After switching from Azure IDP to Duo IDP, I get the error "HTTP Error 404. The requested resource is not found." or "Application is unreachable Please contact your Administrator" with "upstream connect error or disconnect/reset before headers. reset reason: connection timeout".
This was working previously with the following setup:
Azure IDP with Azure SCIM import to Umbrella
2 private apps, 2 groups, with each app a member of one group
What changed?
Deployed Client Based Access and switched the IDP to Duo to test on-prem identities. Removed users from Azure SCIM and then enabled the Umbrella on-prem AD connector. Able to pass authentication, and get the error after passing MFA.
IDP logs and Secure Connect logs both show success and no blocks.
Troubleshooting steps taken (Incognito browser mode):
Removed Duo IDP (AD as the underlying identity store) and added Azure back as my IDP.
Disabled the on-prem Umbrella connector, added users back to Azure SCIM and confirmed the users' groups appear in Secure Connect. Tested app access and got the same error or "application not available".
Removed/re-added private applications, app groups and Browser Access Rules; same error.
Can confirm the private apps are reachable on the internal network and the private hostname is resolvable with no issues.
Removed/re-deployed site tunnels using Auto VPN from Secure Connect to Umbrella twice and tried different regions; same error.
Configured ZTNA for the same apps using a different ZTN solution (Azure App Proxy) to isolate the ZTN solution; it worked with no error. Then removed it to avoid a conflict with Secure Connect Clientless Access, but still the same error in Secure Connect.
Validate Application Certificate is disabled (enabled did not work previously either, but it is also not needed; just wanted to note it here).
Protocol is the same: HTTPS with Server Name Indication.
Logs have not been helpful because the error is not related to authC or authZ.