SSO with Entra ID directly has failed.

shishi9999
Confirmed Champ

Hello,

We are now building a test environment to confirm the functions of SSO with Entra ID.

First, on Entra ID, we set the redirect URI to "https://alfresco/s/enterprise/admin/admin-systemsummary".
And we created a secret.

Next, we set the values as shown below:

authentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm
identity-service.auth-server-url=https://login.microsoftonline.com/[Tenant ID]/v2.0
identity-service.resource=[Client ID]
identity-service.credentials.secret=[created secret]
identity-service.public-client=false
identity-service.principal-attribute=user.userprincipalname
identity-service.client-id.validation.disabled=false
identity-service.realm=
---

Then, redirection to the Entra login page and authentication succeeded, but decoding the JWT (JSON Web Token) failed.

alfresco-1 | at java.base/java.lang.Thread.run(Thread.java:840) [?:?]
alfresco-1 | Caused by: org.springframework.security.oauth2.jwt.BadJwtException: An error occurred while attempting to decode the Jwt: Signed JWT rejected: Invalid signature
alfresco-1 | at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:184) ~[spring-security-oauth2-jose-6.3.9.jar:6.3.9]
alfresco-1 | at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.decode(NimbusJwtDecoder.java:138) ~[spring-security-oauth2-jose-6.3.9.jar:6.3.9]
alfresco-1 | at org.alfresco.repo.security.authentication.identityservice.SpringBasedIdentityServiceFacade.decodeToken(SpringBasedIdentityServiceFacade.java:150) ~[alfresco-repository-25.2.0.64.jar:25.2.0.64]
alfresco-1 | ... 149 more
alfresco-1 | Caused by: com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
alfresco-1 | at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:378) ~[nimbus-jose-jwt-9.37.3.jar:9.37.3]
alfresco-1 | at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:303) ~[nimbus-jose-jwt-9.37.3.jar:9.37.3]
alfresco-1 | at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:158) ~[spring-security-oauth2-jose-6.3.9.jar:6.3.9]
alfresco-1 | at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.decode(NimbusJwtDecoder.java:138) ~[spring-security-oauth2-jose-6.3.9.jar:6.3.9]
alfresco-1 | at org.alfresco.repo.security.authentication.identityservice.SpringBasedIdentityServiceFacade.decodeToken(SpringBasedIdentityServiceFacade.java:150) ~[alfresco-repository-25.2.0.64.jar:25.2.0.64]
alfresco-1 | ... 149 more
 ---

Are there any possible causes for this issue? 
(It has been confirmed that the "Created Secret Value" is explicitly set to the same value on IdP.)
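
A triage sketch for the "Signed JWT rejected: Invalid signature" error above, added here as an example (not part of the original post and not Alfresco's code): it decodes a token's header and claims without verifying anything and reports the fields that decide which key and audience a verifier checks. The helper name `triage`, the JWKS, the client ID and both tokens are constructed placeholders.

```python
import base64
import json

def _enc(obj):
    """Build one unpadded base64url JSON segment (used only for the samples)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _dec(segment):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def triage(token, jwks, client_id):
    """Inspect (not verify) a JWT; return (summary, findings)."""
    parts = token.split(".")
    if len(parts) != 3:
        return {}, ["not a compact JWS: expected 3 dot-separated segments"]
    header, claims = _dec(parts[0]), _dec(parts[1])
    summary = {"alg": header.get("alg"), "kid": header.get("kid"),
               "iss": claims.get("iss"), "aud": claims.get("aud")}
    findings = []
    # The verifier selects its public key by the header's kid.
    if header.get("kid") not in {k.get("kid") for k in jwks.get("keys", [])}:
        findings.append("kid not in supplied JWKS")
    # General Entra ID behaviour, not a diagnosis of the post: tokens issued for
    # Microsoft's own APIs (e.g. Graph) carry a nonce header and are not meant
    # to be signature-validated by other applications.
    if "nonce" in header:
        findings.append("nonce header present")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        findings.append("aud is not the configured client ID")
    return summary, findings

# Constructed sample data: placeholder key ID, tenant and client ID.
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
JWKS = {"keys": [{"kty": "RSA", "kid": "sample-key-1"}]}
ISS = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
ID_TOKEN = ".".join([_enc({"alg": "RS256", "kid": "sample-key-1"}),
                     _enc({"iss": ISS, "aud": CLIENT_ID}), "c2ln"])
API_TOKEN = ".".join([_enc({"alg": "RS256", "kid": "sample-key-1", "nonce": "n"}),
                      _enc({"iss": ISS, "aud": "constructed-other-api"}), "c2ln"])

if __name__ == "__main__":
    for name, tok in (("id_token", ID_TOKEN), ("api_token", API_TOKEN)):
        print(name, *triage(tok, JWKS, CLIENT_ID), sep="\n  ")
```

Run it against the token the repository actually received and the JWKS published by the configured issuer; an empty findings list means the cause lies elsewhere, since the script never checks the signature itself.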
