This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

AADSTS50107: Requested federation realm object 'http:/<Identity Router FQDN>/' does not exist when trying to access the Microsoft Azure portal for RSA SecurID Access

Article Number

000038149

Applies To

RSA Product Set: SecurID Access
RSA Product/Service Type: Cloud
Product Name: Microsoft Office 365
Product Description: WS-federation integration with SecurID Access

Issue

When trying to access the Microsoft Azure portal, the user tries to login and the portal returns the following error:
 
 AADSTS50107: Requested federation realm object 'http://<Identity Router FQDN>/' does not exist.

On the cloud admin user event monitor, the user is authenticated successfully using the password but still not being able to login to Microsoft Azure.

Cause

This issue is usually caused by mismatched configuration from either the Microsoft Azure side or on the application side for the cloud admin.

Resolution

  1. Check the WS-federation configuration on the Azure side through Windows PowerShell by running the command below:
Get-MsolDomainFederationSettings –DomainName $domain | Format-List *
Image descriptionImage description
  1. Compare all the output of the configuration with the configuration of the application on the cloud admin side.
Image descriptionImage description

The difference could be a very minor between the URI on both sides and can be as simple as an extra backslash at the end of the URI.  For example, in the strings below, the first IssuerUri is on the Microsoft side:
IssuerUri                              : http://<Identity Router FQDN>.com
Note the difference with the IssuerUri on the cloud admin side: 
IssuerUri                              : http://<Identity Router FQDN>.com/
  1. Change the URI on either side so that they match each other.
  2. Make sure all other URIs also match on both sides 

Notes

For more information, see the Microsoft Office 365 - WS-Federation SSO Agent Configuration - RSA Ready SecurID Access Implementation Guide.

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 12:41 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.