Symptoms
Followed: http://help.k2.com/kb001636
Designer Authenticates fine
Runtime throws the error below:
Sorry, but we’re having trouble signing you in.
We received a bad request.
Additional technical information:
Correlation ID: b0920ce9-ef19-42e6-9fa0-5a5sdfsdfad4e
Timestamp: 2015-06-11 19:10:12Z
AADSTS70001: Application with identifier https://denallix/Runtime/ was not found in the directory 79762414-1af0-4210-8461-ebee9086446b
Azure AD SMOs created successfully
Diagnoses
In analysing the configuration, we found that multi-tenant support was not enabled in Azure AD. We began troubleshooting by attempting to enable this feature.
In Azure AD, multi-tenant support can only be enabled for a verified domain. Verification entails adding the domain on the "Domains" page of Azure AD. The domain must end in a valid domain extension (.net/.com), and we must be able to add an MX or TXT record with a value specified by Azure AD, which Azure presumably checks once DNS has propagated.
Resolution
In this case, this verification was not possible. In a normal configuration, we would set the hostname appropriately and add the DNS record; once verification was complete, we could enable multi-tenant support and then proceed with the documented manual configuration. As this was not possible, Labs provided an alternate configuration that uses three separate applications: one each for Designer, Runtime and Viewflow.
We created three separate applications in Azure AD, one for each site, and made note of the client ID and client secret values for each. The Reply URL values differ from the official documentation and are listed below:
Designer:
https://denallix/designer
https://denallix/identity/token/oauth/2
Runtime:
https://denallix/runtime
https://denallix/identity/token/oauth/2
Viewflow:
https://denallix/viewflow
https://denallix/identity/token/oauth/2
At this point, we configured OAuth resources for each of these sites, using the client ID and client secret values previously recorded. No change to the issuing STS was needed, as the thumbprint is valid for all tokens issued by the AAD STS. Mappings were also unaffected.
Once the resources were configured, we were able to successfully authenticate to all sites.
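The three-application layout only works if each site sends Azure AD its own client ID and a redirect_uri that is registered on that application; a redirect that differs from the registered reply URL, or a client ID Azure AD cannot find in the directory, produces the kind of sign-in failure shown under Symptoms. The script below is an added example, not part of the original article or of K2's product code: it models the three registrations with constructed placeholder client IDs (the reply URLs are the ones listed above) and checks an authorization request from a given site against them.

```python
"""Added example: check a K2 site's OAuth authorization request against the
Azure AD application registered for that site.

Assumptions (constructed for this example): the client IDs below are
placeholders, not values from any real tenant; the reply URLs are the ones
listed in the article for the three-application configuration.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Azure AD v1 "common" authorization endpoint, used here only to build a
# realistic-looking request.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"

# The identity token endpoint is registered as a reply URL on all three apps.
TOKEN_ENDPOINT = "https://denallix/identity/token/oauth/2"

# Constructed registry: one Azure AD application per K2 site.
REGISTERED_APPS = {
    "11111111-1111-1111-1111-111111111111": {
        "site": "Designer",
        "reply_urls": {"https://denallix/designer", TOKEN_ENDPOINT},
    },
    "22222222-2222-2222-2222-222222222222": {
        "site": "Runtime",
        "reply_urls": {"https://denallix/runtime", TOKEN_ENDPOINT},
    },
    "33333333-3333-3333-3333-333333333333": {
        "site": "Viewflow",
        "reply_urls": {"https://denallix/viewflow", TOKEN_ENDPOINT},
    },
}


def build_auth_url(client_id, redirect_uri):
    """Build an authorization-code request like the one a K2 site issues."""
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri})
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def normalize(url):
    """Canonicalise only the parts of a URL that are case-insensitive by
    RFC 3986 (scheme and host). The path is compared exactly, so a
    different case or a trailing slash is treated as a different reply URL,
    the conservative reading of Azure AD's reply URL matching."""
    p = urlsplit(url)
    out = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    if p.query:
        out += "?" + p.query
    return out


def check_auth_request(site, auth_url):
    """Return a list of problems; an empty list means the request from
    `site` matches that site's registered Azure AD application."""
    params = parse_qs(urlsplit(auth_url).query)
    client_id = params.get("client_id", [None])[0]
    redirect_uri = params.get("redirect_uri", [None])[0]
    if not client_id or not redirect_uri:
        return ["request is missing client_id or redirect_uri"]
    app = REGISTERED_APPS.get(client_id)
    if app is None:
        # Azure AD reports an unknown application identifier as AADSTS70001.
        return [f"client_id {client_id} is not registered in this directory "
                "(Azure AD reports this as AADSTS70001)"]
    problems = []
    if app["site"] != site:
        problems.append(f"{site} is using the client_id registered for {app['site']}")
    registered = {normalize(u) for u in app["reply_urls"]}
    if normalize(redirect_uri) not in registered:
        problems.append(f"redirect_uri {redirect_uri} is not a reply URL of the "
                        f"{app['site']} application")
    return problems


if __name__ == "__main__":
    runtime_id = "22222222-2222-2222-2222-222222222222"
    cases = [
        ("Runtime", build_auth_url(runtime_id, "https://denallix/runtime")),
        ("Runtime", build_auth_url(runtime_id, "https://denallix/Runtime/")),
        ("Runtime", build_auth_url("11111111-1111-1111-1111-111111111111", TOKEN_ENDPOINT)),
        ("Viewflow", build_auth_url("99999999-9999-9999-9999-999999999999", TOKEN_ENDPOINT)),
    ]
    for site, url in cases:
        print(site, check_auth_request(site, url) or "OK")
```

The second case shows why the reply URLs are worth checking character by character: `https://denallix/Runtime/` and `https://denallix/runtime` differ only in path case and a trailing slash, yet only the latter is registered. The third case catches a site that was wired to another site's client ID, which the shared token endpoint would otherwise let through.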