Unexpected Sign In Behavior When Using a SAML Provider Backed by Active Directory
Users signing in to Directory Server may receive an error from end applications stating that they have no license, or may be sent to the self-registration page, when all of the following conditions are met:
- A SAML identity provider that uses Active Directory as its back-end directory is registered in Directory Server.
- Users are being licensed in Directory Server as SAML users from this SAML identity provider.
- The back-end directory for the SAML identity provider is also directly registered as an identity provider in Directory Server.
- A user signs in directly on the STS page with their Active Directory credentials (Windows authentication) instead of clicking the SAML authentication button.
Cause
In this scenario the user is authenticated by the directly registered Active Directory identity provider and therefore signs in as a Windows user, an identity to which no license has been assigned, rather than as the licensed SAML user. The end application then reports that the user has no license, or, if self-registration is turned on, redirects the user to the self-registration page.
Resolution
To prevent this, administrators can use the STS configuration page to hide Laserfiche and Windows authentication when SAML authentication is the only option users should use, so that the sign-in page offers only the SAML authentication button.