Forum Discussion

ewhiteside
Copper Contributor
Mar 31, 2026

SSO from PingOne to Entra app failing; Not matching on sub value and can't find by email

I am trying to implement SSO from PingOne to my Azure app, which I have registered in Entra External ID. When I don't have the PingOne account pre-provisioned, the sign-in flow provisions the account but with a bad value for the "Issuer" (the tenant ID is incorrectly appended to the end of the issuer URL). This leads to an AADSTS500208 error. If I use the Graph API to pre-provision the user with the proper "Issuer" URL, I get a message on the Entra prompt that says "Account Already Exists. Click next to sign in". Clicking Next gives the following error message:
We couldn't find an account with this email address

1 Reply

  • Seems related to an issuer mismatch and subject claim misalignment. The error AADSTS500208 typically occurs when the federated identity provider (PingOne) sends a sub or issuer value that does not match what Entra expects, leading to provisioning failures or duplicate account conflicts.

    https://learn.microsoft.com/en-us/answers/questions/5662929/external-identities-saml-federation-not-working-fo

    https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/external-id/customers/faq-customers.md
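Added example (not code from the original post, from Microsoft, or from Ping): a small Python diagnostic for the mismatch the reply describes. It reads the iss and sub claims out of the ID token the IdP sends, builds the federated entry for the Graph user's identities collection from those two values, and compares an existing user's identities (as returned by GET /users/{id}?$select=identities) against the token to report which of the two values is off. It assumes Entra matches on an exact string comparison of issuer and issuerAssignedId against iss and sub, which is the reply's reading of AADSTS500208; the issuer format Entra External ID actually expects is not settled on this page. The token is constructed and unsigned, and every URL, GUID and address in it is a placeholder.

```python
import base64
import json

# Constructed placeholders, not the poster's real PingOne environment or tenant.
PING_ISS = "https://auth.pingone.com/00000000-0000-0000-0000-000000000000/as"
PING_SUB = "11111111-1111-1111-1111-111111111111"
ENTRA_TENANT_ID = "22222222-2222-2222-2222-222222222222"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_id_token(iss: str = PING_ISS, sub: str = PING_SUB,
                         email: str = "jane@example.com") -> str:
    """Constructed, unsigned ID token standing in for what the IdP would send."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": iss, "sub": sub, "email": email}).encode())
    return f"{header}.{payload}."


def decode_claims(id_token: str) -> dict:
    """Return the claims Entra will match on. The signature is NOT verified:
    this is a comparison aid for a token you already captured, not a validator."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def federated_identity(claims: dict) -> dict:
    """objectIdentity entry for the Graph user's `identities` collection, taken
    verbatim from the token so issuer and subject line up (assumed exact match)."""
    return {
        "signInType": "federated",
        "issuer": claims["iss"],
        "issuerAssignedId": claims["sub"],
    }


def check_alignment(user_identities: list, claims: dict) -> list:
    """Compare a user's identities array with the token claims. Returns an empty
    list when some federated identity matches both values, otherwise one
    message per mismatch so the wrong field can be corrected via Graph."""
    federated = [i for i in user_identities if i.get("signInType") == "federated"]
    if not federated:
        return ["no federated identity on the user object"]
    problems = []
    for ident in federated:
        if ident.get("issuer") == claims["iss"] and ident.get("issuerAssignedId") == claims["sub"]:
            return []
        if ident.get("issuer") != claims["iss"]:
            problems.append(
                f"issuer mismatch: user has {ident.get('issuer')!r}, token iss is {claims['iss']!r}"
            )
        if ident.get("issuerAssignedId") != claims["sub"]:
            problems.append(
                f"subject mismatch: user has {ident.get('issuerAssignedId')!r}, "
                f"token sub is {claims['sub']!r}"
            )
    return problems


if __name__ == "__main__":
    claims = decode_claims(make_sample_id_token())
    # Case 1: user pre-provisioned from the token itself; should match cleanly.
    print(check_alignment([federated_identity(claims)], claims))
    # Case 2: issuer with the tenant ID appended, mimicking what the poster saw
    # on the auto-provisioned account (constructed, not an observed value).
    auto_provisioned = [{
        "signInType": "federated",
        "issuer": f"{PING_ISS}/{ENTRA_TENANT_ID}",
        "issuerAssignedId": PING_SUB,
    }]
    for problem in check_alignment(auto_provisioned, claims):
        print(problem)
```

To use this against a real tenant, replace the constructed token with the ID token captured from the IdP (browser dev tools or a proxy on the redirect back to Entra) and the identities array with the one Graph returns for the user in question; the output tells you whether it is the issuer or the subject that is off before you patch the user object.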