IDPEmail: The value of this claim should match the user principal name of the users in Microsoft Entra ID.
287
287
NAMEID: The value of this claim should match the sourceAnchor or ImmutableID of the user in Microsoft Entra ID.
288
288
289
-
For more information, see [Use a SAML 2.0 identity provider to implement single sign-on](/previous-versions/azure/azure-services/dn641269(v=azure.100)).
289
+
For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On](/entra/identity/hybrid/connect/how-to-connect-fed-saml-idp).
290
290
291
291
Examples:
292
292
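Review bot: The new link text on line 289 writes "Single Sign On" in title case without the hyphen, while the line it replaces used "single sign-on". Unless the target article's title must be quoted verbatim, keep the hyphenated lowercase form so the term stays consistent within this article, for example "Use a SAML 2.0 identity provider (IdP) for single sign-on".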
This issue can occur when the UPN of a synced user is changed in AD but without updating the online directory. In this scenario, you can either correct the user's UPN in AD (to match the related user's logon name) or run the following cmdlet to change the logon name of the related user in the Online directory:
> \<domain_id> is a placeholder for your domain's name. For example, contoso.com.
319
319
320
-
You can also run the following tool to schedule a task on the AD FS server that will monitor for the Auto-certificate rollover of the token-signing certificate and update the Office 365 tenant automatically.
321
-
322
-
[Verify and manage single sign-on with AD FS](/previous-versions/azure/azure-services/jj151809(v=azure.100))
320
+
For more information, see [Renew federation certificates for Microsoft 365 and Microsoft Entra ID](/entra/identity/hybrid/connect/how-to-connect-fed-o365-certs).
323
321
324
322
- Issuance Transform claim rules for the Office 365 RP aren't configured correctly.
325
323
326
-
In a scenario where you have multiple TLDs (top-level domains), you might have logon issues if the Supportmultipledomain switch wasn't used when the RP trust was created and updated. For more information, see [SupportMultipleDomain switch, when managing SSO to Office 365](/archive/blogs/abizerh/supportmultipledomain-switch-when-managing-sso-to-office-365).
324
+
In a scenario where you have multiple TLDs (top-level domains), you might have logon issues if the Supportmultipledomain switch wasn't used when the RP trust was created and updated.
325
+
326
+
We recommend to use Entra Connect for managing the federations and the claim rules. This usually automatically configured ADFS and Entra appropriately. For more information, see [Multiple Domain Support for Federating with Microsoft Entra ID](/entra/identity/hybrid/connect/how-to-connect-install-multiple-domains).
327
327
328
328
- Make sure that token encryption isn't being used by AD FS or STS when a token is issued to Microsoft Entra ID or to Office 365.
329
329
6. There are stale cached credentials in Windows Credential Manager.
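Review bot: The paragraph added at new line 326 needs a wording pass. "We recommend to use" should be "We recommend using", "This usually automatically configured" should be in the present tense, and "ADFS" and "Entra" should match the "AD FS" and "Microsoft Entra ID" spellings used on line 328. Suggested text: "We recommend using Microsoft Entra Connect to manage the federation and the claim rules. It usually configures AD FS and Microsoft Entra ID appropriately." Separately, new line 324 keeps the casing "Supportmultipledomain", whereas the removed link text spelled the switch "SupportMultipleDomain"; since the link that carried the correct casing is dropped, fix the casing in the sentence itself. Also consider whether new line 320 still needs a short lead-in now that the sentence about scheduling a task to monitor the token-signing certificate rollover is gone, so the reader knows why the certificate renewal article is referenced at this step.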