Forum Discussion
Using ADFS and Azure AD Guests to authenticate external guests for internal SAML apps?
- May 31, 2018
Hello Sven,
Yes it is possible.
You need to add Azure Active Directory as a claim provider on ADFS, and ADFS as an application in Azure AD.
Check this, it might help:
https://www.youtube.com/watch?v=VIT6oL3Zhzg&t=12s
Regards,
Rishabh
- Sven Bürger, Dec 06, 2018, Copper Contributor
Hi Rishabh,
Thanks for the video. I could set up the claims provider with this.
I have one issue left. The guest user account from Azure AD gets some weird Name ID claim from Azure AD. I hoped I would get a UPN or the logon name as the Name ID.
This is the NameID I get:
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Qx7A-cgVG3o-D7qWLKKSjlrjijskdfjlKJSLKJJSLKJFw</NameID>
I can work around the issue by transforming the Email claim into the Name ID for the target application. But I would like to understand what Azure AD sends. I used Get-AzureADUser, but it isn't the ObjectId or any other attribute I see on the user account.
Regards,
Sven
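
The workaround described in the post above (issuing the Email claim as the Name ID for the target application), sketched as an added example that is not part of the original thread. The trust names `Azure AD` and `Internal SAML App` are placeholders, and it is an assumption that the guest's e-mail arrives from Azure AD under the standard `emailaddress` claim type.

```powershell
# Added example, not from the thread. Run on the primary AD FS server.
# Placeholder names (assumptions): replace with your own trust names.
$cpName = 'Azure AD'            # claims provider trust for Azure AD
$rpName = 'Internal SAML App'   # relying party trust of the target application

# Assumption: Azure AD sends the guest's e-mail under this claim type.
$emailType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

# 1) Acceptance rule on the claims provider trust: let the e-mail claim in.
#    Without it, AD FS drops the claim before the relying party rules run.
$acceptRule = @"
@RuleName = "Pass through e-mail from Azure AD"
c:[Type == "$emailType"] => issue(claim = c);
"@

# 2) Issuance rule on the relying party trust: re-issue e-mail as Name ID
#    with an explicit emailAddress format instead of the opaque value.
$nameIdRule = @"
@RuleName = "E-mail to Name ID"
c:[Type == "$emailType"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Both -AcceptanceTransformRules and -IssuanceTransformRules replace the whole
# rule set, so append to what is already configured instead of overwriting it.
# If an existing rule already issues a Name ID, remove it first so the
# application does not receive two.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
Set-AdfsClaimsProviderTrust -TargetName $cpName `
    -AcceptanceTransformRules ($cp.AcceptanceTransformRules + "`n" + $acceptRule)

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $nameIdRule)

# Review the resulting rule set.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```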