SAML/WS-Fed IdP federated user can access Azure AD application without adding guest user to user list

siva testuser 1 Reputation point
2022-11-23T19:30:58.537+00:00

Once SAML/WS-Fed IdP federation is configured with an organization, does each guest user (who has already authenticated with the external IdP) need to be added, or be sent an individual invitation and redeem it?

Steps

Configure Okta federation using SAML in Azure AD successfully -> log in with Okta user credentials -> successfully authenticated and returned to Azure -> if we do not add the Okta user ID to the Azure user list, access to the application is denied.

Is there any way to access the application without adding a guest user? Okta has already authenticated the user.


2 answers

  1. Sandeep G-MSFT 16,691 Reputation points Microsoft Employee
    2022-11-25T08:43:07.62+00:00

    @siva testuser

    Usually, a guest user has to be provisioned in the Azure AD tenant for application access. This can be done either via an invitation, by adding the guest user directly, or by the user redeeming an individual invitation.
    If there are lots of users that need to be added as guests in Azure AD, then you can make use of the bulk invite feature for Azure AD B2B users.
    https://learn.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite

    You can also make use of Self-service sign-up.
    When sharing an application with external users, you might not always know in advance who will need access to the application. As an alternative to sending invitations directly to individuals, you can allow external users to sign up for specific applications themselves by enabling self-service sign-up user flow.

    You can refer to the articles below to learn about self-service sign-up and how to configure it.
    https://learn.microsoft.com/en-us/azure/active-directory/external-identities/self-service-sign-up-overview
    https://learn.microsoft.com/en-us/azure/active-directory/external-identities/self-service-sign-up-user-flow#before-you-begin
    https://learn.microsoft.com/en-us/azure/active-directory/external-identities/identity-providers
    https://learn.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation
    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-self-service-access

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
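    The bulk-invite approach mentioned above, as an added example that is not from the thread or from Microsoft's documentation: it reads a CSV of external users and creates guest objects through Microsoft Graph PowerShell, skipping addresses that already exist as guests. The CSV columns, the sample addresses and the redirect URL are constructed placeholders.

```powershell
# Added example: bulk-invite federated external users as guests from a CSV
# using Microsoft Graph PowerShell (Microsoft.Graph modules must be installed).
# The guest object does not change where the user authenticates (the external
# SAML/WS-Fed IdP still does that); it is the object Azure AD needs to anchor
# app assignment, Conditional Access and access reviews.

# Constructed sample input; replace with the path to your own CSV.
$csvPath = Join-Path $env:TEMP 'guests.csv'
@"
Email,DisplayName
alice@example.com,Alice Example
bob@example.com,Bob Example
"@ | Set-Content -Path $csvPath

# Placeholder: where the user lands after redemption (e.g. the app's sign-in URL).
$redirectUrl = 'https://myapps.microsoft.com/'

# User.Invite.All is the least privilege needed to create invitations;
# User.Read.All is needed only to look up existing guest objects.
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $email = $row.Email.Trim()

    # Skip addresses that already have a guest object so reruns are idempotent.
    $existing = Get-MgUser -Filter "mail eq '$email' and userType eq 'Guest'" -Property Id
    if ($existing) {
        [pscustomobject]@{ Email = $email; Status = 'AlreadyGuest'; ObjectId = $existing.Id }
        continue
    }

    try {
        # Creates the guest object without sending the e-mail; the user redeems
        # the invitation the first time they sign in through the federated IdP.
        $inv = New-MgInvitation -InvitedUserEmailAddress $email `
                                -InvitedUserDisplayName $row.DisplayName `
                                -InviteRedirectUrl $redirectUrl `
                                -SendInvitationMessage:$false
        [pscustomobject]@{ Email = $email; Status = $inv.Status; ObjectId = $inv.InvitedUser.Id }
    }
    catch {
        # Record failures per row instead of aborting the whole batch.
        [pscustomobject]@{ Email = $email; Status = "Error: $($_.Exception.Message)"; ObjectId = $null }
    }
}

$results | Format-Table -AutoSize
```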


  2. Vignesh N 1 Reputation point
    2022-11-28T04:52:34.713+00:00

    @Sandeep G-MSFT Just to make it more clear,

    We have an Azure AD Premium P1 license, and we created an enterprise application.

    We would like to give access to this enterprise application to users from Okta and a separate Azure AD.

    We have a different account where a vendor has already set up the access in such a way that logging in to the enterprise application with Okta or a separate AD does not require a guest user to be created. We want to understand how this was done because the users in the Okta or the different AD can go above 10,000 and this means it is difficult for us to invite each of them or to provide an invite link to each of them.

    We have already checked the following scenarios

    1. Adding Okta as external identity provider
    2. Entitlement management and access packages with catalogues - we checked after changing the license to P2 premium but still did not work
    3. SAML configuration in the Enterprise application and checked by clicking the test button - Showed an error that a requested realm object http://www.okta.com/{random characters} does not exist
    4. Tried checking external collaboration settings - Did not work
    5. Self service sign up work flow does not support SAML/WS-Fed. It only supports AD, Google and Facebook
    6. Application assignments require a guest user to be already created. We don't want a guest user to be created at all (automatic or manual)

    The flow of the authentication is as follows:

    1. The user sees the login screen of the application.
    2. They click the "Login with SSO" option, which redirects the user to the Microsoft login page.
    3. The user enters their email.
    4. Azure checks the domain of the email and redirects the user to their IdP appropriately: Okta users are taken to their organisation's sign-in page, which is Okta, and AD users are shown a window to enter their password.
    5. Okta users enter their email and password in Okta and log in.
    6. Both Okta and AD users are taken to an error page stating that the logged-in entity does not have access to the application and that a guest user should be created for them in that tenant.

    The above is for a test AD account we created

    Due to some configuration in the production AD account, for a different Okta and AD, the guest users are not created but the authentication works correctly.

    Please let us know if there is any method to sign in to the application without creating guest users. This is already working in the production account, so we only need to know how it was done.

    Thank you
