Federated login stopped working

George 6 Reputation points
2020-09-24T17:00:08.63+00:00

I have a test AzureAD which was federated with a PingFederate instance. This was working for a while, and I tried logging into it with a test user today after several months, but I'm getting a strange error:
[screenshot attachment: screenshot-2020-09-24-at-175043.png]

The flow starts from login.microsoftonline.com, which (after domain discovery) redirects you to PingFederate for login. PingFederate performs user validation and sends the SAML response correctly back to Azure (Subject is the objectGUID, UPN is the userPrincipalName and ImmutableID is the objectGUID).

The user exists and the ImmutableID matches the ObjectGUID. See below:
[screenshot attachment: screenshot-2020-09-24-at-165004.png]

I have removed federation, deleted the federated users (permanently), re-federated and re-synced the users but no luck. I have also created a new user in AD for federation and that also comes up with the same error.
I've also tried manually changing the ImmutableID with Set-MsolUser but didn't make a difference.

Microsoft Entra ID

1 answer

Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
2020-09-24T22:30:00.857+00:00

Are there any special characters in that UPN?

In Azure AD a user is normally authenticated by the UPN attribute and in the error message it's showing those weird special characters and not the name that you are querying.

Here is the list of allowed and not-allowed special characters.

[image attachment: image.png (table of allowed and not-allowed UPN characters)]

If this is the problem, there is an open feature request for this issue. https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/16849114-aad-usernames-need-to-support-all-character-sets

Right now the workaround is to rename the UPN.
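A small script to run the two checks this thread turns on, added here as an example and not part of the original question or answer: it flags characters in a UPN that fall outside the allowed set, and it converts between an AD objectGUID and the Base64 ImmutableID form so the "ImmutableID matches the objectGUID" claim can be verified byte-for-byte. The allowed-character set and the 64/48 length limits are assumptions taken from Microsoft's documented UPN rules (the answer's screenshot is not reproduced on this page), and the ImmutableID helpers assume the conventional encoding of the 16 raw GUID bytes in .NET `Guid.ToByteArray()` order.

```python
import base64
import re
import uuid

# Assumed from Microsoft's documented UPN rules: the username part may contain
# ASCII letters, digits and the characters ' . - _ ! # ^ ~ only. Accented
# letters, spaces and punctuation such as & % " ( ) + , / : ; < = > ? are not
# allowed. Verify against the current documentation before relying on it.
UPN_LOCAL_CHAR = re.compile(r"[A-Za-z0-9'._!#^~-]")
# Domain part: plain DNS label characters.
UPN_DOMAIN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
# Assumed documented limits: up to 64 characters before '@', 48 after.
MAX_LOCAL, MAX_DOMAIN = 64, 48


def check_upn(upn: str) -> list:
    """Return a list of problems found in a UPN; an empty list means it passed every check."""
    problems = []
    if upn.count("@") != 1:
        problems.append("UPN must contain exactly one '@'")
        return problems
    local, domain = upn.split("@")
    if not local:
        problems.append("empty username part")
    elif local.endswith("."):
        problems.append("username part must not end with '.'")
    # Report each offending character with its code point, since look-alike
    # characters (e.g. a non-breaking space or an accented letter) are hard to
    # spot in an error message.
    bad = sorted({c for c in local if not UPN_LOCAL_CHAR.fullmatch(c)})
    if bad:
        problems.append("disallowed characters in username part: "
                        + " ".join(f"{c!r} (U+{ord(c):04X})" for c in bad))
    if not UPN_DOMAIN.match(domain):
        problems.append("domain part contains disallowed characters")
    if len(local) > MAX_LOCAL or len(domain) > MAX_DOMAIN:
        problems.append(f"length exceeds {MAX_LOCAL}@{MAX_DOMAIN} limit")
    return problems


def immutable_id_from_object_guid(guid_text: str) -> str:
    """Base64 of the 16 raw objectGUID bytes, in the byte order .NET's Guid.ToByteArray() uses."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Inverse of immutable_id_from_object_guid: decode an ImmutableID back to GUID text."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def immutable_id_matches(guid_text: str, immutable_id: str) -> bool:
    """True when the ImmutableID stored in the cloud is the encoding of the given on-premises objectGUID."""
    return immutable_id_from_object_guid(guid_text) == immutable_id


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for upn in ("jdoe@example.com", "jöhn@example.com", "john doe@example.com"):
        print(upn, "->", check_upn(upn) or "ok")
    sample_guid = "12345678-1234-5678-1234-567812345678"
    print(sample_guid, "->", immutable_id_from_object_guid(sample_guid))
```

When an on-premises objectGUID and the cloud ImmutableID disagree, `immutable_id_matches` returns False and the decoded GUID from `object_guid_from_immutable_id` shows which object the cloud account is actually anchored to; when both agree but sign-in still fails, the `check_upn` output is the next thing to look at, as the answer suggests.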