jnrfunky.blogg.se

Adfs azure mfa
Sometimes customers want to implement redirection of Azure AD authentication to the IdP they already use. This 3rd party solution has been around for a long time, and the customer doesn't want to change the provisioning process at all. Also, unlike ADFS, Okta and Ping Identity, this 3rd party federation does not provide a wizard for the authentication connection with Azure AD.

How can we configure authentication redirection in such a customer environment? As you already know, it cannot be configured in the "User Sign-in" menu of Azure AD Connect, so the "User Sign-in" method can only be "Do not Configure". After that, the federation connection can be set up manually using the PowerShell cmdlet at the link below.

Set-MsolDomainAuthentication (MSOnline) | Microsoft Docs

When using this cmdlet, information such as the DomainName, the sign-in certificate and the URLs to be used must be gathered in advance. For reference on which values can be used, you can check the configuration of a domain that is connected to ADFS by using the Get-MsolDomainAuthentication cmdlet. Once the 3rd party federation has been configured with Set-MsolDomainAuthentication, you will see that the logon page is redirected when you try to log on to Azure AD. However, if you try to log on from the federation logon page, you will get an error message as shown in the figure below.

However, this user account actually exists in Azure AD. To solve this issue, we will still find the answer in ADFS. If you refer to the link below, you can find out what information is required when ADFS and Azure AD are connected.

Azure AD RPT Claim Rules | AD FS Help

Among the claims issued by ADFS, the two most important are the 'Sign-in' and 'ImmutableID (= SourceAnchor)' claims. In order for Azure AD to allow authentication, the values of these two claims in the ADFS token must match the information in Azure AD. Azure AD Connect uses the 'objectGUID' property of the AD user account (actually its base64-encoded value) to determine uniqueness between the AD account and the account synced to Azure AD. 'objectGUID' is a value assigned when an AD user object is created. (Detail: Azure AD Connect: Design concepts | Microsoft Docs)
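As an added example (my own script, not code from the original post or from Microsoft), here are the manual federation step and the ImmutableID check described above in one PowerShell script; all domain names, URLs, the certificate path and the UPN are placeholders, and the MSOnline and ActiveDirectory modules are assumed to be installed with Connect-MsolService already run.

```powershell
# Added example, not from the original post. Assumes the MSOnline and
# ActiveDirectory modules are installed, Connect-MsolService has already
# been run, and every value marked "placeholder" is replaced with the
# customer's own IdP settings.
Import-Module MSOnline
Import-Module ActiveDirectory

# 1. Reference: read the settings of a domain already federated with ADFS
#    (placeholder domain), so the equivalent URLs and certificate are known.
Get-MsolDomainAuthentication -DomainName 'adfs.contoso.com' |
    Format-List Authentication, IssuerUri, PassiveLogOnUri, LogOffUri, SigningCertificate

# 2. Federate the domain with the 3rd party IdP manually (no wizard).
#    SigningCertificate is the base64 DER of the IdP token-signing certificate.
$signingCert = [Convert]::ToBase64String(
    [IO.File]::ReadAllBytes('C:\certs\idp-signing.cer'))              # placeholder path
$federation = @{
    DomainName                      = 'example.contoso.com'           # placeholder
    Authentication                  = 'Federated'
    FederationBrandName             = '3rd party IdP'                 # placeholder
    IssuerUri                       = 'https://idp.example.com/'      # placeholder, must equal the token issuer
    PassiveLogOnUri                 = 'https://idp.example.com/sso'   # placeholder
    LogOffUri                       = 'https://idp.example.com/slo'   # placeholder
    SigningCertificate              = $signingCert
    PreferredAuthenticationProtocol = 'Samlp'                         # or 'WsFed', whichever the IdP uses
}
Set-MsolDomainAuthentication @federation

# 3. Before testing the redirected logon, confirm that the ImmutableID the IdP
#    will issue is the one Azure AD Connect synced: the base64 form of the AD
#    user's objectGUID bytes (Guid.ToByteArray order, not the display string).
function Test-ImmutableIdMatch {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $adUser   = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'"
    $expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        ExpectedFromAD    = $expected
        StoredInAzureAD   = $cloud.ImmutableId
        Match             = ($expected -eq $cloud.ImmutableId)
    }
}
Test-ImmutableIdMatch -UserPrincipalName 'user@example.contoso.com'    # placeholder UPN
```

A `Match` of `False` means the token the IdP issues for that user will not be accepted even though the account exists in Azure AD, which is the situation the error above describes.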