Azure AD Guest User Error on K2 Five: Claim mapping configuration cannot be found for this claim

Issue

Guest Users in Azure Active Directory receive the following error when logging in to K2 sites via AAD:

Error Code

Claim mapping configuration cannot be found for this claim. Claim information: Name='', Issuer='https://sts.windows.net/{Your Azure AD Tenant ID}/', Original Issuer='https://sts.windows.net/{Your Azure AD Tenant ID}/'. Please ensure that you have configured the K2 server as specified in K2 Help: Installation and Configuration > Configuration > SharePoint > Claims-based Authentication

Resolution

Add a new claim for the AAD label by following the steps below:

1. Open the K2 Management Site and expand Authentication > Claims > Claims.
2. Click New on the Security Label view.
3. Select your Azure Active Directory label from the Security Label dropdown. 
4. Select your Azure Active Directory Issuer from the dropdown.
5. Check the Claim Type info box.
6. Leave the Name Identity Issuer text box empty.
7. Enter the User Token Identifier: i:0#.f|membership.
8. Enter the Group Token Identifier: c:0-.f|rolemanager.
9. For the Identity Provider > Original Issuer text box enter the Original Issuer value for AAD: https://sts.windows.net/{YourTenantID}/
10. For the Identity Provider > Claim Type text box enter http://schemas.microsoft.com/identity/claims/tenantid
11. For the Identity Provider > Claim Value text box enter your Tenant ID for AAD
12. For the Identity > Original Issuer text box enter the Original Issuer value for AAD: https://sts.windows.net/{YourTenantID}/
13. For the Identity > Claim Type text box enter the Claim Type value for AAD: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
14. Click on OK.

Related Links

https://help.nintex.com/en-US/k2five/icg/5.4/default.htm#Configure/SF/MultiAuthAAD.htm