Azure AD Error: AADSTS700016 Application with identifier was not found in the directory

I recently had the chance to work on Azure B2B access integration with ADFS (SAML consumed by SaaS applications), and this post is inspired by the quick fix applied to an issue I encountered in the middle of the process. Although this may look obvious from a technical point of view, I’m quite certain that someone will find this handy and it could save hours of troubleshooting.


When a B2B user (AAD registered guest) tries to access the ADFS sign-on URL (https://adfs.yourdomain.com/adfs/ls/idpinitiatedsignon), the following error is received. I had the Azure AD App registered and configured to work with ADFS, but the error makes perfect sense here. It clearly says that the application ID did not match the URN that was generated by ADFS.


“AADSTS700016: Application with identifier ‘<URN>’ was not found in the directory ‘<Tenant Id>’. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant”


The Uniform Resource Name (URN) is a unique identifier assigned to our Enterprise SAML connection. This value is labelled “Federation Service identifier” in the ADFS server Federation Service properties, which is easy to find. The URN value apparently needs to be assigned to the App Registration.

ADFS Server –> Edit Federation Service Properties


To set the Application ID URI, select the “Add an Application ID URI” option in the Azure App registration.


Set the URN copied from the ADFS Federation Service properties. Note that this identifier is usually an “http://” URI, not “https://”, so copy it exactly as ADFS shows it.


No changes to the “Redirect URIs”. Leave it with the IDPInitiatedSignOn page and hit save to apply the change.


And that’s it! The Azure App is now linked correctly with the ADFS service endpoint.
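Before editing the app registration, it helps to confirm that the identifier in the AADSTS700016 message really differs from what is configured, and how (the typical slip being the http vs. https scheme described above). The following Python snippet is an added example, not code from the original post or from Microsoft: it parses the error text, compares the identifier against a list of Application ID URIs, and names the kind of mismatch. The error string and the URI values are constructed for illustration (adfs.example.com stands in for a real federation service host; a real tenant id would be a GUID), and the list of configured URIs stands in for whatever you read from the app registration.

```python
"""Diagnose an AADSTS700016 error against an app registration's Application ID URIs.

Added example, not part of the original post. All inputs below are constructed:
the error text mirrors the one quoted in the post with placeholder values, and
CONFIGURED_URIS stands in for the identifier URIs read from the Azure app registration.
"""
import re
from urllib.parse import urlsplit

# Accept both straight and curly quotes, since the portal and copied text use either.
AADSTS700016_RE = re.compile(
    r"AADSTS700016: Application with identifier [‘'](?P<identifier>[^’']+)[’'] "
    r"was not found in the directory [‘'](?P<tenant>[^’']+)[’']"
)

# Constructed sample error; the default ADFS identifier form is http://<fqdn>/adfs/services/trust.
SAMPLE_ERROR = (
    "AADSTS700016: Application with identifier 'http://adfs.example.com/adfs/services/trust' "
    "was not found in the directory 'PLACEHOLDER-TENANT-ID'. This can happen if the application "
    "has not been installed by the administrator of the tenant or consented to by any user in the tenant."
)

# Constructed: what an app registration might hold before the fix (https instead of http).
CONFIGURED_URIS = ["https://adfs.example.com/adfs/services/trust"]


def parse_aadsts700016(message: str) -> dict:
    """Extract the identifier and tenant from an AADSTS700016 error message."""
    match = AADSTS700016_RE.search(message)
    if match is None:
        raise ValueError("message is not an AADSTS700016 error")
    return match.groupdict()


def _normalise(uri: str) -> tuple:
    """Split a URI into (scheme, host, path) with case and trailing slash ignored."""
    parts = urlsplit(uri.strip())
    return parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/")


def diagnose(identifier_in_error: str, configured_uris: list) -> str:
    """Classify why the identifier Azure AD complained about does not match the app.

    Returns one of:
      'match'           exact URI is configured; the request probably hit the wrong tenant
      'scheme-mismatch' same host and path but http vs. https (the case in the post)
      'near-miss'       same host and path apart from letter case or a trailing slash
      'missing'         nothing configured resembles the identifier
    """
    if identifier_in_error in configured_uris:
        return "match"
    wanted = _normalise(identifier_in_error)
    for uri in configured_uris:
        got = _normalise(uri)
        if got[1:] == wanted[1:]:
            return "scheme-mismatch" if got[0] != wanted[0] else "near-miss"
    return "missing"


def explain(message: str, configured_uris: list, expected_tenant: str) -> str:
    """Return a one-line troubleshooting verdict for an AADSTS700016 message."""
    parsed = parse_aadsts700016(message)
    if parsed["tenant"] != expected_tenant:
        return f"request went to tenant {parsed['tenant']}, expected {expected_tenant}"
    verdict = diagnose(parsed["identifier"], configured_uris)
    return f"identifier {parsed['identifier']}: {verdict}"


if __name__ == "__main__":
    print(explain(SAMPLE_ERROR, CONFIGURED_URIS, "PLACEHOLDER-TENANT-ID"))
```

A 'match' result means the Application ID URI is already correct and the sign-in request is reaching a different directory than the one holding the registration; a 'scheme-mismatch' or 'near-miss' means the URI should be replaced with the value exactly as shown in the ADFS Federation Service properties.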
