Custom STS and Azure AD Federation Issue Due to User Provisioning


Requirement: Want to certify our custom STS implementation to federate with Azure Active Directory. Followed steps given in the doc "STS Integration Paper using WS-* Protocols - Federation with Azure Active Directory".

To test the custom STS implementation, I have a desktop Lync 2013 active client (uses Microsoft Online Services Sign-In Assistant), which tries to authenticate the user against custom STS with a federated domain in Azure AD.

Issue: Custom STS sends an RSTR with a SAML 1.1 token in response to Lync's RST. But then the request (RST) from the Lync client to https://login.microsoftonline.com/RST2.srf ends with a fault response: "Provision is needed before federated account can be logged in".

I did follow the suggestions from these forum links 1 & 2, where custom STS sends SAML token with ImmutableID and objectGUID value as "4BNAbdFMKEe5xCw5iY2tYQ==" for the authenticated user.

Note: In Azure AD, the test user is shown as Sourced From "Microsoft Azure Active Directory", and no directory synchronization between Azure AD and the on-prem directory exists.

Am I missing any vital step in the custom STS implementation or in the user creation/configuration? Please suggest your inputs.

Zeigeist:

Found the solution: Since no directory sync exists, I created a new user in Microsoft Azure Active Directory, and having the custom STS send the SAML token with ImmutableID and objectGUID with the value in Base64 solved the issue. So basically follow this link if anyone encounters the same issue.
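The point both the question and the answer turn on is that the ImmutableID the STS puts in the SAML 1.1 token is the Base64 encoding of the 16-byte objectGUID, and Azure AD will only accept the federated sign-in if a user exists whose ImmutableID matches that exact string. The following is an added example, not code from the poster or from Microsoft's STS integration paper: it converts between the GUID and ImmutableID forms, rejects malformed values before a token is issued, and builds the SAML 1.1 attribute statement fragment. The attribute namespace `http://schemas.microsoft.com/LiveID/Federation/2008/05` is the one the paper uses for the UPN and ImmutableID attributes (assumption: verify against your copy), and the UPN `user@federated.example.com` is a constructed value.

```python
import base64
import uuid
import xml.etree.ElementTree as ET

# Attribute namespace used by the STS integration paper for UPN/ImmutableID
# (assumption: confirm against your copy of the paper).
LIVEID_FED_NS = "http://schemas.microsoft.com/LiveID/Federation/2008/05"
SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def immutable_id_from_guid(guid: str) -> str:
    """Encode an objectGUID the way directory sync does: Base64 of the 16
    raw bytes in AD's stored byte order (first three fields little-endian)."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse the encoding; raises ValueError for anything that is not
    strict Base64 decoding to exactly 16 bytes."""
    raw = base64.b64decode(immutable_id, validate=True)  # binascii.Error is a ValueError
    if len(raw) != 16:
        raise ValueError(f"ImmutableID decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def is_valid_immutable_id(value: str) -> bool:
    """True only for a well-formed ImmutableID; a malformed one would never
    match a provisioned user and produces the 'Provision is needed' fault."""
    try:
        guid_from_immutable_id(value)
        return True
    except ValueError:
        return False


def build_attribute_statement(upn: str, immutable_id: str) -> str:
    """Return the <saml:AttributeStatement> fragment carrying UPN and
    ImmutableID, refusing to issue one with a malformed ImmutableID."""
    if not is_valid_immutable_id(immutable_id):
        raise ValueError("refusing to issue a token with a malformed ImmutableID")
    ET.register_namespace("saml", SAML11_NS)
    stmt = ET.Element(f"{{{SAML11_NS}}}AttributeStatement")
    for name, value in (("UPN", upn), ("ImmutableID", immutable_id)):
        attr = ET.SubElement(
            stmt,
            f"{{{SAML11_NS}}}Attribute",
            {"AttributeName": name, "AttributeNamespace": LIVEID_FED_NS},
        )
        ET.SubElement(attr, f"{{{SAML11_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    # The value quoted in the question, decoded back to its GUID form.
    posted = "4BNAbdFMKEe5xCw5iY2tYQ=="
    guid = guid_from_immutable_id(posted)
    print("objectGUID:", guid)
    print("round trip OK:", immutable_id_from_guid(guid) == posted)
    # Constructed UPN for the federated test domain.
    print(build_attribute_statement("user@federated.example.com", posted))
```

When there is no directory sync, nothing sets the ImmutableID on the cloud user for you, so the value the STS emits must be written onto the Azure AD user by hand (with the MSOnline module that is `Set-MsolUser -UserPrincipalName <upn> -ImmutableId <base64>`); `guid_from_immutable_id` is a quick way to confirm that the string you are about to set really is the Base64 of a 16-byte GUID rather than, for example, the GUID's text form.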