Hello,
I have a CRM2016 SP1 deployment that uses IFD and PingFederate.
I have managed to install the corresponding certificates and configure IFD, but when I connect to CRM, I get redirected to PingFederate. My user is found and validated, and I get as an answer from Ping a valid SAML token (I can only suppose it is valid), where my email and username are to be found.
In the CRM trace, it looks strange to me that the organization is found, but the user SID is missing in the SQL query (exec p_GetCrmUserId 'c2dc245c-65b2-e611-80c6-005056a185b1', 'W:'). This means to me that the SAML token could not be read correctly by CRM (or is in a wrong format).
Did anyone see something like this?
Could anyone give me some ideas what could go wrong here?
Thank you in advance!
CRM Trace:
>MapOrgEngine: Retreived the OrgId[{C2DC245C-65B2-E611-80C6-005056A185B1}] for URL[https://myApp.corp/default.aspx].
[2017-03-14 14:37:14.445] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread: 18 |Category: Shared |User: 00000000-0000-0000-0000-000000000000 |Level: Verbose |ReqId: fa1e4464-e6b4-4328-8493-2d053a31cdee | CrmDbConnection.Open ilOffset = 0x2E
>ConnectionString: Data Source=SqlSrv\INSTPCH4,51436;Initial Catalog=MSCRM_CONFIG;Integrated Security=True;Min Pool Size=2;Connect Timeout=150;Workstation ID=myWStation.w3wp.
[2017-03-14 14:37:14.445] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread: 18 |Category: Platform.Sql |User: 00000000-0000-0000-0000-000000000000 |Level: Verbose |ReqId: fa1e4464-e6b4-4328-8493-2d053a31cdee | CrmDbConnection.InternalExecuteReader ilOffset = 0x1C
>exec p_GetCrmUserId 'c2dc245c-65b2-e611-80c6-005056a185b1', 'W:'
[2017-03-14 14:37:14.461] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread: 18 |Category: Exception |User: 00000000-0000-0000-0000-000000000000 |Level: Error |ReqId: fa1e4464-e6b4-4328-8493-2d053a31cdee | CrmException..ctor ilOffset = 0x9
at CrmException..ctor(String message, Exception innerException, Int32 errorCode, Boolean isFlowControlException, TraceCategory traceCategory) ilOffset = 0x9
at CrmException..ctor(String message, Exception innerException, Int32 errorCode) ilOffset = 0x6
at Exceptions.ThrowIfEmpty(String value, String parameterName) ilOffset = 0x1A
at ClaimsUtility.GetSecurityIdentifier(ClaimsPrincipal principal) ilOffset = 0x23
at ActiveDirectoryUserInformation.MatchExistingUser(ClaimsPrincipal principal, Guid organizationId, String userAuth) ilOffset = 0x2B
at ClaimsIdentityAuthorizationManager.DoRecognizeUser(ClaimsPrincipal principal, Guid organizationId, Guid& userId) ilOffset = 0x68
at ClaimsIdentityAuthorizationManager.CheckAccess(AuthorizationContext context) ilOffset = 0x1A1
at CrmSessionAuthenticationManager.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) ilOffset = 0x17F
at WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) ilOffset = 0x141
at WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) ilOffset = 0x1D
at CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) ilOffset = 0xC0
at SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() ilOffset = 0x5D
at HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) ilOffset = 0x15
at ApplicationStepManager.ResumeSteps(Exception error) ilOffset = 0x10A
at HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData) ilOffset = 0x5C
at HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) ilOffset = 0x16A
at ISAPIRuntime.ProcessRequest(IntPtr ecb, Int32 iWRType) ilOffset = 0x4B
>Crm Exception: Message: Expected non-empty string., ErrorCode: -2147220989, InnerException: System.ArgumentException: Expected non-empty string.
Parameter name: userPrincipalName
[2017-03-14 14:37:14.461] Process: w3wp |Organization:c2dc245c-65b2-e611-80c6-005056a185b1 |Thread: 18 |Category: Platform.Authentication |User: 00000000-0000-0000-0000-000000000000 |Level: Error |ReqId: fa1e4464-e6b4-4328-8493-2d053a31cdee | ClaimsIdentityAuthorizationManager.CheckAccess ilOffset = 0x1A1
>HostName: myApp.corp, UserId: {00000000-0000-0000-0000-000000000000}, Context: ClaimsIdentityAuthorizationManager.CheckAccess(), Exception details: Microsoft.Crm.CrmArgumentException: Expected non-empty string. ---> System.ArgumentException: Expected non-empty string.
Parameter name: userPrincipalName
--- End of inner exception stack trace ---
at Microsoft.Crm.Exceptions.ThrowIfEmpty(String value, String parameterName)
at Microsoft.Crm.Authentication.Claims.ClaimsUtility.GetSecurityIdentifier(ClaimsPrincipal principal)
at Microsoft.Crm.Authentication.ActiveDirectoryUserInformation.MatchExistingUser(ClaimsPrincipal principal, Guid organizationId, String userAuth)
at Microsoft.Crm.Authentication.ClaimsIdentityAuthorizationManager.DoRecognizeUser(ClaimsPrincipal principal, Guid organizationId, Guid& userId)
at Microsoft.Crm.Authentication.ClaimsIdentityAuthorizationManager.CheckAccess(AuthorizationContext context)
[2017-03-14 14:37:14.461] Process: w3wp |Organization:c2dc245c-65b2-e611-80c6-005056a185b1 |Thread: 18 |Category: Platform.Authentication |User: 00000000-0000-0000-0000-000000000000 |Level: Error |ReqId: fa1e4464-e6b4-4328-8493-2d053a31cdee | AuthenticationTelemetryUtilities.LogException ilOffset = 0xAE
>HostName: myApp.corp, UserId: {00000000-0000-0000-0000-000000000000}, Context: InnerException of Microsoft.Crm.CrmArgumentException, ClaimsIdentityAuthorizationManager.CheckAccess(), Exception details: System.ArgumentException: Expected non-empty string.
Parameter name: userPrincipalName
[2017-03-14 14:37:14.461] Process: w3wp |Organization:c2dc245c-65b2-e611-80c6-005056a185b1 |Thread: 18 |Category: Platform.Authentication |User: 00000000-0000-0000-0000-000000000000 |Level: Info |ReqId: fa1e4464-e6b4-4328-8493-2d053a31cdee | CrmAuthorizationUtility.HandleAuthenticationException ilOffset = 0x3B
>AccessDenied. HostName: myApp.corp, UserId: {00000000-0000-0000-0000-000000000000}, Context: CrmAuthorizationUtility.HandleAuthenticationException() failed with Microsoft.Crm.CrmArgumentException: Expected non-empty string. ---> System.ArgumentException: Expected non-empty string.
Parameter name: userPrincipalName
--- End of inner exception stack trace ---
at Microsoft.Crm.Exceptions.ThrowIfEmpty(String value, String parameterName)
at Microsoft.Crm.Authentication.Claims.ClaimsUtility.GetSecurityIdentifier(ClaimsPrincipal principal)
at Microsoft.Crm.Authentication.ActiveDirectoryUserInformation.MatchExistingUser(ClaimsPrincipal principal, Guid organizationId, String userAuth)
at Microsoft.Crm.Authentication.ClaimsIdentityAuthorizationManager.DoRecognizeUser(ClaimsPrincipal principal, Guid organizationId, Guid& userId)
at Microsoft.Crm.Authentication.ClaimsIdentityAuthorizationManager.CheckAccess(AuthorizationContext context)
at Microsoft.Crm.Authentication.Claims.CrmSessionAuthenticationManager.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie).
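The trace above fails in ClaimsUtility.GetSecurityIdentifier with "Expected non-empty string. Parameter name: userPrincipalName", and the second argument to p_GetCrmUserId is passed as just 'W:' with nothing after the prefix: CRM reached user matching without a usable UPN claim in the token it was handed. A quick way to see what PingFederate actually issues is to capture the wresult form field of the browser's POST back to CRM (with the browser's developer tools or a proxy) and list the assertion's attributes. The script below is an added example and is not code from the original post, from Dynamics CRM or from PingFederate. Its assumptions are labelled: the claim-type URIs are the standard WS-Federation/AD FS ones, treating UPN and primary SID as the required set is an assumption (the trace only proves the UPN was empty), and the two sample assertions and the host names in them are constructed for this example.

```python
"""Inspect a WS-Federation/SAML token for the claims CRM IFD uses to map a user.

Added example, not code from the original post, from Dynamics CRM or from
PingFederate. Assumptions: the claim-type URIs are the standard WS-Federation /
AD FS ones; treating UPN and primary SID as the required set is an assumption
(the posted trace only proves the UPN arrived empty); the sample assertions
and host names below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence
from urllib.parse import parse_qs

NS = {
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
PRIMARY_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"

# Claim types assumed to be needed for CRM user matching (UPN is the one the
# posted trace shows arriving empty).
REQUIRED_CLAIMS = (UPN, PRIMARY_SID)


def wresult_from_post_body(body: str) -> str:
    """Pull the token out of the form body the browser POSTs back to CRM
    (wa=wsignin1.0&wresult=<RequestSecurityTokenResponse ...>)."""
    return parse_qs(body).get("wresult", [""])[0]


def extract_claims(token_xml: str) -> Dict[str, List[str]]:
    """Return {claim_type: [values]} from the assertion inside the token.

    Handles SAML 2.0 (Attribute/@Name) and SAML 1.1 (Attribute/@AttributeNamespace
    plus @AttributeName, the AD FS-style WS-Fed layout). Empty AttributeValue
    elements are kept as "" so a present-but-empty claim stays visible; that is
    the case ThrowIfEmpty trips on in the trace.
    """
    root = ET.fromstring(token_xml)
    claims: Dict[str, List[str]] = {}
    for attr in root.iter("{%s}Attribute" % NS["saml2"]):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    for attr in root.iter("{%s}Attribute" % NS["saml1"]):
        claim_type = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        values = [(v.text or "").strip() for v in attr.findall("saml1:AttributeValue", NS)]
        claims.setdefault(claim_type, []).extend(values)
    return claims


def missing_claims(token_xml: str, required: Sequence[str] = REQUIRED_CLAIMS) -> List[str]:
    """Required claim types that are absent from the token or carry only empty values."""
    claims = extract_claims(token_xml)
    return [c for c in required if not any(claims.get(c, []))]


def report(token_xml: str) -> str:
    """Human-readable listing of every claim plus the missing/empty required ones."""
    lines = ["%s = %r" % (k, v) for k, v in sorted(extract_claims(token_xml).items())]
    lines.append("missing/empty required claims: " + (", ".join(missing_claims(token_xml)) or "none"))
    return "\n".join(lines)


# Constructed sample 1 (SAML 2.0 form): email and name present, UPN element
# present but empty, no primary SID. This is the shape that matches the trace.
SAMPLE_TOKEN_NO_UPN = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2017-03-14T13:37:14Z">
<saml:Issuer>https://ping.example.corp</saml:Issuer>
<saml:AttributeStatement>
<saml:Attribute Name="%s"><saml:AttributeValue>jdoe@example.corp</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="%s"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="%s"><saml:AttributeValue/></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>
</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>""" % (EMAIL, NAME, UPN)

# Constructed sample 2 (SAML 1.1 form, as AD FS emits it): UPN and primary SID present.
SAMPLE_TOKEN_OK = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_a2" Issuer="https://ping.example.corp" IssueInstant="2017-03-14T13:37:14Z">
<saml:AttributeStatement>
<saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
<saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>jdoe@example.corp</saml:AttributeValue></saml:Attribute>
<saml:Attribute AttributeName="primarysid" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims"><saml:AttributeValue>S-1-5-21-1-2-3-1001</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>
</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>"""

if __name__ == "__main__":
    for label, token in (("no-upn token", SAMPLE_TOKEN_NO_UPN), ("good token", SAMPLE_TOKEN_OK)):
        print("== %s ==\n%s\n" % (label, report(token)))
```

To use it against a real login, save the raw body of the POST to CRM to a file and feed `wresult_from_post_body(open(path).read())` to `report()`. If the UPN claim is listed as absent or empty, the fix is on the PingFederate side (attribute contract and claim-type names for the CRM relying party); if it is present and non-empty, the token is fine and the mismatch is in how CRM's claims configuration maps it.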