Description
When using Entra ID (formerly Azure AD) as the SAML identity provider (IdP), or when using SAML with Shibboleth backed by Azure AD, you might see random-looking characters or an unexpected string as the SAML username after authenticating with Access Server, as seen in this screenshot:
This happens when the NameID Format isn't configured on the Azure IdP side. Without this setting, the IdP falls back to its default and sends an opaque identifier in the NameID element of the SAML assertion response instead of a readable username. Access Server takes the NameID value as the SAML username, so that opaque identifier is what shows up.
How to verify
You can confirm this by turning on SAML debug mode on Access Server and checking the SAML assertion response:
- Connect to the console and get root privileges.
- Open the Access Server configuration file for editing:
nano /usr/local/openvpn_as/etc/as.conf
- At the bottom, add this line:
DEBUG_SAML=1
- Save and exit by pressing Ctrl+x, then y.
- Restart the Access Server service:
service openvpnas restart
- Attempt SAML authentication again.
- The Access Server log (/var/log/openvpnas.log by default) will then contain the full SAML assertion response, including the NameID element and the Format the IdP used.
- When you are done, remove the DEBUG_SAML=1 line from as.conf and restart the service again: debug mode writes complete assertions, including user identifiers and attributes, into the log.
Example SAML assertion responses
- NameID from an IdP with no value configured in "NameID Format": the format is unspecified and the value is an opaque identifier (Wn3CowFFKdgsMDN0wooJtJRBrnWMT8POicrnB8iUSCk), which Access Server then uses as the SAML username:
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Wn3CowFFKdgsMDN0wooJtJRBrnWMT8POicrnB8iUSCk</NameID>
- NameID from an IdP with "NameID Format" set to emailAddress: the value is the user's address (brandon@openvpn.com), which is the correct SAML username:
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">brandon@openvpn.com</NameID>
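The check described above can be automated against the assertion captured in the log (or against the base64 SAMLResponse a browser POSTs to Access Server). The script below is an added example written for this article, not code from OpenVPN or from Access Server itself. The two sample responses are constructed, minimal and unsigned, built around the NameID values shown above; the issuer URL uses a TENANT-ID placeholder. It uses the standard library xml.etree parser, which is adequate for inspecting your own logs; anything that parses attacker-supplied SAML should use a hardened parser such as defusedxml.

```python
import base64
import sys
import xml.etree.ElementTree as ET

EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample responses (minimal, unsigned) carrying the two NameIDs from the
# article. A real Entra ID response has many more elements plus an XML signature;
# TENANT-ID is a placeholder, not a real tenant.
RESPONSE_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Assertion ID="_a1" Version="2.0">'
    '<saml:Issuer>https://sts.windows.net/TENANT-ID/</saml:Issuer>'
    '<saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
)
OPAQUE_RESPONSE = RESPONSE_TEMPLATE.format(
    fmt=UNSPEC_FMT, value="Wn3CowFFKdgsMDN0wooJtJRBrnWMT8POicrnB8iUSCk")
EMAIL_RESPONSE = RESPONSE_TEMPLATE.format(fmt=EMAIL_FMT, value="brandon@openvpn.com")


def decode_saml_response(blob: str) -> str:
    """Return XML text from either raw XML (as logged with DEBUG_SAML=1) or the
    base64-encoded SAMLResponse form field a browser POSTs to the ACS endpoint."""
    s = blob.strip()
    if s.startswith("<"):
        return s
    return base64.b64decode(s).decode("utf-8")


def encode_saml_response(xml_text: str) -> str:
    """Base64-encode XML the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _local(tag: str) -> str:
    """Strip an XML namespace from an element tag: '{ns}NameID' -> 'NameID'."""
    return tag.rsplit("}", 1)[-1]


def inspect_nameid(blob: str) -> dict:
    """Locate the Subject NameID and classify its Format.

    Matches on local element name so it works whether or not the logged snippet
    carries the saml: namespace prefix. ok=True means the IdP sent an email
    address as the NameID, which is what Access Server should use as the username.
    """
    root = ET.fromstring(decode_saml_response(blob))
    nameid = next((el for el in root.iter() if _local(el.tag) == "NameID"), None)
    if nameid is None:
        return {"format": None, "value": None, "ok": False,
                "verdict": "no NameID element found in the assertion"}
    # SAML 2.0: an absent Format attribute is equivalent to unspecified.
    fmt = nameid.get("Format") or UNSPEC_FMT
    value = (nameid.text or "").strip()
    if fmt == EMAIL_FMT and "@" in value:
        ok, verdict = True, "emailAddress NameID; Access Server will use this as the username"
    elif fmt == EMAIL_FMT:
        ok, verdict = False, "emailAddress format declared but the value is not an address"
    elif fmt == UNSPEC_FMT:
        ok, verdict = False, ("NameID Format is unspecified; the IdP sent an opaque "
                              "identifier, set NameID Format to emailAddress on the IdP")
    else:
        ok, verdict = False, f"unexpected NameID Format {fmt}"
    return {"format": fmt, "value": value, "ok": ok, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python check_nameid.py [file-with-assertion-or-base64-SAMLResponse]
    # Without an argument the two constructed samples are inspected.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            blobs = [fh.read()]
    else:
        blobs = [OPAQUE_RESPONSE, EMAIL_RESPONSE]
    for blob in blobs:
        r = inspect_nameid(blob)
        print(f"{'OK ' if r['ok'] else 'BAD'} format={r['format']} "
              f"value={r['value']}: {r['verdict']}")
```

Paste the assertion from the Access Server log into a file and pass its path; a BAD line with the unspecified format confirms the IdP-side misconfiguration before you change anything in Azure.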
Solution
Update your Azure IdP configuration to send the user's email address as the NameID:
- In the Azure portal, open the enterprise application for Access Server and its Single sign-on (SAML) configuration.
- Go to Attributes & Claims.
- Edit the Unique User Identifier (Name ID) claim and set Name identifier format to Email address. Check the source attribute as well (user.userprincipalname by default; use user.mail if that is the address you want as the username).
- Save your changes and test authentication again. The NameID in the assertion should now carry the emailAddress format and the user's address as its value.
Because Access Server uses the NameID as the username, any per-user settings or group assignments created while the opaque identifier was in use are attached to that identifier, not to the email address, so plan the change before rolling it out to existing users.
If you have additional questions, please submit a ticket.