Nexeed Learning Portal: Multitenant Access Control, Troubleshooting (documentation versions 1.37.1, 1.37.0)

Identity provider integration

502 Bad Gateway on SSO

Symptom: Single sign-on via an OpenID Connect identity provider ends with an HTTP 502 Bad Gateway page instead of the application.
Diagnosis: After the token exchange the broker calls the identity provider's userinfo endpoint; when that request fails (for example because the endpoint is not reachable from the cluster or rejects the access token), the failed upstream call is reported as 502.
Treatment: In the Multitenant Access Control UI select the particular identity provider, open it for editing and toggle 'Disable User Info'. User data is then taken from the ID token only, so verify afterwards that every claim referenced by the identity provider's mappers is actually contained in the ID token.

Login with an identity provider using ClaimToGroup mappers fails after a group was renamed, moved or deleted

Symptom: Unexpected login failure after successful login at the identity provider.
Diagnosis: ClaimToGroup mappers reference Multitenant Access Control groups by their path. If a group has recently been renamed, moved or deleted, the mapper configuration still points to the old path, and mapping the user's information from the identity provider fails for every user the mapper applies to.
Treatment: In the Multitenant Access Control UI open the identity provider's mappers and check that every referenced group still exists under exactly that path; update the reference to the new path, or remove the mapper if the group was deleted on purpose.
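The check described above can be scripted against an export of the identity provider's mappers and the tenant's group tree. The following helper is an added example and not part of Multitenant Access Control or Keycloak; it assumes Keycloak-style representations (groups with a full "path" and nested "subGroups", claim-to-group mappers carrying the target path in config["group"]) and uses constructed sample data. Adapt the key names if your export differs.

```python
"""Audit claim-to-group mappers of an identity provider for group references
that no longer resolve (group renamed, moved or deleted).

Added troubleshooting helper; it is not part of Multitenant Access Control or
Keycloak. Assumed input shapes (Keycloak-style representations): every group
carries a full "path" and nested "subGroups"; every claim-to-group mapper
carries the target group path in config["group"]. Sample data is constructed.
"""


def flatten_group_paths(groups):
    """Collect the full path of every group in a nested group tree."""
    paths = set()
    stack = list(groups)
    while stack:
        group = stack.pop()
        paths.add(group["path"])
        stack.extend(group.get("subGroups", []))
    return paths


def find_dangling_group_mappers(mappers, groups):
    """Return one finding per mapper whose target group path does not exist.

    Each finding lists groups elsewhere in the tree with the same leaf name,
    the usual sign that the group was moved or recreated rather than deleted.
    """
    known = flatten_group_paths(groups)
    by_leaf = {}
    for path in known:
        by_leaf.setdefault(path.rsplit("/", 1)[-1], []).append(path)

    findings = []
    for mapper in mappers:
        target = mapper.get("config", {}).get("group")
        if not target:
            continue  # attribute/username mappers carry no group; skip them
        if target in known:
            continue
        leaf = target.rsplit("/", 1)[-1]
        findings.append({
            "mapper": mapper["name"],
            "missing_group": target,
            "candidates": sorted(by_leaf.get(leaf, [])),
        })
    return findings


# Constructed sample: a tenant whose "maintenance" group was moved under
# "plant-01" and whose "admins" group was deleted after the mappers were set up.
SAMPLE_GROUPS = [
    {"name": "plant-01", "path": "/plant-01", "subGroups": [
        {"name": "operators", "path": "/plant-01/operators", "subGroups": []},
        {"name": "maintenance", "path": "/plant-01/maintenance", "subGroups": []},
    ]},
]

SAMPLE_MAPPERS = [
    {"name": "ad-operators",
     "config": {"claims": '[{"key":"groups","value":"sg-operators"}]', "group": "/plant-01/operators"}},
    {"name": "ad-admins",
     "config": {"claims": '[{"key":"groups","value":"sg-admins"}]', "group": "/plant-01/admins"}},
    {"name": "ad-maintainers",
     "config": {"claims": '[{"key":"groups","value":"sg-maint"}]', "group": "/maintenance"}},
    {"name": "upn-to-username",
     "config": {"claim": "upn", "user.attribute": "username"}},
]


if __name__ == "__main__":
    for finding in find_dangling_group_mappers(SAMPLE_MAPPERS, SAMPLE_GROUPS):
        hint = ", ".join(finding["candidates"]) or "no group with that name; recreate it or remove the mapper"
        print(f"{finding['mapper']}: {finding['missing_group']} -> {hint}")
```

Run it against a real export before and after every group reorganisation; a mapper that lists no candidate points at a deleted group, one with candidates points at a moved group and only needs its path updated.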

Azure Active Directory: Invalid client credentials

Symptom: After login at the identity provider, users are sent back to the login form without any error on screen. Some users might be able to log in while others cannot.
Diagnosis: Azure Active Directory, when connected via OpenID Connect, may redirect to MACMA with error=access_denied and error_description="MSIS9622 Client authentication failed. Please verify the credential provided for client authentication is valid". The error is visible in the Location header of the last response from the identity provider (browser developer tools, network tab) and may also appear in the browser's address bar.

Although the message suggests that the client credentials configured between MACMA and Azure Active Directory are wrong, the actual cause is that the affected user does not have a security group the identity provider requires for this application. This is also why only some users are affected: a wrong client secret would fail for every user.
Treatment: Verify the user's group membership at the identity provider before rotating the client secret.

Screenshot: identity provider redirect showing 'MSIS9622 Client authentication failed. Please verify the credential provided for client authentication is valid'.
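To read the redirect without retyping the URL, the Location header captured in the browser's network tab can be fed to a small parser that separates this misleading case from a real client-credential error. The script below is an added example and not part of Multitenant Access Control; the broker endpoint path and the captured header are constructed.

```python
"""Classify the OAuth 2.0 error carried in the redirect back to MACMA.

Added troubleshooting helper, not part of Multitenant Access Control. It
parses the Location header (or the URL seen in the browser) of the identity
provider's final redirect and separates the misleading MSIS9622 case from a
genuine client-credential problem. The broker endpoint path and the sample
header are constructed.
"""
from urllib.parse import parse_qs, urlsplit


def parse_redirect_params(location):
    """Return the parameters of a redirect URL or of a raw 'Location: ...' header line.

    Error responses may sit in the query string or, for fragment response
    modes, behind '#'; both are read.
    """
    if location.lower().startswith("location:"):
        url = location.split(":", 1)[1].strip()
    else:
        url = location.strip()
    parts = urlsplit(url)
    params = {}
    for component in (parts.query, parts.fragment):
        for key, values in parse_qs(component).items():
            params[key] = values[0]
    return params


def classify_redirect(location):
    """Map the redirect parameters to a diagnosis the operator can act on."""
    params = parse_redirect_params(location)
    error = params.get("error")
    description = params.get("error_description", "")
    if "code" in params and error is None:
        return {"verdict": "ok", "detail": "authorization code present; the failure happens after the callback"}
    if error is None:
        return {"verdict": "unknown", "detail": "neither code nor error in redirect"}
    if error == "access_denied" and "MSIS9622" in description:
        return {
            "verdict": "missing_group_membership",
            "detail": "MSIS9622 is raised for users lacking a required security group; "
                      "check group membership at the identity provider, not the client secret",
        }
    return {"verdict": "idp_error", "detail": f"{error}: {description or '(no description)'}"}


# Constructed sample of the last response header captured in browser developer tools.
SAMPLE_LOCATION = (
    "Location: https://macma.example.com/auth/realms/plant-01/broker/azure-ad/endpoint"
    "?error=access_denied"
    "&error_description=MSIS9622%3A+Client+authentication+failed.+Please+verify+the+credential"
    "+provided+for+client+authentication+is+valid."
    "&state=c2FtcGxlLXN0YXRl"
)

if __name__ == "__main__":
    print(classify_redirect(SAMPLE_LOCATION))
```

Any other error value is reported verbatim so that a genuinely wrong secret (which would affect every user) is not hidden behind the group-membership hint.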

Username is not automatically mapped

Symptom: After login at the identity provider, users are shown a form that asks them to enter a username.
Diagnosis: The identity provider mapper that fills the username reads the 'upn' claim, but the ID token issued for the user does not contain it, so the missing value has to be entered manually. Depending on the token version another claim can be used instead: 'preferred_username' or 'unique_name' for v1 tokens, 'preferred_username' for v2 tokens. Check the openid-configuration of the identity provider for the list of supported claims (e.g. https://stfs.bosch.com/adfs/.well-known/openid-configuration, key claims_supported).
Treatment: Point the username mapper at a claim that is present in the ID token of every affected user.
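Which of these claims a token actually carries is quickest to see by decoding a captured ID token and comparing it with the provider's claims_supported list. The helper below is an added example and not part of Multitenant Access Control; it decodes the payload without verifying the signature (acceptable for inspecting a token you captured yourself, never for authentication), and both the token and the discovery document are constructed stand-ins for the real ones.

```python
"""Find which ID-token claim can serve as the username when 'upn' is missing.

Added troubleshooting helper, not part of Multitenant Access Control. It
decodes the ID token payload WITHOUT verifying the signature (fine for
reading a token you captured yourself, never for authentication) and
cross-checks the candidate claims against the identity provider's
openid-configuration. Token and discovery document are constructed; the real
discovery document comes from the provider's /.well-known/openid-configuration.
"""
import base64
import json

# Order of preference from the troubleshooting note: 'upn', otherwise
# 'preferred_username' (v1 and v2 tokens) or 'unique_name' (v1 tokens only).
CANDIDATE_USERNAME_CLAIMS = ["upn", "preferred_username", "unique_name"]


def b64url_decode(segment):
    """Decode base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload_unverified(token):
    """Return the payload of a JWT without checking its signature."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def diagnose_username_claim(id_token, discovery, configured_claim="upn"):
    """Report whether the configured claim exists and which claim to map instead."""
    claims = decode_jwt_payload_unverified(id_token)
    advertised = set(discovery.get("claims_supported", []))
    present = [c for c in CANDIDATE_USERNAME_CLAIMS if c in claims]
    return {
        "configured_claim": configured_claim,
        "configured_present": configured_claim in claims,
        "token_version": claims.get("ver", "unknown"),  # Azure AD tokens carry 'ver'
        "candidates_in_token": present,
        "candidates_advertised": [c for c in present if c in advertised],
        "recommended": present[0] if present else None,
    }


def make_unsigned_token(payload):
    """Build a sample JWT with an empty signature (constructed test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed v1-style token for a user whose token carries no 'upn'.
SAMPLE_ID_TOKEN = make_unsigned_token({
    "iss": "https://login.example.com/adfs",
    "aud": "macma-plant-01",
    "ver": "1.0",
    "sub": "AAAAAAAAAAAAAAAAAAAAAExampleSubject",
    "unique_name": "jdoe@example.com",
    "email": "jdoe@example.com",
})

# Constructed excerpt of an openid-configuration document.
SAMPLE_DISCOVERY = {
    "issuer": "https://login.example.com/adfs",
    "claims_supported": ["aud", "iss", "iat", "exp", "sub", "upn", "unique_name", "email"],
}

if __name__ == "__main__":
    print(json.dumps(diagnose_username_claim(SAMPLE_ID_TOKEN, SAMPLE_DISCOVERY), indent=2))
```

A claim that the provider advertises but that is absent from the token (here 'upn') is exactly the situation behind the symptom: the mapper is configured correctly on paper, yet the token for this user type never carries the value.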

Identity provider login failure shown to user, unique database constraint violated

Symptom: Users see an unexpected login failure after a successful login at the identity provider, and the Keycloak logs contain the message 'unique constraint (MACMA.CONSTRAINT_40) violated'.
Diagnosis: The client ID in the identity provider federation of the tenant has been changed. The identity provider links of the tenant's users were created under the previous client ID and now collide with the link the broker tries to create on login.
Treatment: First find out whether the change was intentional. If it was, delete the identity provider links of each user in that tenant; they are recreated on the next successful login. If it was not, restore the previous client ID instead.


© Robert Bosch Manufacturing Solutions GmbH 2023-2025, all rights reserved
