ZApp - Users are receiving a SAML 400 Error

When the authentication expires, users will click “Re-Authenticate” within the Private Access service of the ZApp. If the user logs out of the app, and logs back in, the error doesn’t show. It’s only when they select “Re-Authenticate”. This happens to only a handful of users. Not all.

Anyone experience the same issue?

I’ve not seen this problem before and we are using AAD.
What SAML provider are you using?

We’re using Okta. Thinking maybe the SAML assertion is timing out, but it only happens during the re-authentication. No issues when logging in to the app.

Currently the authentication timeout policy is set to 30 days. Okta spits out the Failed SAML Request 400 Error. The thing is that after clicking “re-authenticate”, the Okta prompt for username and password isn’t presented. It goes straight to the Failed SAML Request.

Correction. Users see a “400 Bad Request” error.

The workaround is to have the users log out and log back in to the ZApp.

The behavior suggests the Okta SSO process is being sent through ZPA, resulting in an authentication loop: ZPA is capturing the traffic for reauthentication and asking it to reauthenticate, too. Is Okta set up to perform transparent authentication using IWA/IIS?

Sorry I’m arriving late to the party. Have you turned off the option to sign SAML requests? I had the same issue but recalled a comment about this in one of the docs; turned it off and boom, all working.
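When an IdP answers a re-authentication with a 400 before ever showing a login prompt, the first thing to establish is what the SP actually sent in the `SAMLRequest` redirect, and in particular whether it carried a signature (the setting the last reply turned off). The script below is an added example, not code from the thread or from Zscaler or Okta: it builds an HTTP-Redirect binding query from a constructed, placeholder `AuthnRequest` (the hostnames, IDs and dummy signature value are assumptions, not real identifiers), then decodes a captured query string the way you would from a browser HAR export and reports the destination, issuer and whether request signing is in play. The same decoder works on a real `SAMLRequest` parameter copied from the redirect.

```python
import base64
import zlib
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample AuthnRequest; every value here is a placeholder, not a real deployment.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
  ID="_placeholder-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://idp.example.test/app/sso/saml"
  AssertionConsumerServiceURL="https://sp.example.test/saml/acs">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text, sig_alg=None, signature=None):
    """Build the query string of a SAML HTTP-Redirect binding:
    raw DEFLATE (no zlib header), base64, then URL-encode.
    The optional SigAlg/Signature parameters model a signed request; the
    signature value is whatever the caller passes (a dummy in this example)."""
    compressor = zlib.compressobj(wbits=-15)  # wbits=-15 selects raw DEFLATE
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if sig_alg:
        params["SigAlg"] = sig_alg
    if signature:
        params["Signature"] = signature
    return urllib.parse.urlencode(params)


def inspect_redirect_binding(query):
    """Decode a captured HTTP-Redirect query and summarise what the SP sent."""
    params = dict(urllib.parse.parse_qsl(query))
    deflated = base64.b64decode(params["SAMLRequest"])
    xml_text = zlib.decompress(deflated, -15).decode("utf-8")
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text.strip() if issuer is not None else None,
        # Redirect binding carries the signature in query parameters, not in the XML...
        "signed_query": "Signature" in params,
        "sig_alg": params.get("SigAlg"),
        # ...but some SPs embed an XML-DSig element anyway, which also needs IdP-side verification.
        "embedded_signature": root.find(f"{{{DS_NS}}}Signature") is not None,
    }


def diagnose(summary):
    """Turn the summary into the questions a defender would check against the IdP app config."""
    findings = []
    if summary["signed_query"] or summary["embedded_signature"]:
        findings.append("request signing is ON: the IdP must hold the SP's current signing "
                        "certificate, otherwise it rejects the request before any login prompt")
        if summary["signed_query"] and not summary["sig_alg"]:
            findings.append("Signature present without SigAlg: malformed redirect binding")
    else:
        findings.append("request signing is OFF: the IdP only validates issuer, destination and ACS URL")
    if summary["destination"] and summary["acs_url"]:
        findings.append(f"confirm {summary['destination']} is reachable by the client and "
                        f"that {summary['acs_url']} matches the ACS configured on the IdP")
    return findings


if __name__ == "__main__":
    # Constructed dummy signature, not a valid XML-DSig value.
    query = encode_redirect_binding(
        SAMPLE_AUTHN_REQUEST,
        sig_alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        signature=base64.b64encode(b"placeholder-signature-bytes").decode("ascii"),
    )
    summary = inspect_redirect_binding(query)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for finding in diagnose(summary):
        print("-", finding)
```

With a real capture, compare the `issuer` and `acs_url` the SP sends against the IdP's app settings and check whether `signed_query` is true when you believed signing was disabled; a signed request paired with a stale or missing SP certificate on the IdP is exactly the kind of mismatch that surfaces as a rejected request rather than a login page.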