Skip to main content
Solved

Microsoft Azure SSO - Can a guest account access Fresh apps via SSO?

  • January 12, 2022
  • 7 replies
  • 1263 views
smurfjoe
Apprentice

I’m having trouble getting Azure guest accounts get signed into my Fresh apps (Freshservice, Freshmarketer, Org Site).  Normal Azure users are able to use the SSO login but guest accounts are getting SAML errors and “ <USER> cannot be logged in as this user is not part of this organization”.

 

I came across another post that said the guest account needs to have Freshservice account as well.  I confirmed my guest user has a Freshservice requestor account.

 

Any ideas to resolve this would be appreciated.  Thanks!

Best answer by viswanatha.mehta

Hi @smurfjoe 

Azure Guest Users will be able to authenticate themselves via SAML SSO.


SAML SSO handshakes send a NameID that Freshservice uses to identify the User. Freshservice expects an email address as the incoming NameID.

This NameID claim can be found under Azure Enterprise Apps > Freshworks > Single Sign on > Box2


Ensure that the variable used as the source for the NameID claim has an email address in the Guest User’s profile. 

You can verify if the expected values are sent over as the NameID using a SAML Tracer browser extension. 

Reach out to us at support@freshservice.com if you need any assistance in this process. 

 

View original
    manns
    viswanatha.mehta
    2 people like this
    • manns
      manns
    • viswanatha.mehta
      viswanatha.mehta
    Did this topic help you find an answer to your question?

    7 replies

    viswanatha.mehta
    Community Debut
    Forum|alt.badge.img+4

    Hi @smurfjoe 

    Azure Guest Users will be able to authenticate themselves via SAML SSO.


    SAML SSO handshakes send a NameID that Freshservice uses to identify the User. Freshservice expects an email address as the incoming NameID.

    This NameID claim can be found under Azure Enterprise Apps > Freshworks > Single Sign on > Box2


    Ensure that the variable used as the source for the NameID claim has an email address in the Guest User’s profile. 

    You can verify if the expected values are sent over as the NameID using a SAML Tracer browser extension. 

    Reach out to us at support@freshservice.com if you need any assistance in this process. 

     

    Cheers, Vish | Delight Made Easy
    brad.dunn
    Community Debut
    • brad.dunn
    • Community Debut
    • 2 replies
    • January 19, 2022

    Yes you can. Our guests need to use a lightly different username. For this, its their <emailaddress> #EXT#@<MicrosoftTenantName>.

     

    e.g. brad.dunn_test.com#EXT#@test.onmicrosoft.com

     

    Have a look at the guest in Azure AD and go from there.

    viswanatha.mehta
    1 person likes this
    • viswanatha.mehta
      viswanatha.mehta
    H
    Skilled Expert
    Forum|alt.badge.img+4
    • HVH
    • Skilled Expert
    • 6 replies
    • June 24, 2022

    @brad.dunn where you able to register that emailadres for the requester in fresh. 

    Within FreshService it is not possible because the mailadress is not valid according to fresh.

     

    H
    Skilled Expert
    Forum|alt.badge.img+4
    • HVH
    • Skilled Expert
    • 6 replies
    • July 4, 2022

    Question to @freshsupport 

    Our Our AAD UPN is build by default like this:

    <emailaddress> #EXT#@<MicrosoftTenantName>

    Why isn't it possible to implement this adress in the Requesters field for Mail?

    I can't find any documentation about the allowed Characters in the field for Email.

    By experimenting I have found the following characters are not allowed, are these the only ones:

    1. { }
    2. # #
    3. [ ]
    4. “ “
    D
    Top Contributor
    Forum|alt.badge.img+2
    • DJL
    • Top Contributor
    • 9 replies
    • June 17, 2024

    Did this get get fixed or was a workaround found?

    H
    Skilled Expert
    Forum|alt.badge.img+4
    • HVH
    • Skilled Expert
    • 6 replies
    • June 20, 2024

    We changed the app claim, and login trough SSO functions works for our Guest Accounts!

    Samantha555

    SAML SSO handshakes send a NameID that Freshservice uses to identify the user, and it expects this NameID to be an email address. You can find the NameID claim under Azure Enterprise Apps > Freshworks > Single Sign-On > Box2. Ensure that the variable used as the source for the NameID claim contains an email address in the guest user's profile. To verify that the correct values are being sent as the NameID, you can use a SAML Tracer browser extension.

    Reply


    Most helpful members this week

    Terms of UsePrivacy Notice