Jul 07 2017
- last edited on
Jul 24 2020
I am having issues getting WS-FED SSO working between our ID provider solution (ForgeRock Identity) and the O365 platform.
I have succesfully configured O365 with our ForgeRock domain and set it as a federated sign in. I have added a test user to the O365/AzureAD and have an equivalent user in our ID platform, with identical UPN and GUID values.
I have also set the WS-FED claims to send GUID as the 'immutable value' and the the UPN as name-ID.
However when we try a federated sign in, we get the below error:
Correlation ID: 97a24147-748f-458b-9c4c-4c2eca9df121 Timestamp: 2017-07-07 10:24:26Z AADSTS51004: To sign into this application the account 3e95c26f-6759-4dcf-81b5-2fe6f727622b must be added to the 661d88d5-4341-4f09-b435-e5c92c5ad753 directory.
I have checked the test user and the user GUID (3e95c26f-6759-4dcf-81b5-2fe6f727622b) detailed in the error message is correct and that user is in the AzureAD directory (661d88d5-4341-4f09-b435-e5c92c5ad753) so I am not sure why we are getting this error.
Can anyone help?
Jul 07 2017 10:34 AM
ForgeRock Identity is not on the Azure AD federation compatibility list, so it has not been validated to work with Office 365.
That said, you can try following this ForgeRock OpenIDM and Office 365 post, which links to scripts they are developing for integration. Keep in mind, it's a work in progress and is only supported by ForgeRock.
Jul 10 2017 02:54 AM
Hi Jeff. Thanks for the reply.
I am aware ForgeRock is not 'officially' supported, but given that WS-Fed is a standard that our FR platform can use, I am hoping we can get it working anyway!
Unfortunately I don't have access to stash.forgerock.org so I cannot see the details, however would I be correct in assuming that the IDM > AzureAD connector mentioned in that thread would be required to allow user provisioning?
We do not want to enable provisioning. We simply want to do SSO authentication. Do you know if this connector is still required for this use case?
Jul 10 2017 07:47 AM
I have no personal experience with ForgeRock, but it would be up to the IDM to provide support for Azure/O365 connectivity. So basically, if ForgeRock says it needs the connector, then it does.