VMware Horizon Community
coley74
Contributor

True SSO, SAML, MFA, UPN - failed to obtain sid for user

I am setting up SAML with MFA (from Azure) on the UAGs and then True SSO to create the required AD credentials in order to log into Horizon without any further user input.

The issue I face is that in the AAD, the UPN is, for example, frank@mydomain.com

But in the AD, the UPN is frank@something.mydomain.com

After successful SAML & MFA auth, the connection servers fail to log on the user.

The documentation suggests there is a workaround

Identify an AD User That Does not Have an AD UPN

I followed the guide and put in the example, as this looked like it would use sAMAccountName, which in my case is the same ('frank'); however, this didn't make any difference.

Here is a sanitized bit of the log:

[SamlAuthFilter] (SESSION:e694_***_2097) Processing Saml Type-A Assertion

[SamlAuthFilter] (SESSION:e694_***_2097) SAML auth received a valid UPN: frank@mydomain.com

[WinAuthUtils] (SESSION:e694_***_2097) Sending UPN to winauth service: frank@mydomain.com

[ProperoAuthFilter] (SESSION:e694_***_2097) Error performing authentication: Error instantiating PAEContext for frank@mydomain.com: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user - sid not available - ErrorCode = 1

[ProperoAuthFilter] (SESSION:e694_***_2097) Error performing authentication com.vmware.vdi.logger.Logger.debug(Logger.java:44)

com.vmware.vdi.broker.filters.FatalAuthException: Error instantiating PAEContext for frank@mydomain.com: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user - sid not available - ErrorCode = 1

Can anybody suggest if what I'd like to do is feasible, and if possible offer some suggestions on the pae-LDAPURLList filter from the documentation.

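Added illustration (not VMware's code and not a model of how the Connection Server or pae-LDAPURLList is implemented): a small Python sketch of the two lookups the logs above imply. Matching the asserted UPN frank@mydomain.com against an AD whose UPN is frank@something.mydomain.com finds nothing, which is the "sid not available" outcome; matching on the local part against sAMAccountName does find the account. The directory entries, SID values and the `trusted_suffixes` allow-list are constructed assumptions. The filter builder applies RFC 4515 escaping, since the value comes from an IdP-asserted attribute, and the fallback only accepts UPN suffixes you explicitly trust, because sAMAccountName matching discards the domain part of the UPN.

```python
"""Model of UPN-vs-sAMAccountName resolution for a SAML-asserted UPN.

Constructed sample data only; this is not how Horizon performs the lookup,
it only reproduces the mismatch described in the thread.
"""
from typing import Iterable, List, Optional, Tuple

# Constructed sample AD entries (placeholder SIDs, not real data).
SAMPLE_AD: List[dict] = [
    {
        "userPrincipalName": "frank@something.mydomain.com",
        "sAMAccountName": "frank",
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    },
    {
        "userPrincipalName": "alice@something.mydomain.com",
        "sAMAccountName": "alice",
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1106",
    },
]


def escape_ldap_filter_value(value: str) -> str:
    """RFC 4515 escaping so an IdP-supplied value cannot change filter structure."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_samaccountname_filter(upn: str) -> str:
    """Filter that looks the user up by the local part of the UPN (assumed shape)."""
    local_part = upn.partition("@")[0]
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_ldap_filter_value(local_part)


def find_by_upn(directory: Iterable[dict], upn: str) -> Optional[str]:
    """Exact (case-insensitive) userPrincipalName match; returns objectSid or None."""
    wanted = upn.lower()
    for entry in directory:
        if entry["userPrincipalName"].lower() == wanted:
            return entry["objectSid"]
    return None


def find_by_samaccountname(directory: Iterable[dict], account: str) -> Optional[str]:
    """sAMAccountName match; the UPN domain part is not consulted here."""
    wanted = account.lower()
    for entry in directory:
        if entry["sAMAccountName"].lower() == wanted:
            return entry["objectSid"]
    return None


def resolve_sid(
    directory: Iterable[dict],
    upn: str,
    trusted_suffixes: Iterable[str] = (),
    use_fallback: bool = True,
) -> Tuple[Optional[str], str]:
    """Return (objectSid, method) or (None, "sid not available").

    First tries the UPN as asserted. If that fails and the fallback is enabled,
    accepts an sAMAccountName match only when the asserted UPN suffix is in
    trusted_suffixes, so a foreign suffix cannot be mapped onto a local account.
    """
    sid = find_by_upn(directory, upn)
    if sid is not None:
        return sid, "userPrincipalName"
    if not use_fallback:
        return None, "sid not available"
    local_part, _, domain = upn.partition("@")
    if domain.lower() not in {s.lower() for s in trusted_suffixes}:
        return None, "sid not available"
    sid = find_by_samaccountname(directory, local_part)
    if sid is not None:
        return sid, "sAMAccountName"
    return None, "sid not available"


if __name__ == "__main__":
    for candidate in ("frank@mydomain.com", "frank@something.mydomain.com"):
        print(candidate, "->", resolve_sid(SAMPLE_AD, candidate, trusted_suffixes=("mydomain.com",)))
    print(build_samaccountname_filter("fr*ank@mydomain.com"))
```

Running it shows the asserted UPN failing by userPrincipalName and succeeding only through the sAMAccountName path, which is the behaviour the workaround in the documentation is meant to provide; the suffix allow-list is the check to keep in mind when enabling such a fallback.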
2 Replies
DobbsActual
Contributor

Did you ever find a solution to this issue? We're running into the same errors, but under a slightly different scenario. SAML is coming in via WS1 Access with UAGs in passthrough, but the authentication fails and the logs show the exact same errors you shared in your message.

We're set up to use True SSO, but since the Connection Server can't obtain/resolve a SID, the True SSO flow isn't even able to start.

axfere
Contributor

Hi,

Have you ever fixed the issue?

AxFere
