I know this has been covered before, but I am still experiencing problems, problems that are a showstopper for my project )-:
What I am trying to do is the following:
An external user is invited as a guest user in our Azure Active Directory.
This guest user is made a member of an Azure AD group that is a member of the 'Site Visitors' group of a SharePoint site that hosts the widget and where the add-in is installed.
Because it is a testing environment this group also gives access to the site where helpdesk is installed.
The URL where the widget is hosted is published in the user's 'MyApps' portal (Azure AD application proxy).
The user is prompted for login, so there is no SSO, and trying to log in with the right credentials fails.
Helpdesk site:
https://contosocom.sharepoint.com/sites/ICTSandbox/Erik/Helpdesk
Widget URL:
https://contosocom.sharepoint.com/sites/ICTSandbox/Erik/HelpDeskWidget
The widget app is installed and trusted at the https://contosocom.sharepoint.com/sites/ICTSandbox//HelpDeskWidget level.
This site has separate permissions. The group the user belongs to has access.
Security is set on the level of https://contosocom.sharepoint.com/sites/ICTSandbox
The guest account can access this site.
The guest account can even access the ICTSandbox/Erik/Helpdesk site and use the helpdesk.
The widget site however keeps prompting for login, even after interacting with the helpdesk site.
When using my own account (set up as agent) it works fine. In the production environment we would set it up like:
https://contosocom.sharepoint.com/HelpDesk
https://contosocom.sharepoint.com/HelpDeskWidget/Widgetpage.aspx
Different sites and different access rights and groups. But I would like to have a proof of concept up and running before doing that.