Question

IEE authentication with ADFS using alternate UPN Suffix

  • 2 June 2021
  • 2 replies
  • 293 views

Userlevel 1
Badge +4

We can authenticate with Aurena and AurenaB2B without issue using ADFS (with single sign-on)…

We cannot complete the logon to the Enterprise Explorer Native app…

We use a number of alternate UPN suffixes in our Active Directory. IEE will only authenticate users that have the base, default domain name assigned in their UPN. For example: the base domain is “@basedomain.net”, but my account uses “@publicdomain.com”. When I authenticate via ADFS using MyAccount@publicdomain.com, I receive an error from IEE: “The user specified in the provided id token does not appear to be an active user in the system.” If I authenticate with a user account that is assigned the base domain, like otheruser@basedomain.net, they can get right in…

Thought I would reach out to the community to see if anyone has run into this before, as we are not seeing a quick response from our integration partner...



2 replies

Userlevel 1
Badge +4

Addendum: Could it be that if there is a period to the left of the @ in a UPN, it fails? I have one account that works (does NOT have a period to the left of the @), and a new account, using the same basedomain, that fails with the same error. I am going to try removing the period from one of these new accounts and test that in a bit...

Userlevel 7
Badge +21

Hi @Carus_RGladhill,
It’s quite unlikely that the period is causing an issue, as I’ve worked on multiple environments where the UPN has a period in it (never say never though!).

Things can however get a bit tricky when you have multiple UPN aliases for users, since you would need to know exactly what is returned in the access token in order for you to match that to the directory ID for the users. While there is no requirement for all users to have the same UPN domain on the application side, each user ID must have the correct UPN coming through in the tokens to match what is set up in the IFS user screen.

When in doubt, the best way to see what comes through in the token is to use Postman to get the access token and use a jwt decoder web site to see the decoded token values. 

Cheers.
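To illustrate the check the reply describes (decode the token, read the UPN claim, compare it with the identity configured in IFS), here is an added Python example that is not part of this thread or of IFS. It builds a constructed HS256 token standing in for the ADFS id_token, decodes only the payload the way a JWT decoder web site would, and reports why a claim value such as MyAccount@publicdomain.com does not match a user set up as MyAccount@basedomain.net; the user list, claim name `upn` and signing key are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 JWT standing in for the ADFS id_token (demo only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def decode_claims(token: str) -> dict:
    """Inspect the payload only, as a JWT decoder site does; no signature check."""
    return json.loads(b64url_decode(token.split(".")[1]))

def match_user(token: str, ifs_users: dict, claim: str = "upn"):
    """Compare the token's claim value with the IFS user identities.

    ifs_users maps identity -> active flag (assumed shape). Returns
    (matched identity or None, diagnostic text).
    """
    claims = decode_claims(token)
    value = claims.get(claim)
    if value is None:
        return None, f"token has no '{claim}' claim; present claims: {sorted(claims)}"
    for identity, active in ifs_users.items():
        if identity.lower() == value.lower():
            return identity, "match" if active else "matched but user inactive"
    # No exact match: point out an identity with the same local part but a
    # different UPN suffix, the alternate-suffix case described in the question.
    local = value.rpartition("@")[0]
    same_local = [i for i in ifs_users if i.lower().startswith(local.lower() + "@")]
    if same_local:
        suffixes = sorted(i.rpartition("@")[2] for i in same_local)
        return None, f"no identity '{value}'; same local part exists with suffix(es) {suffixes}"
    return None, f"no identity matches '{value}'"

# Constructed sample data for the demo (not real accounts or keys)
DEMO_KEY = b"constructed-demo-key"
DEMO_USERS = {"MyAccount@basedomain.net": True, "otheruser@basedomain.net": True}

def demo() -> dict:
    """Run the three cases from the thread and return their results."""
    return {
        "alt_suffix": match_user(make_token({"upn": "MyAccount@publicdomain.com"}, DEMO_KEY), DEMO_USERS),
        "base_suffix": match_user(make_token({"upn": "OtherUser@BASEDOMAIN.NET"}, DEMO_KEY), DEMO_USERS),
        "no_claim": match_user(make_token({"sub": "abc123"}, DEMO_KEY), DEMO_USERS),
    }
```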