Attempts to use Single Sign-On ('Sign in with Company Credentials') to access Citrix Files may fail when Microsoft Azure is used as the IdP (identity provider).
Upon closer inspection, you may find errors similar to the following:
AADSTS50105: The signed in user 'email@example.com' is not assigned to a role for the application 'ab12cd34-abcd-1234-0987-abcd43vf56567' (Citrix ShareFile).
This error can occur even though the user is a member of the Active Directory groups that entitle them to the role assignment. The membership is visible in on-premises Active Directory, but you may not be able to find the same group membership in the Azure portal. Instead, the Azure portal may return an error stating 'Microsoft_AAD_IAM'.
Attempts to manually sign in (without using SSO) succeed.
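As an added diagnostic that is not part of this article, the following Microsoft Graph PowerShell script compares the user's group membership as Azure AD sees it with the app role assignments on the Citrix ShareFile service principal, which is the mismatch behind AADSTS50105. It assumes the Microsoft.Graph module, an existing Connect-MgGraph session with directory and application read permissions, and uses the application ID quoted above as a placeholder.

```powershell
# Added diagnostic (not from the Citrix article): does a user hold an app role on the
# Citrix ShareFile service principal in Azure AD, directly or through a group Azure AD knows about?
# Assumes the Microsoft.Graph PowerShell module and an existing Connect-MgGraph session
# with Application.Read.All and Directory.Read.All (or equivalent) permissions.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    # Application (client) ID from the AADSTS50105 message; the default is the article's placeholder value.
    [string] $AppId = 'ab12cd34-abcd-1234-0987-abcd43vf56567'
)

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Users

# Resolve the enterprise application (service principal) by its application ID.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# Users and groups that currently hold an app role on this application.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
$assignedIds = $assignments | ForEach-Object { $_.PrincipalId }

# The user's Azure AD object and the groups Azure AD lists them as a direct member of.
# App role assignments through groups are not evaluated through nested groups, so direct
# membership is what matters. A group that exists on-premises but is absent here is the
# symptom described above.
$user   = Get-MgUser -UserId $UserPrincipalName
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
          Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

$direct   = $assignedIds -contains $user.Id
$viaGroup = @($groups | Where-Object { $assignedIds -contains $_.Id })

[pscustomobject]@{
    User                  = $user.UserPrincipalName
    Application           = $sp.DisplayName
    AssignmentRequired    = $sp.AppRoleAssignmentRequired
    DirectAssignment      = $direct
    AssignedViaGroups     = ($viaGroup | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join ', '
    AzureAdGroupCount     = @($groups).Count
    NoRoleAssignmentFound = (-not $direct) -and ($viaGroup.Count -eq 0)
}
```

If NoRoleAssignmentFound is true while AssignmentRequired is true, the SSO attempt will be rejected with AADSTS50105; compare AzureAdGroupCount and the listed groups against the user's on-premises membership to spot a group that has not synchronised.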