Azure-Samples / ms-identity-java-desktop

A desktop application in Java calling Microsoft Graph API
MIT License

Sample doesn't work with Hybrid Identity with Federated Authentication #22

Closed ghost closed 2 years ago

ghost commented 2 years ago

[ForkJoinPool.commonPool-worker-3] INFO com.microsoft.aad.msal4j.HttpHelper - [Correlation ID: null] Sent (null) Correlation Id is not same as received (null).
[ForkJoinPool.commonPool-worker-3] ERROR com.microsoft.aad.msal4j.PublicClientApplication - [Correlation ID: ] Execution of class com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier failed.
com.microsoft.aad.msal4j.MsalServiceException: WsTrust endpoint not found in metadata document

Avery-Dunn commented 2 years ago

Hello @makushima: Just to be clear, are you having this error in the username/password sample or the integrated windows auth (IWA) sample?

IWA is meant for federated users, so it definitely should work with hybrid identities, using your Active Directory credentials. I believe that username/password also works for hybrid users, though I think you need to use their Azure AD credentials (likely has an email ending with '.onmicrosoft.com') when using that flow.

ghost commented 2 years ago

No, I am trying username/password, not IWA. And I used a custom domain suffix. I will try onmicrosoft.com

ghost commented 2 years ago

Still doesn't work. It looks like the AD FS server does not understand the requests?

Avery-Dunn commented 2 years ago

Just to confirm, the 'onmicrosoft.com' user and the registered app are in the same tenant? And that tenant also has your Azure AD instance?

I've seen that 'WS-Trust' error occur when there's some mismatch between the tenant where the user was created (and has their Azure AD info) and the tenant where the app is registered. Unfortunately the backend server doesn't give us a lot of specific info about what went wrong when it sends us a response that doesn't have that WS-Trust info, so it's hard to know the exact issue here.
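An added diagnostic, not code from the sample or from anyone in this thread, that reproduces the first step MSAL takes before the WS-Trust error can occur: it asks the user-realm endpoint whether a UPN's domain is Managed or Federated and where the federation (MEX) metadata lives, then applies a coarse check for a WS-Trust username endpoint in that metadata. The realm endpoint path, the response field names and the WS-Trust action URIs are my understanding of what MSAL queries, not something stated on this page; the sample responses are constructed.

```python
import json
import urllib.request
from urllib.parse import quote

# Assumed path of the home-realm discovery endpoint MSAL calls (not from the page)
REALM_URL = "https://login.microsoftonline.com/common/userrealm/{upn}?api-version=1.0"
WSTRUST_ISSUE_ACTIONS = (
    "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue",  # WS-Trust 1.3
    "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue",       # WS-Trust 2005
)

def classify_realm(realm: dict) -> dict:
    """Summarise a user-realm response: managed vs federated, and where MSAL
    would look for the WS-Trust (MEX) metadata. Field names are assumed."""
    kind = realm.get("account_type", "Unknown")
    result = {"account_type": kind, "domain": realm.get("domain_name"),
              "mex_url": realm.get("federation_metadata_url"),
              "protocol": realm.get("federation_protocol")}
    if kind == "Federated" and not result["mex_url"]:
        result["note"] = "federated realm without federation_metadata_url: no WS-Trust endpoint to find"
    return result

def mex_has_wstrust_username_endpoint(mex_xml: str) -> bool:
    """Coarse check, not MSAL's exact MEX parser: the metadata must advertise a
    WS-Trust 1.3 or 2005 Issue action and a UsernameToken policy."""
    has_action = any(action in mex_xml for action in WSTRUST_ISSUE_ACTIONS)
    return has_action and "UsernameToken" in mex_xml

def fetch_realm(upn: str) -> dict:
    """Live lookup for a real UPN (needs network); realm JSON is returned as a dict."""
    with urllib.request.urlopen(REALM_URL.format(upn=quote(upn)), timeout=10) as resp:
        return json.load(resp)

# Constructed sample responses and metadata fragments (not captured from any real tenant)
SAMPLE_MANAGED = {"ver": "1.0", "account_type": "Managed", "domain_name": "contoso.onmicrosoft.com"}
SAMPLE_FEDERATED = {"ver": "1.0", "account_type": "Federated", "domain_name": "contoso.example",
                    "federation_protocol": "WSTrust",
                    "federation_metadata_url": "https://adfs.contoso.example/adfs/services/trust/mex"}
SAMPLE_MEX_OK = ('<wsdl:definitions><wsp:Policy><sp:UsernameToken/></wsp:Policy>'
                 '<soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/>'
                 '</wsdl:definitions>')
SAMPLE_MEX_NO_USERNAME = ('<wsdl:definitions><soap:operation soapAction='
                          '"http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue"/></wsdl:definitions>')

if __name__ == "__main__":
    import sys
    realm = fetch_realm(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FEDERATED
    print(json.dumps(classify_realm(realm), indent=2))
```

Run it with the failing UPN as the first argument; a Managed result for a custom-domain user, or a Federated result whose MEX document fails the check, narrows the mismatch down before touching AD FS.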

ghost commented 2 years ago

Yes, user and app registration are in the same tenant. I suspect there are some controls on the AD FS server which prevent authentication. A test app with a different flow also doesn't work...