This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 77%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Good morning,
I'm trying to get my SAML External Provider via Keycloak (Keycloak is IdP) up and running in govt cloud. I have configured Keycloak as an external provider following these instructions: https://learn.microsoft.com/en-us/entra/external-id/direct-federation
However, no matter what claims I send (or the NameID format I choose), I keep getting -
AADSTS50034: The user account [ENCRYPTED STRING] does not exist in the [tenantID] directory. To sign into this application, the account must be added to the directory.
Yes, the user is added as a guest to the tenant. I've also tried setting the username in Keycloak as the email registered in Azure as guest and the email in Keycloak set to the UPN from Azure - still no dice. What it seems like is happening is the initial handshakes are correct, but, the hand-off from guestconsent/set seems to be sending back garbage.
I have tried several SAML attributes (upn, objectidentifier, nameid, emailaddress) - none seem to really help me get across the finish line. Unchecking Signing Attributes and Signing Docs breaks the handshake, so one of them must be on (which one doesn't seem to affect).
Has anyone experience with setting up KeyCloak as IdP for Azure? Or, alternatively, can someone please confirm what SAML attributes I can set to force the user account to show up plaintext in order to complete the SSO sign-in?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 55.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hello @Ahmed Mujovic,
Thank you for posting your query on Microsoft Q&A.
Based on your issue description, I understand that you are trying to get SAML External Provider via Keycloak (Keycloak is IdP) up and running in govt cloud. You have configured Keycloak as an external provider by following these instructions: https://learn.microsoft.com/en-us/entra/external-id/direct-federation
However, no matter what claims you send (or the NameID format I choose), you keep getting the below mentioned error.
AADSTS50034: The user account [ENCRYPTED STRING] does not exist in the [tenantID] directory. To sign into this application, the account must be added to the directory.
To move forward and further troubleshoot this issue, could you please provide the below mentioned details.
1.Could you please confirm your Microsoft Entra ID tenant type(whether it is Workforce tenant or External tenant).
2.Please note that if your Microsoft Entra ID tenant type is External tenant, then as per the document which you have followed for configuring Keycloak as an External Identity Provider, this feature is currently in preview for external tenants. Please refer to the below Screenshot for your reference.
3.Please confirm if your domain is verified or non-verified domain.
Federation with verified and nonverified domains
You can set up SAML/WS-Fed IdP federation with:
Note:
Currently, redemption order settings aren’t supported in external tenants or across clouds.
4.Please navigate to Microsoft Entra ID -> Users -> Under All users select the affected guest user and click Properties and provide us the screenshot.
I am looking forward to your response.
Hello @Ahmed Mujovic,
Thank you for your response.
Please send us an email on 'azcommunity@microsoft.com' with Sub - "ATTN: sanoopm" and following details in the email body: Link to this thread/post.
We can connect offline and discuss further on this issue.
Hello @Ahmed Mujovic,
We haven’t heard from you on the last response and was just checking back to see if you could please send us an email on 'azcommunity@microsoft.com' with Sub - "ATTN: sanoopm" and following details in the email body: Link to this thread/post.
We can connect offline and discuss further on this issue.
It seems that you are encountering the AADSTS50034 error, which indicates that the user account does not exist in the Azure Active Directory (AAD) directory. Here are some key points to consider when configuring Keycloak as an IdP for Azure:
NameID should be the same as the user's ImmutableID in Azure. The IDPEmail should be the User Principal Name (UPN) of the user in Azure.NameID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistenthttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: This should contain the user's email address.user.localuserprincipalname is being used instead of user.userprincipalname.By ensuring that these configurations are correct, you should be able to resolve the issue with the SAML External Provider setup.
References: