This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 59%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
I am currently testing the integration of OKTA as a SAML federated service, with Entra, for B2B guest access. This is a prelude to an urgent live deployment requirement that I have for a client. I have created an OKTA developer account, configured the SAML IDP application & added users to the OKTA environment. I then configured the SAML/WS-Fed Identity Provider in Entra and once that was correctly set up I invited a Guest user, on the domain associated with the federated provider entry, using the create a Guest user process.
When I follow the URL to redeem the invite I am taken to the OKTA log on page, where I enter the user creds which have been set up in OKTA. Once I sign in, I get redirected to a page on https://invitations.microsoft.com/ with the message
RequestId: b21264fa-c793-414d-bfa4-52766279a241
Correlation Id:53f33677-0363-4fee-a204-094a5a27e473
Timestamp:2024-05-02 13:08:11Z
I have researched this issue and can't find any obvious solutions. This article, https://learn.microsoft.com/en-us/answers/questions/12342/setup-of-g-suite-idp-for-saml-direct-federation-fo, suggests that there might be a problem with attribute mapping in OKTA, but if there is I can't find it.
Can anyone help me to resolve this ?
OK, I see what the issue is, not sure I know the resolution yet, but this article , https://learn.microsoft.com/en-us/entra/external-id/user-properties#identities, shows that for Guest account Identities, for a federated domain, the property value should be the Issuer URI value "http://www.okta.com/ABCDEFGH123456789", but instead it is set as the host's domain "Domain.onmicrosoft.com".
I'd expect this to be set correctly against the Guest User account , the Entra B2B invitation email URL redirects to the Issuer URI, so the link between the Guest's domain and the federated identity has been recognised.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Hi @Steve Wedge
Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.
Hi @Steve Wedge
Thank you for posting this in Microsoft Q&A.I understand that you're getting Invitation Redemption failed error in a B2B SAML Federation scenario with OKTA.
The Identities property for the guest user account in your directory is set to the host's organization domain until the guest redeems their invitation. After the B2B collaboration user accepts the invitation, the Identities property is updated based on the user's identity provider.
Can you check Email claim was configured correctly or not. Email claim value must be
[http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress]
This is a requirement for B2B Direct Federation claims: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation#required-saml-20-attributes-and-claims
Once the user clicks on redemption link it will authenticate the user profile with current IDP which is OKTA in our scenario, OKTA should return the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in the SAML Response.
If the issue still persists, I request you to capture fiddler logs with us to valid that.
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya.