Guest AAD B2B user can not sign into custom app

mcuziac 1

I'm trying to build a custom app that uses Azure AD B2B to log users that are defined in multiple SAML Identity Providers.

I was able to add an Okta Idp and a guest user for that Idp. The user got the email and accepted the invitation - he was sent back to okta for signing in and everything seems to have worked ok.

He was later added to our custom app, but when he tries to sign in he gets an error message saying "This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin."

Any idea what the issue might be?

FrankHu-MSFT 976 Reputation points

2020-01-24T00:05:23.957+00:00

in your title you say you're using b2c, but in your description you're saying you use b2b. Which one are you using?

AAD B2C and AAD B2B are not the same thing. If it is b2b, and if you can see the user in the AAD tenant, make sure that the username is correct and that the application's tenant id is correct. in addition to that can you please provide the request trace of the failure occurring? It will be difficult to determine what the issue is without the exact request that is causing the failure.
mcuziac 1 Reputation point

2020-01-27T12:33:32.873+00:00
Sorry, it should have been "B2B" everywhere.

I tried creating a new directory and starting from scratch. So here's the steps that I followed:

Create a SAML App in Okta and download the metadata file

In AAD / Organizational Relationships / Identity Providers click 'add a new SAML.WS-Fed Idp' (domain =riv3.net)

Go to AAD / Users / Add new Guest User and add xiwenil117@riv3r.net

Go to AAD / App Registartions / New registration (Multitenant / Client Application (Web, iOS, Android, Desktop+Devices))

Go to AAD / All applications / My application / Users and groups / Add User and select the user previously created

Go to the email received by the user and click on the accept invitation, login into okta. When being returned to MS I get an error.

Strangely enough, this worked on the previous try, meaning i was able to confirm the user, i only started getting the error when trying to use a sample c# project to log-in to the app.
mcuziac 1 Reputation point

2020-01-27T12:34:49.673+00:00

The error that i get is:

There was a problem with processing your request
support information
CORRELATION ID:
WEU#d170c819-4ce1-44c3-998a-ef38a3bf5654
ERROR CODE:
0
mcuziac 1 Reputation point

2020-01-27T12:37:08.523+00:00

Here are the settings that i used in Okta and Azure AD:
FrankHu-MSFT 976 Reputation points

2020-01-28T02:18:14.297+00:00

I see, so when you say it "worked on a previous try" what does that mean? Is it only "not" working in the sample application? It could be that the application's scopes are different. In addition to that, there should have been an aadsts error thrown. Are you sure that's the only error being thrown in this b2b setup?

It should look like something similar to AADSTS50107: Requested federation realm object ' http://www.okta.com/xxxx' does not exist.
FrankHu-MSFT 976 Reputation points

2020-01-30T03:02:17.243+00:00
hello,

I'm following up on this could you please respond in regards to the last comment?

Thanks,

Frank Hu
FrankHu-MSFT 976 Reputation points

2020-01-30T22:51:23.86+00:00
Hello @mcuziac

I'm following up on this again, can you please respond in regards to the last comments left?

Thanks,

Frank Hu

1 answer

mcuziac 1 Reputation point

2020-02-04T11:44:36.79+00:00

Hi Frank

I was able to find the actual error hidden in the html traffic. It was related to Azure AD not being able to read the email from the OKTA Saml Response.
This seems to be caused by the fact that okta was not set up to send the email address as "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress".

I'm still trying to find a way of doing this in Okta, as there doesn't seem to exist an out of the box way of doing it; I can add it as a custom attribute, but the only formats that are available are Unspecified, Uri Reference or Basic

Mihai,
Please sign in to rate this answer.

0 comments No comments
Sign in to comment