AADSTS50107: Requested federation realm object ‘username@domain.com’ does not exist.

I was recently working on an Office 365 environment with the following characteristics:

  • Federated authentication
  • Multiple top level domains
  • Multiple sub domains

When adding multiple top level domains, you are required to use the SupportMultipleDomain switch when converting the domains to federated. This allows each domain to authenticate to Office 365 successfully.

When adding sub domains, you may find you get the following error when trying to authenticate:

[Screenshot: STSError]

A quick Google search for the error turns up some posts that help solve it:

This was a great starting point. We tried to implement the modified claim rule but unfortunately still had the same error. After a bit more digging, I wanted a way to test this safely without impacting production services a second time, and ended up finding this RegEx editor. Extracting the RegEx from the customised claim rule lets you find the match that will be passed back to Office 365 as the Issuer URI. The item below shows the RegEx extracted from the blog post above.

^((.*)([.|@]))?([^.]*.(com|net|co|org)(.\w\w)?)$

This lets you start matching and modifying the RegEx to ensure the rule will be successful when implemented in production. The screenshots below show some examples of this. Note: sub domains should pass the top level domain as the Issuer URI. This contains a lot more information on multiple domains and sub domains.

Success/Match

Group #4 shows the value that will be passed back to Office 365 based on the RegEx above. If your claim rule is slightly different you should be able to figure out which group is the one that will be used for the claim.

[Screenshots: Example1, Example2, Example5]

Fail/No Match

[Screenshot: Example3]

This lets you start modifying the RegEx until you find a match, meaning that once it is implemented in the claim rule, it will pass the valid Issuer URI to Office 365.

[Screenshots: Example4, Example6]

My particular issue in this case was making the RegEx match both “domain.wa.edu.au” and “sub.domain.edu.au”; it was definitely handy having this in place to test it before implementing in production!
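As an added example (not code from the post, and not Microsoft's claim rule), here is a small Python harness that does offline what the post does with the online RegEx editor: it runs the quoted claim-rule RegEx over a set of constructed UPNs, reports group #4 (the value the post identifies as the Issuer URI), and flags any UPN whose captured domain differs from what it should be, so a candidate RegEx can be checked before it goes near production. The sample UPNs, the expected domains for each, and the http://<domain>/adfs/services/trust/ URI form are assumptions made for the example. With the RegEx exactly as quoted, the author's two edu.au domains produce no match at all, which is the situation the post is debugging.

```python
import re

# The claim-rule RegEx quoted in the post, copied verbatim. Two things are
# easy to miss when reading it: the dots are unescaped, so each "." matches
# any single character, and "[.|@]" is a character class (".", "|" or "@"),
# not an alternation.
CLAIM_RULE_REGEX = r"^((.*)([.|@]))?([^.]*.(com|net|co|org)(.\w\w)?)$"

# Group #4 is the capture the post identifies as the value handed back to
# Office 365 as the Issuer URI.
ISSUER_GROUP = 4

# Constructed test UPNs (assumed, not taken from the post) paired with the
# domain the rule is expected to capture. For a sub domain the expected
# value is the top level domain, as the post's note requires. The last two
# entries use the two domains the author names as the problem case.
CONSTRUCTED_CASES = [
    ("user@domain.com", "domain.com"),
    ("first.last@domain.com", "domain.com"),
    ("user@domain.net", "domain.net"),
    ("user@domain.com.au", "domain.com.au"),
    ("user@sub.domain.co.uk", "domain.co.uk"),
    ("user@domain.wa.edu.au", "domain.wa.edu.au"),
    ("user@sub.domain.edu.au", "domain.edu.au"),
]


def extract_issuer_domain(upn, pattern=CLAIM_RULE_REGEX, group=ISSUER_GROUP):
    """Return the text captured by `group` for `upn`, or None when the
    RegEx does not match the UPN at all."""
    match = re.match(pattern, upn)
    if match is None:
        return None
    return match.group(group)


def issuer_uri(upn, pattern=CLAIM_RULE_REGEX, group=ISSUER_GROUP):
    """Wrap the captured domain in the http://<domain>/adfs/services/trust/
    form used by the standard SupportMultipleDomain rule (assumed format;
    the post only says the match is passed back as the Issuer URI)."""
    domain = extract_issuer_domain(upn, pattern, group)
    if domain is None:
        return None
    return "http://{}/adfs/services/trust/".format(domain)


def check_rule(pattern, cases, group=ISSUER_GROUP):
    """Run a candidate RegEx over (upn, expected_domain) pairs and return a
    list of (upn, expected, actual) tuples for every UPN that does not yield
    the expected Issuer domain. An empty list means the candidate behaves as
    intended on every case and is safe to promote to the claim rule."""
    failures = []
    for upn, expected in cases:
        actual = extract_issuer_domain(upn, pattern, group)
        if actual != expected:
            failures.append((upn, expected, actual))
    return failures


if __name__ == "__main__":
    # Mirror the editor's Success/Match and Fail/No Match view per UPN.
    for upn, expected in CONSTRUCTED_CASES:
        actual = extract_issuer_domain(upn)
        status = "Match" if actual is not None else "No Match"
        print("{:<26} {:<9} group #4 = {!r:<20} expected {!r}".format(
            upn, status, actual, expected))
    for upn, expected, actual in check_rule(CLAIM_RULE_REGEX, CONSTRUCTED_CASES):
        print("FAIL {}: wanted {!r}, got {!r}".format(upn, expected, actual))
```

To try a modified RegEx, pass it as `pattern` to `check_rule` with the same case list; the rule is only ready when the returned list is empty. Keeping the expected domain next to each UPN matters because a candidate can match without capturing the right thing: a sub domain that captures the sub domain instead of the top level domain still shows as a match in the editor but will not send the valid Issuer URI to Office 365.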
