George-8117 asked:

Federated login stopped working

I have a test AzureAD which was federated with a PingFederate instance. This was working for a while, and I tried logging into it with a test user today after several months but am getting a strange error:
[screenshot of the error, attached]

The flow starts from login.microsoftonline.com, which (after domain discovery) redirects you to PingFederate for login. PingFederate performs user validation and sends the SAML response correctly back to Azure (Subject is the objectGUID, UPN is the userPrincipalName and ImmutableID is the objectGUID).

The user exists and the ImmutableID matches the ObjectGUID. See below:
[screenshot showing the user's ImmutableID and objectGUID, attached]

I have removed federation, deleted the federated users (permanently), re-federated and re-synced the users but no luck. I have also created a new user in AD for federation and that also comes up with the same error.
I've also tried manually changing the ImmutableID with Set-MsolUser but didn't make a difference.

Tags: azure-ad-connect, azure-ad-authentication-protocols

1 Answer

MarileeTurscak-MSFT answered:

Are there any special characters in that UPN?

In Azure AD a user is normally authenticated by the UPN attribute, and in the error message it's showing those weird special characters and not the name that you are querying.

Here is the list of allowed and not-allowed special characters.

[image attachment: list of allowed and not-allowed UPN characters]

If this is the problem, there is an open feature request for this issue. https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/16849114-aad-usernames-need-to-support-all-character-sets

Right now the workaround is to rename the UPN.

George-8117 commented:

That's the objectGUID (ImmutableID) which shows there. I'm sending the objectGUID as the ImmutableID. It's also in the SAML Subject and the TOKEN_SUBJECT.

Is there a way to configure Azure not to use ImmutableID to search the user but rather UPN?

George-8117 commented:

Never mind, I found it. Needed to flag the objectGUID as a binary attribute.

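The fix in the last comment (emitting objectGUID as a binary attribute) comes down to what Azure AD expects ImmutableID to be: the base64 encoding of the GUID's 16 raw bytes, not the GUID's textual form and not the raw bytes pasted into a string. The following is an added example, not code from this thread, PingFederate or Microsoft; it converts an objectGUID to the expected ImmutableID and classifies a claim value pulled from a SAML assertion. The GUID and claim values are constructed.

```python
import base64
import uuid


def object_guid_to_immutable_id(guid_text: str) -> str:
    """Return the ImmutableID / sourceAnchor Azure AD expects for an objectGUID.

    The value is base64 of the GUID's 16 raw bytes in the mixed-endian layout
    AD stores (what .NET's Guid.ToByteArray() returns); uuid.bytes_le matches.
    uuid.UUID accepts the GUID with or without braces.
    """
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def immutable_id_to_object_guid(immutable_id: str) -> str:
    """Reverse the conversion so an ImmutableID can be checked against AD."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableID decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def diagnose_immutable_id_claim(claim_value: str, object_guid: str) -> str:
    """Compare the ImmutableID value the IdP sent with the user's objectGUID.

    Returns 'match', 'guid-as-text' (textual GUID sent instead of base64 bytes),
    'raw-bytes-as-text' (binary attribute emitted as a string, which shows up as
    garbage characters), or 'mismatch'.
    """
    expected_b64 = object_guid_to_immutable_id(object_guid)
    if claim_value == expected_b64:
        return "match"
    try:
        if uuid.UUID(claim_value) == uuid.UUID(object_guid):
            return "guid-as-text"
    except ValueError:
        pass
    try:
        if claim_value.encode("latin-1") == base64.b64decode(expected_b64):
            return "raw-bytes-as-text"
    except UnicodeEncodeError:
        pass
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample objectGUID (hypothetical, not a real directory object).
    guid = "12345678-9abc-def0-1234-56789abcdef0"
    print("expected ImmutableID:", object_guid_to_immutable_id(guid))
    print(diagnose_immutable_id_claim(object_guid_to_immutable_id(guid), guid))
    print(diagnose_immutable_id_claim("{12345678-9ABC-DEF0-1234-56789ABCDEF0}", guid))
```

Run the diagnosis on the ImmutableID attribute value from a captured SAML response (for example from the browser's SAML tracer) against the objectGUID reported by Get-ADUser.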