In most environments, users sign in with their UPN (User Principal Name). In some environments, however, corporate policy or the dependencies of on-premises line-of-business applications mean that users sign in with some other identifier.
For example, users may sign in with their email address, which can differ from their UPN. This is particularly common where the UPN suffix is non-routable. Consider a user Jane Doe with UPN jd...@contoso.local and email address jd...@contoso.com. Jane might not even be aware of her UPN, because she has always signed in with her email address. Use of any identifier other than the UPN for sign-in constitutes an alternate ID. For more information on how the UPN is created, see Microsoft Entra UserPrincipalName population.
Active Directory Federation Services (AD FS) lets users sign in to federated applications with an alternate ID, so administrators can specify an alternative to the default UPN for sign-in. AD FS already supports any form of user identifier that Active Directory Domain Services (AD DS) accepts. When configured for alternate ID, AD FS allows users to sign in with the configured alternate ID value, such as their email address. Using an alternate ID lets you adopt SaaS providers such as Office 365 without modifying your on-premises UPNs, and lets you support line-of-business applications with consumer-provisioned identities.
When you provide Microsoft Entra Connect with the details of your AD FS environment, it automatically checks that the required update (KB) is present on your AD FS servers and configures AD FS for alternate ID, including all of the claim rules that the Microsoft Entra federation trust needs. No step outside the wizard is required to configure alternate ID.
Update the AD FS configuration by running the following PowerShell cmdlet on any federation server in your farm (in a WID farm, you must run it on the primary AD FS server):
In the following example, you enable alternate login ID so that users with accounts in the contoso.com and fabrikam.com forests can sign in to AD FS-enabled applications with their "mail" attribute.
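As an added example (this is illustrative code, not the page's own command), the AD FS cmdlet that sets the alternate login ID attribute and the lookup forests on the built-in Active Directory claims provider trust, followed by a verification step. "AD AUTHORITY" is the identifier of that claims provider trust; the forest names are the example values used in the text.

```powershell
# Added example: enable alternate login ID on the Active Directory claims provider trust
# ("AD AUTHORITY") so users in the contoso.com and fabrikam.com forests can sign in with
# their "mail" attribute. In a WID farm, run this on the primary AD FS server.
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" `
    -AlternateLoginID mail `
    -LookupForests contoso.com, fabrikam.com

# Verify: both AlternateLoginID and LookupForests should now be populated.
Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY" |
    Select-Object Name, AlternateLoginID, LookupForests

# To turn the feature off again, clear both values:
# Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID $null -LookupForests $null
```

Both parameters must be set together: the attribute names what AD FS matches the typed identifier against, and the forest list names where it searches (via a global catalog in each forest).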
Windows 10 version 1709 and later updated the authentication logic to handle the alternate ID scenario. To use the new logic, client machines must be running Windows 10 version 1709 or later.
Office applications rely on information pushed by the directory administrator to identify an alternate ID environment. The following registry keys must be configured so that Office applications can authenticate the user with the alternate ID without showing extra prompts.
When enabled, the alternate login ID feature is available only for username/password authentication, across all the username/password authentication protocols that AD FS supports (SAML-P, WS-Fed, WS-Trust, and OAuth).
When Windows Integrated Authentication (WIA) is performed (for example, when a user accesses a corporate application from a domain-joined machine on the intranet and the AD FS administrator has configured the intranet authentication policy to use WIA), the UPN is used for authentication. If you have configured claim rules on relying parties for the alternate login ID feature, make sure those rules are still valid in the WIA case.
When enabled, the alternate login ID feature requires at least one global catalog server to be reachable from the AD FS server for each user account forest that AD FS supports. If AD FS cannot reach a global catalog server in the user account forest, it falls back to the UPN. By default, domain controllers are promoted as global catalog servers, but verify this for each lookup forest.
When the alternate login ID feature is enabled, AD FS first tries to authenticate the user by alternate login ID, and falls back to the UPN only if it finds no account identified by the alternate login ID. If you want to continue supporting UPN sign-in, make sure there are no clashes between alternate login IDs and UPNs. For example, if user A's mail attribute is set to user B's UPN, the lookup matches user A first and user B can no longer sign in with their UPN.
If one of the forests configured by the administrator is down, AD FS continues to look up the user account by alternate login ID in the other configured forests. If AD FS finds exactly one user object across the forests it has searched, the user signs in successfully.
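The three conditions above (a reachable global catalog per forest, a unique match for the alternate ID across forests, and no alternate ID that equals another account's UPN) can be checked before the feature is switched on. The following pre-flight script is an added example, not part of the page; it assumes the RSAT ActiveDirectory module and read access to each forest, and uses the text's example forest names.

```powershell
# Added pre-flight check (example code, not from the page). Assumes the RSAT ActiveDirectory
# module; contoso.com and fabrikam.com are the example lookup forests from the text.
Import-Module ActiveDirectory

$lookupForests = @('contoso.com', 'fabrikam.com')

$users = foreach ($forest in $lookupForests) {
    # AD FS resolves the alternate ID through a global catalog, so discover one per forest
    # and query it on the GC port (3268) to cover the whole forest in one search.
    try {
        $gc = Get-ADDomainController -DomainName $forest -Discover -Service GlobalCatalog -ErrorAction Stop
    } catch {
        Write-Warning "No global catalog reachable for $forest; AD FS would fall back to UPN for this forest."
        continue
    }
    Get-ADUser -Filter 'mail -like "*"' -Properties mail, userPrincipalName -Server "$($gc.HostName):3268" |
        Select-Object DistinguishedName, UserPrincipalName,
                      @{ Name = 'Mail';   Expression = { $_.mail.ToLower() } },
                      @{ Name = 'Forest'; Expression = { $forest } }
}

# 1. A mail value held by more than one object cannot be resolved to a unique account.
$duplicateMail = $users | Group-Object Mail | Where-Object Count -gt 1 |
    Select-Object @{ Name = 'Mail'; Expression = { $_.Name } }, Count

# 2. Index accounts by UPN, then find mail values that equal a *different* account's UPN.
#    AD FS matches the alternate ID first, so that other account loses UPN sign-in.
$byUpn = @{}
foreach ($u in $users) {
    if ($u.UserPrincipalName) { $byUpn[$u.UserPrincipalName.ToLower()] = $u }
}
$shadowedUpns = foreach ($u in $users) {
    $owner = $byUpn[$u.Mail]
    if ($owner -and $owner.DistinguishedName -ne $u.DistinguishedName) {
        [pscustomobject]@{
            Mail             = $u.Mail
            MailOwner        = $u.DistinguishedName
            ShadowedUpnOwner = $owner.DistinguishedName
        }
    }
}

"Accounts with a mail attribute: $(@($users).Count)"
"Duplicate mail values (alternate ID not unique): $(@($duplicateMail).Count)"
$duplicateMail | Format-Table -AutoSize
"Mail values equal to another account's UPN (UPN sign-in would be blocked): $(@($shadowedUpns).Count)"
$shadowedUpns | Format-Table -AutoSize
```

An account whose own mail equals its own UPN is not reported, since the same object satisfies both lookups; only cross-account collisions matter. Run it again after any bulk change to the mail attribute, because a clash introduced later silently locks the affected user out of UPN sign-in.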
You may additionally want to customize the AD FS sign-in page to give end users a hint about the alternate login ID. You can do this either by adding a customized sign-in page description (for more information, see Customizing the AD FS Sign-in Pages) or by customizing the "Sign in with organizational account" string above the username field (for more information, see Advanced Customization of AD FS Sign-in Pages).
² A managed identity infrastructure environment is one in which Microsoft Entra ID is the identity provider, deployed with either password hash sync (PHS) or pass-through authentication (PTA).
I am clear on the 2-device limit for basic accounts. I am also clear that the web now counts as a device. In working with a demo account (that is at the basic level) today that I use in order to train people on how to better use Evernote, I ran across an issue that I believe is a bug in how the device limitation is enforced and has resulted in me being locked out of the basic account altogether. I can see how this would infuriate users.
I saw the warnings about a limit of 2 times (although I don't think they are clear... despite reading them, I was certain I had one more device unsync/switch left this month). However, my real issue is that when I reached the capacity limit by trying to log into the web (while still logged into desktop), Evernote has now signed me out on both desktop and the web, and won't let me back in to either.
I'm hoping it is a bug and someone can help me to re-access this account w/o having to pay. Happy to wait till the next month to once again change devices, but until then, I should still be able to access my account on 2 devices...right?
And, to clarify, I am also logged into this account on my Windows machine (which I'm sure Evernote sees as one of my devices). However, I still don't understand why I can't still get into this account using the Mac desktop (which I was logged into before trying to switch devices to the web). Frustrating for sure...
It appears that when they do this, they are blocking access on ALL devices (it logged me out of every device that it says I was logged into). And, it wouldn't let me log in, nor gave me directions on how to access my device management list.
I have accidentally removed a device from my EverNote account that I didn't mean to. And I cannot log in from that device any more. Every time I get an "error log in" message when trying to log in to EverNote from that device.
EN as a company does not live from inhaling thin air - IMHO they are doing it right to review the setup of the plans from time to time. Free under the old rules was very open (no rules on how many unsyncs were allowed for example), and not enforced. They changed that.
It is another question whether the account access must be linked to the login into the web client, or handled separately. My impression is that it is actually handled separately now, but not in a transparent manner.
Same issue: my wife has a free account and had her iPhone and iPad connected. We tried to use the web, and told it to disconnect the iPad (which she almost never uses). That's one. Then we went back to the iPhone, and it claimed there were too many devices. Same choices, so we again told it to disconnect the iPad -- which should have already been disconnected. Now she can't log in anywhere, and is told she's already used up her 2 chances to disconnect a device.
P.S. Though the compare plans page advertises the $70/year plan as "Keep home and family on track", it's really just for individuals (unless they think we're sharing a login/password). A true Family Plan would likely have kept us out of this mess.
Oh Thank you @Stacey Harmon!! You're a life saver! I was locked out of all devices as well but your link helped me. I can confirm this must be a bug in their coding. I was fine with only 2 devices but popping open a 3rd device shouldn't block me from the other 2 existing ones but yeah that's what happened. I could not even access on the web.
But I didn't get a valuable service "for nothing"... I paid for 9 years since installing EN in 2013. Of course I don't expect everything for free. My subscription just expired, then I got hit with this bug and locked out of all notes on all devices. Huge price increase, and this was just the last straw. I used to tout the virtues of paid Evernote and sharing, and I had my wife and a friend on paid for a while as well. I've seen it go continually downhill since 2018 - just my opinion, okay, as a paid user no less. So I've seen the value drop, the price increase a lot, and other alternatives pop up that offer what I want for less. I experienced 2 bugs with the unsync limit locking me out, so there is something to fix there.
Evernote did this to me today, but I only use two devices, have only ever used two devices, and I never use the web feature. It's a bug as far as I can tell; they kept kicking me out and making me unsync a device, until I was out of unsyncs and now I'm locked out.
Does anyone have any tips to get my notes back? I'm thinking I'm going to have to subscribe for a month, and move all my notes into some new notes app. I'm not sure though. That monthly price is too high to justify paying for this app.