SharePoint 2016 on-premise with Azure AD - Access Denied

L Le 41 Reputation points
2023-01-06T14:18:31.93+00:00

Hello,
I have a SharePoint 2016 on-premises (single farm) configured for Azure AD SAML SSO. I followed the tutorial below and am able to authenticate; however, I get an access denied message when I'm redirected to https://www.mydomain.com/_trust/ after authentication.
TUTORIAL URL
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial
ERROR MESSAGE
Access to www.mydomain.com was denied
You don't have authorization to view this page.
HTTP ERROR 403
I gave my test account full control access to my SharePoint root site collection, but no luck. Any assistance is appreciated.
Thank you in advance.


Answer accepted by question author

Yi Lu_MSFT 17,701 Reputation points
2023-01-18T06:45:57.2733333+00:00

Hi @L Le

I'm glad to hear you solved the problem. If you have any issues about SharePoint, you are welcome to raise a ticket in this forum.

By the way, since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others.", and according to the scenario introduced here: Answering your own questions on Microsoft Q&A, I would make a brief summary of this thread:

Issue Symptom:
I have a SharePoint 2016 on-premises (single farm) configured for Azure AD SAML SSO. I followed the tutorial below and am able to authenticate; however, I get an access denied message when I'm redirected to https://www.mydomain.com/_trust/ after authentication.

TUTORIAL URL
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial

ERROR MESSAGE
Access to www.mydomain.com was denied
You don't have authorization to view this page.
HTTP ERROR 403

I gave my test account full control access to my SharePoint root site collection, but no luck.

Current status:
These are the PowerShell commands to check Azure communication from the server level or from any machine on which you want to implement Azure SSO.

Invoke-WebRequest -Uri "https://login.windows.net" -UseBasicParsing
Invoke-WebRequest -Uri "https://login.microsoftonline.com" -UseBasicParsing
Invoke-WebRequest -Uri "https://graph.microsoft.com" -UseBasicParsing

You could also do some troubleshooting according to this article:
https://azurecp.yvand.net/docs/help/troubleshooting/

After trying the methods above, it became clear it was a CORS problem. Adding https://login.microsoftonline.com to Lee's allowed origin CORS list resolved the issue.

You could click the "Accept Answer" button for this summary to close this thread, and this can make it easier for other community members to see the useful information when reading this thread. Thanks for your understanding!


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 additional answers

  1. Yi Lu_MSFT 17,701 Reputation points
    2023-01-09T09:23:04.103+00:00

    Hi @L Le
    What environment are you using?

    These are the PowerShell commands to check Azure communication from the server level or from any machine on which you want to implement Azure SSO.

    Invoke-WebRequest -Uri "https://login.windows.net" -UseBasicParsing
    Invoke-WebRequest -Uri "https://login.microsoftonline.com" -UseBasicParsing
    Invoke-WebRequest -Uri "https://graph.microsoft.com" -UseBasicParsing

    You could also do some troubleshooting according to this article:
    https://azurecp.yvand.net/docs/help/troubleshooting/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


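The three Invoke-WebRequest checks above (listed in both the accepted summary and this answer) each stop at the first failure and give no structured result. The script below is an added example, not part of the original thread: it runs the same endpoint checks from the SharePoint server, separates "the server answered with an HTTP error" (network path is fine) from "no response at all" (DNS, proxy, firewall or TLS problem), and prints the proxy the server would use. Test-AzureSsoEndpoint is a hypothetical helper name.

```powershell
# Added example, not from the original thread. Endpoints are the ones named in the answer.
$endpoints = @(
    "https://login.windows.net",
    "https://login.microsoftonline.com",
    "https://graph.microsoft.com"
)

function Test-AzureSsoEndpoint {
    # Hypothetical helper: returns one object per endpoint instead of throwing.
    param([Parameter(Mandatory)][string]$Uri)
    try {
        $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Uri = $Uri; Reachable = $true; Status = [int]$resp.StatusCode; Detail = "" }
    } catch {
        if ($_.Exception.Response) {
            # An HTTP error (e.g. 4xx) still proves the farm can reach Azure AD over TLS.
            [pscustomobject]@{ Uri = $Uri; Reachable = $true
                               Status = [int]$_.Exception.Response.StatusCode; Detail = $_.Exception.Message }
        } else {
            # No response: name resolution, proxy, firewall or TLS handshake failure.
            [pscustomobject]@{ Uri = $Uri; Reachable = $false; Status = 0; Detail = $_.Exception.Message }
        }
    }
}

$results = $endpoints | ForEach-Object { Test-AzureSsoEndpoint -Uri $_ }
$results | Format-Table -AutoSize

# A misconfigured system proxy is a common reason the farm cannot reach Azure AD,
# so show which proxy (if any) the server would use for the login endpoint.
$proxy = [System.Net.WebRequest]::DefaultWebProxy.GetProxy("https://login.microsoftonline.com")
"Proxy used for login.microsoftonline.com: $proxy"

if ($results | Where-Object { -not $_.Reachable }) {
    Write-Warning "At least one Azure AD endpoint is unreachable from this machine; fix connectivity before troubleshooting SharePoint claims or CORS settings."
}
```

Run it in an elevated PowerShell session on each SharePoint web front end, since the SAML trust is evaluated there, not on the client.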


  2. L Le 41 Reputation points
    2023-01-13T13:44:34.8633333+00:00

    Hi @Yi Lu_MSFT

    Thank you for your assistance. After trying what you suggested, it became clear it was a CORS problem. Adding https://login.microsoftonline.com to my allowed origin CORS list resolved my issue.

