When using PingID for Azure AD conditional access, "Guest" users receive an error from PingID: Error occurred during authentication with PingID. Try again.

Published: 12/17/2018

Problem Description:

When using PingID for Azure AD conditional access, "Guest" users receive an error from PingID: "Error occurred during authentication with PingID. Try again", as illustrated in the screenshot below. Users who actually belong to the Azure AD tenant (members) do not receive any error.
A guest user is a user who does not belong to the Azure AD tenant but has been invited into the organization. This is the common Azure AD B2B use case.
[Screenshot: PingID error "Error occurred during authentication with PingID. Try again" shown to a guest user]

Solution:

The reason for this error is that, by default, PingID takes the username from the upn claim in the id_token_hint parameter of the OIDC request that Azure AD sends to PingOne. The id_token_hint issued for a guest user contains no upn claim, so the username PingID derives is null and the authentication fails.

This is an example of the body of an id_token_hint for a guest user:
{
  "aud": "f0fe68cb-82a9-4314-aa35-663701e94142",
  "iss": "https://sts.windows.net/e34b0d96-0f46-4f50-8108-226aeb7ea49e/",
  "iat": 1544198272,
  "nbf": 1544198272,
  "exp": 1544199172,
  "name": "jdoe",
  "oid": "7e672a71-9c06-48cc-a5a7-baab230ce8fa",
  "sub": "Blkzp7ShokhaRCqVcL38WdmhcVReq13ac4PDUms-lT0",
  "tid": "e34b0d96-0f46-4f50-8108-226aeb7ea49e",
  "unique_name": "jdoe@example.com",
  "ver": "1.0"
}

This is an example of the body of an id_token_hint for an 'internal' user in the Azure AD tenant:

{
  "aud": "f0fe68cb-82a9-4314-aa35-663701e94142",
  "iss": "https://sts.windows.net/e34b0d96-0f46-4f50-8108-226aeb7ea49e/",
  "iat": 1544202412,
  "nbf": 1544202412,
  "exp": 1544203312,
  "family_name": "Doe",
  "given_name": "Jane",
  "name": "Jane Doe",
  "oid": "b44fa72c-e772-4e14-a3b1-3cb4a701f219",
  "sub": "QwtzP0m52RbkHh4EukuOuzdWsWuHGeABUYJT0qVV3ok",
  "tid": "e34b0d96-0f46-4f50-8108-226aeb7ea49e",
  "unique_name": "jane@acme.com",
  "upn": "jane@acme.com",
  "ver": "1.0"
}

Notice that unique_name is present in both examples, and for the 'internal' user it matches the upn. PingID can therefore be configured to take the username from unique_name instead of upn, which covers both kinds of user.

Note: Have the Azure AD administrator confirm that unique_name will always match upn in your environment before making the change. The PingID pairing is associated with the username, so if the two claims differ for a user, 'internal' users who have already completed PingID pairing will need to unpair and re-pair after the change. Be aware also that Microsoft's Azure AD token reference describes the v1.0 unique_name claim as a human-readable identifier that is not guaranteed to be unique within a tenant, whereas upn is the user's sign-in name; review the guest accounts in your tenant for any unique_name values that could collide with a member's upn, since two users with the same username would map to the same PingID identity.

You can verify what value is in unique_name by examining the id_token_hint, which Azure AD includes as a parameter in the request to PingOne's authorization endpoint. To view it, reproduce a sign-in that triggers the conditional access policy while tracing the browser traffic with a tool such as SAML Tracer or Fiddler; the screenshot below is taken from SAML Tracer. The id_token_hint is a JSON Web Token (JWT): its middle segment is base64url-encoded JSON, so any JWT decoder will show the body. Decoding only reveals the claims and does not verify the token's signature, so treat it as an inspection aid rather than as evidence that the token is genuine.

[Screenshot: SAML Tracer showing the id_token_hint parameter in the request to the PingOne authorization endpoint]
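The following Python script is an added example for this article (it is not Ping Identity or Microsoft code). It extracts the id_token_hint from a captured authorization request, decodes the JWT body without verifying the signature, and shows which username PingID would derive under the default upn mapping versus the unique_name mapping, reproducing the null username for the guest token. The two tokens are constructed from the claim sets shown above with a dummy header and signature, and the PingOne endpoint hostname (authorization.pingone.example) is a hypothetical placeholder; in practice you would paste the id_token_hint captured in SAML Tracer into decode_claims().

```python
"""Decode the id_token_hint Azure AD sends to PingOne and show which username
PingID would derive from it under the default (upn) and changed (unique_name)
mappings.  Diagnostic helper added to this article; not Ping Identity or
Microsoft code.  The tokens are constructed from the two claim sets in the
article with a dummy header and signature so that everything runs offline.
Nothing here verifies a signature: it inspects a captured request, it does
not trust it."""
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Constructed claim sets, copied from the article's decoded tokens.
GUEST_CLAIMS = {
    "aud": "f0fe68cb-82a9-4314-aa35-663701e94142",
    "iss": "https://sts.windows.net/e34b0d96-0f46-4f50-8108-226aeb7ea49e/",
    "iat": 1544198272, "nbf": 1544198272, "exp": 1544199172,
    "name": "jdoe",
    "oid": "7e672a71-9c06-48cc-a5a7-baab230ce8fa",
    "sub": "Blkzp7ShokhaRCqVcL38WdmhcVReq13ac4PDUms-lT0",
    "tid": "e34b0d96-0f46-4f50-8108-226aeb7ea49e",
    "unique_name": "jdoe@example.com",
    "ver": "1.0",
}
INTERNAL_CLAIMS = {
    "aud": "f0fe68cb-82a9-4314-aa35-663701e94142",
    "iss": "https://sts.windows.net/e34b0d96-0f46-4f50-8108-226aeb7ea49e/",
    "iat": 1544202412, "nbf": 1544202412, "exp": 1544203312,
    "family_name": "Doe", "given_name": "Jane", "name": "Jane Doe",
    "oid": "b44fa72c-e772-4e14-a3b1-3cb4a701f219",
    "sub": "QwtzP0m52RbkHh4EukuOuzdWsWuHGeABUYJT0qVV3ok",
    "tid": "e34b0d96-0f46-4f50-8108-226aeb7ea49e",
    "unique_name": "jane@acme.com",
    "upn": "jane@acme.com",
    "ver": "1.0",
}
# Hypothetical PingOne authorization endpoint; only the id_token_hint matters.
AUTHZ_ENDPOINT = "https://authorization.pingone.example/as/authorization.oauth2"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (test data only)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.dummy-signature"


def sample_request(claims: dict) -> str:
    """Constructed authorization request carrying the hint as a query parameter."""
    return (f"{AUTHZ_ENDPOINT}?response_type=code"
            f"&client_id={claims['aud']}&id_token_hint={make_unsigned_token(claims)}")


def id_token_hint_from_request(url: str) -> str:
    """Pull id_token_hint out of a captured authorization request URL."""
    query = parse_qs(urlsplit(url).query)
    if "id_token_hint" not in query:
        raise ValueError("request carries no id_token_hint parameter")
    return query["id_token_hint"][0]


def decode_claims(token: str) -> dict:
    """Return the JWT body as a dict.  Signature is NOT checked: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def pingid_username(claims: dict, username_claim: str):
    """Mirror the username mapping: the configured claim's value, or None if absent."""
    return claims.get(username_claim) or None


def unique_name_matches_upn(claims: dict):
    """True/False when both claims exist; None when upn is absent (guest user)."""
    if "upn" not in claims or "unique_name" not in claims:
        return None
    return claims["unique_name"] == claims["upn"]


def report(url: str, username_claim: str) -> dict:
    """Summarise what PingID would see for one captured request."""
    claims = decode_claims(id_token_hint_from_request(url))
    username = pingid_username(claims, username_claim)
    return {
        "tid": claims.get("tid"),
        "username_claim": username_claim,
        "username": username,
        "would_fail": username is None,
        "unique_name_matches_upn": unique_name_matches_upn(claims),
    }


if __name__ == "__main__":
    for label, claims in (("guest", GUEST_CLAIMS), ("internal", INTERNAL_CLAIMS)):
        for mapping in ("upn", "unique_name"):
            print(label, report(sample_request(claims), mapping))
```

Run it as-is to see the guest token yield a null username under the upn mapping and a usable one under unique_name. For a real tenant, replace sample_request() with the URL copied from SAML Tracer and run report() over a handful of member and guest sign-ins; any member whose unique_name_matches_upn comes back False is one who will need to re-pair after the change.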

Once you're ready to make the change, log in to the PingOne Web Portal at https://admin.pingone.com and follow these steps:
  1. Click Setup -> PingID.
  2. Click Client Integrations.
  3. Scroll to Integrate with Microsoft Azure AD, and click Edit.
  4. Click Next.
  5. Change the username value to unique_name, and click Next.
  6. Click Done.
  7. Test the scenario with both an 'internal' and a 'guest' user account to confirm that the flow now completes without error for both.
Category: PingID