SSO with Entra ID directly is faild.

shishi9999 — Fri, 21 Nov 2025 02:36:11 GMT

Hello,

we are now building a test environment to confirm functions of SSO with Entra ID.

First, On Entra ID, we set redirect uri as "https://alfresco/s/enterprise/admin/admin-systemsummary".
And create a secret.

Next, we set value as shown below

authentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm
identity-service.auth-server-url=https://login.microsoftonline.com/[Tenant ID]/v2.0
identity-service.resource=[Client ID]
identity-service.credentials.secret=[created secret]
identity-service.public-client=false
identity-service.principal-attribute=user.userprincipalname
identity-service.client-id.validation.disabled=false
identity-service.realm=
---

Then, redirection to Entra Log-in page and authentication was succeeded, but decode JWT(JSON Web Token) is failed.

alfresco-1 | at java.base/java.lang.Thread.run(Thread.java:840) [?:?]
alfresco-1 | Caused by: org.springframework.security.oauth2.jwt.BadJwtException: An error occurred while attempting to decode the Jwt: Signed JWT rejected: Invalid signature
alfresco-1 | at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:184) ~[spring-security-oauth2-jose-6.3.9.jar:6.3.9]
alfresco-1 | at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.decode(NimbusJwtDecoder.java:138) ~[spring-security-oauth2-jose-6.3.9.jar:6.3.9]
alfresco-1 | at org.alfresco.repo.security.authentication.identityservice.SpringBasedIdentityServiceFacade.decodeToken(SpringBasedIdentityServiceFacade.java:150) ~[alfresco-repository-25.2.0.64.jar:25.2.0.64]
alfresco-1 | ... 149 more
alfresco-1 | Caused by: com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
alfresco-1 | at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:378) ~[nimbus-jose-jwt-9.37.3.jar:9.37.3]
alfresco-1 | at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:303) ~[nimbus-jose-jwt-9.37.3.jar:9.37.3]
alfresco-1 | at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:158) ~[spring-security-oauth2-jose-6.3.9.jar:6.3.9]
alfresco-1 | at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.decode(NimbusJwtDecoder.java:138) ~[spring-security-oauth2-jose-6.3.9.jar:6.3.9]
alfresco-1 | at org.alfresco.repo.security.authentication.identityservice.SpringBasedIdentityServiceFacade.decodeToken(SpringBasedIdentityServiceFacade.java:150) ~[alfresco-repository-25.2.0.64.jar:25.2.0.64]
alfresco-1 | ... 149 more
---

Are there any possible causes for this issue?
(It has been confirmed that the "Created Secret Value" is explicitly set to the same value on IdP.)

topic SSO with Entra ID directly is faild. in Alfresco Forum

SSO with Entra ID directly is faild.