
I’m having trouble getting Azure guest accounts signed into my Fresh apps (Freshservice, Freshmarketer, Org Site).  Normal Azure users are able to use the SSO login, but guest accounts are getting SAML errors and “<USER> cannot be logged in as this user is not part of this organization”.


I came across another post that said the guest account needs to have a Freshservice account as well.  I confirmed my guest user has a Freshservice requester account.


Any ideas to resolve this would be appreciated.  Thanks!

Hi @smurfjoe 

Azure Guest Users will be able to authenticate themselves via SAML SSO.


SAML SSO handshakes send a NameID that Freshservice uses to identify the user. Freshservice expects an email address as the incoming NameID.

This NameID claim can be found under Azure Enterprise Apps > Freshworks > Single Sign-On > Box2.


Ensure that the variable used as the source for the NameID claim has an email address in the Guest User’s profile. 

You can verify if the expected values are sent over as the NameID using a SAML Tracer browser extension. 

Reach out to us at support@freshservice.com if you need any assistance in this process. 



Yes, you can. Our guests need to use a slightly different username. For this, it's their <emailaddress>#EXT#@<MicrosoftTenantName>.


e.g. brad.dunn_test.com#EXT#@test.onmicrosoft.com


Have a look at the guest in Azure AD and go from there.


@brad.dunn were you able to register that email address for the requester in Fresh?

Within Freshservice it is not possible, because the mail address is not valid according to Fresh.



Question to @freshsupport 

Our AAD UPN is built by default like this:

<emailaddress> #EXT#@<MicrosoftTenantName>

Why isn't it possible to enter this address in the requester's Email field?

I can't find any documentation about the allowed characters in the Email field.

By experimenting I have found that the following characters are not allowed; are these the only ones?

  1. { }
  2. # #
  3. i ]
  4. “ “

Did this get fixed, or was a workaround found?


We changed the app claim, and login through SSO now works for our guest accounts!


SAML SSO handshakes send a NameID that Freshservice uses to identify the user, and it expects this NameID to be an email address. You can find the NameID claim under Azure Enterprise Apps > Freshworks > Single Sign-On > Box2. Ensure that the variable used as the source for the NameID claim contains an email address in the guest user's profile. To verify that the correct values are being sent as the NameID, you can use a SAML Tracer browser extension.
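The two support replies above both come down to one check: look at the NameID the SAML Response actually carries and confirm it is an e-mail address rather than the guest UPN. The script below is an added illustration of that check, written for this thread; it is not code from Freshworks or from anyone posting here. It parses a constructed, unsigned SAML Response (real responses from Azure AD are signed and carry many more elements), extracts the NameID, flags the `local_domain.tld#EXT#@tenant.onmicrosoft.com` guest form, and recovers the guest's original address by reversing Azure's `@` to `_` substitution. The e-mail pattern deliberately rejects `#`, matching the observation in this thread that Freshservice does not accept that character in the requester's Email field. Function names, the sample XML and the `EMAIL_RE` pattern are all assumptions made for the example.

```python
"""Check which value an Azure AD SAML Response sends as NameID.

Added example for this thread (not Freshworks code). The SAML
Responses below are constructed, unsigned samples.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Loose e-mail shape for this check: one '@', no whitespace, no '#'.
# '#' is excluded on purpose: the guest UPN form contains '#EXT#', and
# the thread reports Freshservice rejects '#' in the requester e-mail.
EMAIL_RE = re.compile(r"^[^@\s#]+@[^@\s#]+\.[^@\s#]+$")

# Minimal SAML Response skeleton (constructed; no Signature/Conditions).
RESPONSE_TEMPLATE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Subject>
      <saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def make_response(name_id: str) -> str:
    """Build a constructed SAML Response carrying the given NameID."""
    return RESPONSE_TEMPLATE.format(name_id=name_id)


def extract_name_id(saml_response_xml: str) -> str:
    """Return the text of the first Subject/NameID in a SAML 2.0 Response."""
    root = ET.fromstring(saml_response_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("no NameID in assertion")
    return node.text.strip()


def is_guest_upn(value: str) -> bool:
    """True for the Azure AD B2B guest UPN form '...#EXT#@<tenant>'."""
    return "#EXT#@" in value


def guest_upn_to_email(upn: str) -> str:
    """Reverse Azure's guest UPN mangling.

    'brad.dunn_test.com#EXT#@test.onmicrosoft.com' -> 'brad.dunn@test.com'.
    Assumption: the part before '#EXT#' is the original address with its
    '@' replaced by '_'; domains cannot contain '_', so the last '_' is it.
    """
    if not is_guest_upn(upn):
        raise ValueError("not a guest UPN")
    mangled = upn.split("#EXT#@", 1)[0]
    local, sep, domain = mangled.rpartition("_")
    if not sep or not local or not domain:
        raise ValueError("cannot recover e-mail from UPN")
    return f"{local}@{domain}"


def diagnose(saml_response_xml: str) -> dict:
    """Classify the NameID the IdP sent and suggest the claim-source fix."""
    name_id = extract_name_id(saml_response_xml)
    result = {
        "name_id": name_id,
        "is_email": bool(EMAIL_RE.match(name_id)),
        "suggested_email": None,
    }
    if result["is_email"]:
        result["verdict"] = "ok: NameID is an e-mail address"
    elif is_guest_upn(name_id):
        result["suggested_email"] = guest_upn_to_email(name_id)
        result["verdict"] = ("guest UPN sent as NameID; point the NameID "
                             "claim source at the mail attribute instead")
    else:
        result["verdict"] = "NameID is not an e-mail address"
    return result


if __name__ == "__main__":
    # Constructed samples: the UPN-as-NameID case that fails in Freshservice,
    # and the mail-attribute case that works.
    for nid in ("brad.dunn_test.com#EXT#@test.onmicrosoft.com", "brad.dunn@test.com"):
        print(diagnose(make_response(nid)))
```

To use this on a real login, copy the decoded SAML Response out of the SAML tracer extension mentioned above and pass it to `diagnose()`; if the verdict reports a guest UPN, the fix is on the Azure side (the NameID claim source), not in Freshservice.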

