Users aren't able to start published items if their logon names were changed after configuring SAML in the environment.
Error Incorrect password or username is thrown:
However, users are still able to login using SAML and see published items.
Certificates created by Enrollment Servers are no longer valid for users that have changed logon names.
Please delete the old certificates. RAS Enrollment Servers will reissue them by themselves on the next user login.
1. Go to RAS Console → Farm → Enrollment Servers to see what Enrollment Servers do you have:
2. Switch to AD Integration tab to find the Enrollment agent credentials:
3. Login to each Enrollment server using the Enrollment agent credentials;
4. Launch Certificate manager (certmgr.msc) and go to Certificates → Personal → Certificates:
5. Delete the certificates issued to the affected users.
Please pay attention that every Enrollment server may has its own certificate for the affected user, so you need to check all of the servers and remove the certificates.
6. Affected users must log off from the farm and then login back. Certificates will be recreated and users will be able to start published items again.