Here is the warning that just recently started showing up in Azure for Captive Portal:
IDP-initiated flows can only have one identifier value. Please remove additional identifiers, or change this application to use SP-initiated SSO by configuring Sign on URL below.
I have two per cluster listed:
https://firewall-ent.mfa.company.com:6082/SAML20/SP
https://firewall-manf.mfa.company.com:6082/SAML20/SP
Followed these basic instructions: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/paloaltonetworks-captiveportal-tutorial
We had added many different firewalls, two per firewall, and had no issue. All of a sudden, the above warning shows up and now I can no longer add or even edit.
I'm not sure what the issue is or how to "use SP-initiated SSO by configuring Sign on URL below" - is this even possible with Palo's?
Honestly, I've not used Azure for CP before, but I do have lots of GP enterprise apps that have gazillions (yes, I'm looking at you, Prisma Access) of identifier URLs. But isn't SAML always an SP-initiated SSO?