Solved

Microsoft Azure SSO - Can a guest account access Fresh apps via SSO?

3 years ago
January 12, 2022
7 replies
1263 views

smurfjoe
Apprentice

I’m having trouble getting Azure guest accounts get signed into my Fresh apps (Freshservice, Freshmarketer, Org Site). Normal Azure users are able to use the SSO login but guest accounts are getting SAML errors and “ <USER> cannot be logged in as this user is not part of this organization”.

I came across another post that said the guest account needs to have Freshservice account as well. I confirmed my guest user has a Freshservice requestor account.

Any ideas to resolve this would be appreciated. Thanks!

Best answer by viswanatha.mehta

Hi @smurfjoe

Azure Guest Users will be able to authenticate themselves via SAML SSO.

SAML SSO handshakes send a NameID that Freshservice uses to identify the User. Freshservice expects an email address as the incoming NameID.

This NameID claim can be found under Azure Enterprise Apps > Freshworks > Single Sign on > Box2

Ensure that the variable used as the source for the NameID claim has an email address in the Guest User’s profile.

You can verify if the expected values are sent over as the NameID using a SAML Tracer browser extension.

Reach out to us at support@freshservice.com if you need any assistance in this process.

View original

Did this topic help you find an answer to your question?

viswanatha.mehta
Community Debut
28 replies
Answer
3 years ago
January 19, 2022

Hi @smurfjoe

Azure Guest Users will be able to authenticate themselves via SAML SSO.

SAML SSO handshakes send a NameID that Freshservice uses to identify the User. Freshservice expects an email address as the incoming NameID.

This NameID claim can be found under Azure Enterprise Apps > Freshworks > Single Sign on > Box2

Cheers, Vish | Delight Made Easy

brad.dunn
Community Debut
2 replies
3 years ago
January 19, 2022

Yes you can. Our guests need to use a lightly different username. For this, its their <emailaddress> #EXT#@<MicrosoftTenantName>.

e.g. brad.dunn_test.com#EXT#@test.onmicrosoft.com

Have a look at the guest in Azure AD and go from there.

HVH
Skilled Expert
6 replies
2 years ago
June 24, 2022

@brad.dunn where you able to register that emailadres for the requester in fresh.

Within FreshService it is not possible because the mailadress is not valid according to fresh.

HVH
Skilled Expert
6 replies
2 years ago
July 4, 2022

Question to @freshsupport

Our Our AAD UPN is build by default like this:

Why isn't it possible to implement this adress in the Requesters field for Mail?

I can't find any documentation about the allowed Characters in the field for Email.

By experimenting I have found the following characters are not allowed, are these the only ones:

{ }
# #
[ ]
“ “

DJL
Top Contributor
9 replies
9 months ago
June 17, 2024

Did this get get fixed or was a workaround found?

HVH
Skilled Expert
6 replies
8 months ago
June 20, 2024

We changed the app claim, and login trough SSO functions works for our Guest Accounts!

Samantha555
1 reply
6 months ago
August 22, 2024

SAML SSO handshakes send a NameID that Freshservice uses to identify the user, and it expects this NameID to be an email address. You can find the NameID claim under Azure Enterprise Apps > Freshworks > Single Sign-On > Box2. Ensure that the variable used as the source for the NameID claim contains an email address in the guest user's profile. To verify that the correct values are being sent as the NameID, you can use a SAML Tracer browser extension.

Reply

Rich Text Editor, editor1

Reply

Related topics

Some things I have learned using the Fresh PowerShell Automation App

Correct Process to migrate from Basic Auth to OATH2icon

How do I mass-import contacts from ActiveDirectory?icon

Azure AD Orch - cloud vs on-prem group filteringicon

Freshservice SSO - Is my Azure Integration tied to my user account?icon

Most helpful members this week

Join the Community

Social Sign Up

Sign in to the Community

Social Login

Scanning file for viruses.

This file cannot be downloaded