercase, whichever matches the capitalization used in the connection profile.
- Claim Transformations: ToLowercase or ToUppercase
This ensures consistent username formatting during the SAML login process.
Using a connection profile for a non-SAML user
You've set SAML as the default authentication system (under Authentication > Settings) but are using a connection profile for a PAM, LOCAL, RADIUS, or LDAP User.
Example:
- Connection profile username: test (a LOCAL user)
- SAML IdP user: brandon.jimenez@openvpn.net
How to fix it
Use a connection profile that belongs to a valid SAML user allocated on your SAML IdP side and associated with your SAML application.
Using a connection profile from the wrong IdP
You're using SAML as the default authentication system (under Authentication > Settings) and using a SAML connection profile for a user from IdP1 (e.g., Google Workspace), but Access Server is configured for IdP2 (e.g., Okta):
Example:
- Connection profile: brandon-saml@openvpngsuite.dev (from Google Workspace)
- Configured IdP on Access Server: Okta
- IdP user: brandon.jimenez@openvpn.net
How to fix it
Ensure the following for your configuration:
- The user exists in the SAML IdP currently configured on Access Server.
- The connection profile is associated with the correct SAML application.
Using a server-locked profile with a non-existent SAML user
SAML is the default authentication system (under Authentication > Settings), you're using a server-locked profile, and you type a username that doesn't exist in your configured SAML IdP.
Example:
- Server-locked profile: login attempt with brandon-saml@openvpngsuite.dev
- Configured IdP: Okta (no such user exists)
How to fix it
When using a server-locked profile:
- Enter a valid SAML username from your configured IdP.
- Double-check that the user is associated with the correct SAML application.
If you have additional questions, please submit a ticket.