Entra ID to redirect to external IdP login page using the same domain as my Entra verified domain

Question

Entra ID to redirect to external IdP login page using the same domain as my Entra verified domain

Vladimir Petrov 0

Hello,

I have an Entra ID verified domain "test.com", also I have the same "test.com" domain in on-prem environment. my IdP is open text access manager. I want to get my users authenticated via my IdP instead of Entra. As far as I get it SAML/WS federation is used only for B2B or cross-tenant authentication. What should I configure in order to get my users authenticate via my IdP?

1 answer

Your answer

Answer 1

Anonymous

Hello @Vladimir Petrov,

Thank you for reaching out to Microsoft Q&A.

We understand that you have third party External Identity provider (open text access manager) and you have configured a Service in Entra ID, now you want the users who use third party External Identity provider access this Service which is configured in Entra ID.

To achieve this, you can make use of Azure AD B2B collaboration, so that users who are external to Entra ID can also access the application.

With this method, authentication is still handled by your IDP, but user will be able to access the application or services as their identity will get provisioned in Entra ID.

Azure Active Directory (Azure AD) B2B collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your organization applications and services with external users.

With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization. Guest users sign in to your apps and services with their own work, school, or social identities.

The partner uses their own identities and credentials, whether or not they have an Azure AD account.
You don't need to manage external accounts or passwords.
You don't need to sync accounts or manage account lifecycles.

You can refer the below article to know about and how you can configure it in Azure AD: https://learn.microsoft.com/en-us/entra/external-id/what-is-b2b#manage-b2b-collaboration-with-other-organizations-and-clouds

As per your query the users using your identity provider, you will have to configure “Federation with SAML/WS-Fed identity providers for guest users”. You can refer below article to configure this,

https://learn.microsoft.com/en-us/entra/external-id/direct-federation

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Thanks & Regards

Janaki Kota

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Vladimir Petrov 0 Reputation points

2025-02-07T09:12:19.9+00:00

It is not working for member accounts and I cannot invite them as guests as the domains are the same in Entra and on-prem. I think SAML/WS-Fed is not the right way to do this.
Anonymous

2025-02-07T13:59:29.1566667+00:00

Hello @Vladimir Petrov,

Thanks for the prompt response.

We are checking this internally. We will provide an update at the earliest.
Anonymous

2025-02-10T09:42:30.4433333+00:00
Hello @Vladimir Petrov,

To authenticate users via your IDP (OpenText Access Manager) instead of Entra ID, you need to configure integration between your IDP and Entra ID. This allows your users to be authenticated by your IdP and still gain access to resources and services in Entra ID.

Steps to configure Open Text Access Manager in Azure

To begin with you need to ensure your domain is listed as a verified domain. If not, you can add and verify it by following the below path.

Entra ID > Custom domain names.

Further, to route the users through OpenText Access Manager instead of using Entra ID authentication you need to enable federation for your domain as shown in the below document.

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration?view=graph-powershell-1.0#example-1-configure-federation-settings-for-a-federated-domain

Later, you need to navigate to Entra ID > Enterprise applications > New application.

Select a non-gallery application and name it (e.g., "OpenText Access Manager").

Select Single sign-on from the left menu as shown below.

For SAML:

Configure Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Sign-on URL to the relevant values provided by OpenText Access Manager.

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-setup-sso

Hope this helps. Do let us know if you any further queries.
Anonymous

2025-02-11T11:48:49.08+00:00

Hello @Vladimir Petrov,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Vladimir Petrov 0 Reputation points

2025-02-11T13:02:15.5833333+00:00

I am getting :

New-MgDomainFederationConfiguration_CreateExpanded: Encountered an internal server error.

Status: 500 (InternalServerError)

ErrorCode: Service_InternalServerError

Date: 2025-02-11T12:46:02

when trying to federate the domain, it is our primary domain, would that be the reason maybe?
Vladimir Petrov 0 Reputation points

2025-02-12T07:43:46.4433333+00:00
I am also trying to setup a saml configuration via the portal I get different errors in GUI and in browser logs GUI:

Failed to add a SAML/WS-Fed identity provider.

Invalid domain test.com. Domain should match the passiveSignInUri. Otherwise, please add the passiveSignInUri in the domain DNS TXT record like this DirectFedAuthUrl

LOG:

"message": "You cannot create a configuration with Fibank.bg domain as it is verified and managed in this tenant.",
Sanoop M 4,310 Reputation points Moderator

2025-02-12T21:16:34.7366667+00:00
Hello @Vladimir Petrov,

Thank you for your response.

Firstly, instead of trying with New-MgDomainFederation command which comes under Microsoft Graph PowerShell V1.0 to configure Federation settings, please use New-MgBetaDomainFederation command and follow the below document for your reference and check the behavior.

New-MgBetaDomainFederationConfiguration (Microsoft.Graph.Beta.Identity.DirectoryManagement) | Microsoft Learn

Based on the error what you are getting "Failed to add a SAML/WS-Fed identity provider".

Invalid domain test.com. Domain should match the passiveSignInUri. Otherwise, please add the passiveSignInUri in the domain DNS TXT record like this DirectFedAuthUrl.

Please try adding the passiveSignInUri only in the domain DNS TXT record as mentioned below.

"DirectFedPassiveSignInUri=fed.mydomain.com

As per Step1

Check the partner's IdP passive authentication URL to see if the domain matches the target domain or a host within the target domain.

In other words, when setting up federation for fabrikam.com(For example)

If the passive authentication endpoint is https://fabrikam.com or https://sts.fabrikam.com/adfs (a host in the same domain), no DNS changes are needed.

If the passive authentication endpoint is https://fabrikamconglomerate.com/adfs** or **https://fabrikam.com.uk/adfs, the domain doesn't match the fabrikam.com domain, so the partner needs to add a text record for the authentication URL to their DNS configuration.

If DNS changes are needed based on the previous step, ask the partner to add a TXT record to their domain's DNS records, like the following example:

fabrikam.com.  IN   TXT   DirectFedAuthUrl=https://fabrikamconglomerate.com/adfs.

Please let us know the behavior after performing the above mentioned steps. I am looking forward to your response.
Anonymous

2025-02-14T12:25:29.96+00:00

Hello @Vladimir Petrov,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Vladimir Petrov 0 Reputation points

2025-02-14T12:32:36.4866667+00:00

Hello, It turned iut that it was due to some cache on microsofti side i guess... after a few hours with no attempts it worked with new-mgdomainfederation configuration. Thank you for the support.
Anonymous

2025-02-14T12:36:11.2+00:00

Hello @Vladimir Petrov,

Thank you for the update.

Please let us know if there is anything else I can help you with.

If the information helped to address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Anonymous

2025-02-17T08:40:48.36+00:00

Hello @Vladimir Petrov,

Please let us know if there is anything else I can help you with.

If the information helped to address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Share via

Entra ID to redirect to external IdP login page using the same domain as my Entra verified domain

1 answer

Your answer