Forum Discussion
Using Google as IDP for O365
Do you have any error message to share?
Thank you for your response. Unfortunately no error message is generated. Unless I should be looking somewhere else for failure messages.
Best,
Jon
- Pié, Jan 08, 2018, Microsoft
Well, how do you know it doesn't work if there is no error message ;) If it fails at the Azure AD page, you should see a short message at the bottom in the "Additional information" section. Do you have anything there?
Maybe a fiddler trace might help... If you are willing to share one, ensure you remove sensitive information from it (like passwords or usernames).
- Jon Mann, Jan 08, 2018, Copper Contributor
Hi Pierre,
I've attached my Fiddler capture. I removed any entry that mentioned my user/domain/password. Hopefully you don't miss any of the interaction with this.
I do not see an additional information page. When logging in from portal.office.com I am returned to the login page with no status update. When logging in from portal.azure.com I get the following message:
Both do not seem to show any additional information.
Best,
Jon
- Pié, Jan 08, 2018, Microsoft
Your error message is on the frame 90:
AADSTS51004: To sign into this application the account must be added to the 123abc89-abcd-1234-1234-abcdabcd directory. Trace ID: d8f05825-16fa-4ea6-924b-63fdf34e0c00 Correlation ID: a58ee092-b0ee-40f2-902f-4863b19d6240 Timestamp: 2018-01-08 22:41:56Z
You don't have access with the account you specified in the NameID:
<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">azure.test@contoso.com</saml2:NameID>
  ...
</saml2:Subject>

It seems that the NameID should have the immutable ID of the user you have provisioned in Azure AD. So what immutable ID did you use for the representation of that user? There is a bit more information here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp
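As an added illustration of the point Pié makes above (example code, not part of the thread or of any Microsoft tooling): a small check that pulls the NameID out of a SAML assertion and flags the mistake seen in the capture, an e-mail address where Azure AD expects the user's ImmutableId. It assumes the ImmutableId is the usual base64-encoded 16-byte GUID; the sample assertions are constructed, modelled on the Subject quoted in the post.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample, modelled on the Subject quoted in the thread (not a real capture).
ASSERTION_EMAIL_NAMEID = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:Subject>
    <saml2:NameID Format="{PERSISTENT}">azure.test@contoso.com</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""

# Constructed sample with a plausible ImmutableId: base64 of a 16-byte GUID.
ASSERTION_IMMUTABLE_ID = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:Subject>
    <saml2:NameID Format="{PERSISTENT}">AAECAwQFBgcICQoLDA0ODw==</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""


def looks_like_immutable_id(value):
    """Heuristic (assumption): an Azure AD ImmutableId is base64 of a 16-byte GUID."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 16


def check_nameid(assertion_xml):
    """Return a dict describing whether the NameID is usable for Azure AD federation."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(f".//{{{SAML2}}}NameID")
    if nameid is None:
        return {"ok": False, "format": None, "value": None, "reason": "no NameID in Subject"}
    fmt = nameid.get("Format")
    value = (nameid.text or "").strip()
    result = {"ok": False, "format": fmt, "value": value, "reason": ""}
    if fmt != PERSISTENT:
        result["reason"] = "NameID Format is not the persistent format"
    elif "@" in value:
        # This is the case from the Fiddler capture: a UPN/e-mail instead of the ImmutableId.
        result["reason"] = "NameID carries an e-mail/UPN, not the ImmutableId"
    elif not looks_like_immutable_id(value):
        result["reason"] = "NameID is not base64 of a 16-byte GUID"
    else:
        result["ok"] = True
    return result
```

Running it against an assertion decoded from the IdP response (the SAMLResponse form field is base64) gives the reason in plain words, which is handy when Azure AD only returns an AADSTS code.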