mcuziac-1206 asked

Guest AAD B2B user can not sign into custom app

I'm trying to build a custom app that uses Azure AD B2B to log users that are defined in multiple SAML Identity Providers.

I was able to add an Okta IdP and a guest user for that IdP. The user got the email and accepted the invitation - he was sent back to Okta for signing in and everything seems to have worked OK.

He was later added to our custom app, but when he tries to sign in he gets an error message saying "This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin."

Any idea what the issue might be?


In your title you say you're using B2C, but in your description you're saying you use B2B. Which one are you using?

AAD B2C and AAD B2B are not the same thing. If it is B2B, and if you can see the user in the AAD tenant, make sure that the username is correct and that the application's tenant ID is correct. In addition to that, can you please provide the request trace of the failure occurring? It will be difficult to determine what the issue is without the exact request that is causing the failure.


Sorry, it should have been "B2B" everywhere.

I tried creating a new directory and starting from scratch. So here are the steps that I followed:

  1. Create a SAML App in Okta and download the metadata file

  2. In AAD / Organizational Relationships / Identity Providers click 'add a new SAML.WS-Fed Idp' (domain

  3. Go to AAD / Users / Add new Guest User and add

  4. Go to AAD / App Registrations / New registration (Multitenant / Client Application (Web, iOS, Android, Desktop+Devices))

  5. Go to AAD / All applications / My application / Users and groups / Add User and select the user previously created

  6. Go to the email received by the user, click on the accept invitation link, and log in to Okta. When being returned to MS I get an error.

Strangely enough, this worked on the previous try, meaning I was able to confirm the user; I only started getting the error when trying to use a sample C# project to log in to the app.

The error that I get is:

There was a problem with processing your request
support information

Here are the settings that I used in Okta and Azure AD:


[Attachments: 1.png (212.0 KiB), 3.png (137.6 KiB)]

I see, so when you say it "worked on a previous try", what does that mean? Is it only "not" working in the sample application? It could be that the application's scopes are different. In addition to that, there should have been an AADSTS error thrown. Are you sure that's the only error being thrown in this B2B setup?

It should look like something similar to AADSTS50107: Requested federation realm object '' does not exist.


Hello @mcuziac-1206

I'm following up on this again, can you please respond in regards to the last comments left?

- Frank Hu


1 Answer

mcuziac-1206 answered

Hi Frank

I was able to find the actual error hidden in the HTML traffic. It was related to Azure AD not being able to read the email from the Okta SAML response.
This seems to be caused by the fact that Okta was not set up to send the email address as "".

I'm still trying to find a way of doing this in Okta, as there doesn't seem to exist an out of the box way of doing it; I can add it as a custom attribute, but the only formats that are available are Unspecified, Uri Reference or Basic
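
An added diagnostic example (not part of the original thread, and not Okta or Microsoft code): it decodes a captured `SAMLResponse` form value and lists the NameID format and the attribute names the IdP sent, so a missing email claim is visible without reading raw HTML traffic. The default claim name is an assumption taken from Microsoft's SAML/WS-Fed federation requirements, not from this thread, and the sample responses are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: default claim name comes from Microsoft's SAML/WS-Fed IdP
# federation requirements, not from this thread.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

def inspect_saml_response(b64_response, required_attr=EMAIL_CLAIM):
    """Decode a SAMLResponse form value and report what the IdP sent.
    Diagnostic only: the signature is not verified."""
    raw = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in raw:  # refuse DTDs before handing bytes to the parser
        raise ValueError("DOCTYPE not allowed in a SAML response")
    root = ET.fromstring(raw)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = {"name_format": attr.get("NameFormat"), "values": values}
    return {
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
        # True only if the required attribute is present with a non-empty value
        "has_required_attr": any(attrs.get(required_attr, {}).get("values", [])),
    }

def sample_response(attr_name):
    """Constructed, unsigned sample response (not captured traffic)."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
      <saml:Subject><saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        >guest@example.com</saml:NameID></saml:Subject>
      <saml:AttributeStatement><saml:Attribute Name="{attr_name}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>guest@example.com</saml:AttributeValue>
      </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for name in ("email", EMAIL_CLAIM):  # custom attribute name vs. full claim name
        report = inspect_saml_response(sample_response(name))
        print(sorted(report["attributes"]), "->", report["has_required_attr"])
```
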

