How to resolve Invitation Redemption failed error in a B2B SAML Federation scenario with OKTA

Steve Wedge 31 Reputation points
2024-05-02T14:42:15.65+00:00

I am currently testing the integration of OKTA as a SAML federated service, with Entra, for B2B guest access. This is a prelude to an urgent live deployment requirement that I have for a client. I have created an OKTA developer account, configured the SAML IDP application & added users to the OKTA environment. I then configured the SAML/WS-Fed Identity Provider in Entra and once that was correctly set up I invited a Guest user, on the domain associated with the federated provider entry, using the create a Guest user process.

When I follow the URL to redeem the invite I am taken to the OKTA logon page, where I enter the user creds which have been set up in OKTA. Once I sign in, I get redirected to a page on https://invitations.microsoft.com/ with the message


RequestId: b21264fa-c793-414d-bfa4-52766279a241

Correlation Id:53f33677-0363-4fee-a204-094a5a27e473

Timestamp:2024-05-02 13:08:11Z

I have researched this issue and can't find any obvious solutions. This article, https://learn.microsoft.com/en-us/answers/questions/12342/setup-of-g-suite-idp-for-saml-direct-federation-fo, suggests that there might be a problem with attribute mapping in OKTA, but if there is I can't find it.

Can anyone help me to resolve this?


1 answer

  1. Navya 4,780 Reputation points Microsoft Vendor
    2024-05-07T11:38:44.7733333+00:00

    Hi @Steve Wedge

    Thank you for posting this in Microsoft Q&A. I understand that you're getting an "Invitation Redemption failed" error in a B2B SAML Federation scenario with OKTA.

    The Identities property for the guest user account in your directory is set to the host's organization domain until the guest redeems their invitation. After the B2B collaboration user accepts the invitation, the Identities property is updated based on the user's identity provider.

    Can you check whether the Email claim was configured correctly or not? The Email claim value must be

    [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress]

    This is a requirement for B2B Direct Federation claims: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation#required-saml-20-attributes-and-claims

    Once the user clicks on the redemption link, it will authenticate the user profile with the current IDP, which is OKTA in our scenario; OKTA should return the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in the SAML Response.

    If the issue still persists, I request you to capture Fiddler logs and share them with us to validate that.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

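A way to verify the point made in the answer before reaching for Fiddler: parse the SAML Response the IdP returns and check that an Attribute named with the required emailaddress claim URI is actually present. This is an added example, not code from the thread or from Microsoft or Okta; the two SAML responses below are constructed, unsigned samples, and the attribute name `email` in the failing sample is a hypothetical mapping that Entra would not recognise.

```python
import base64
import xml.etree.ElementTree as ET

# Claim URI that the Entra B2B direct-federation docs require in the SAML Response.
REQUIRED_EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_email_claim(saml_response_xml: str) -> dict:
    """Collect every Attribute in the AttributeStatement and report whether the
    required emailaddress claim is present and which value it carries."""
    root = ET.fromstring(saml_response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    values = attrs.get(REQUIRED_EMAIL_CLAIM, [])
    return {"attributes": sorted(attrs), "email": values[0] if values else None,
            "ok": bool(values)}


def check_saml_response_b64(saml_response_b64: str) -> dict:
    """Same check on the base64 SAMLResponse form field as seen in a captured POST."""
    return check_email_claim(base64.b64decode(saml_response_b64).decode("utf-8"))


def _sample(attr_name: str) -> str:
    # Constructed, unsigned sample for illustration only; real responses are signed.
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="{attr_name}">
      <saml:AttributeValue>guest@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""


# Hypothetical IdP mapping that only emits a short "email" attribute name (fails)
# beside one that emits the full claim URI Entra expects (passes).
MISSING_CLAIM_RESPONSE = _sample("email")
CORRECT_CLAIM_RESPONSE = _sample(REQUIRED_EMAIL_CLAIM)
CORRECT_CLAIM_RESPONSE_B64 = base64.b64encode(CORRECT_CLAIM_RESPONSE.encode("utf-8")).decode()

if __name__ == "__main__":
    for label, xml in (("missing", MISSING_CLAIM_RESPONSE), ("correct", CORRECT_CLAIM_RESPONSE)):
        print(label, check_email_claim(xml))
```

The `attributes` list in the result shows what the IdP did send, which is usually enough to spot a mapping that uses a short name instead of the full claim URI.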