Incorrect error message in Azure UI when adding a "Domain name of federating IdP"
Hello - I'm having issues setting up a SAML external identity provider.

First, I found a bug: when I add a "Domain name of federating IdP" to an existing SAML identity provider and there is an error, the message is always: "Failed to add somedomain.com. Invalid passiveSignInUri somedomain.com. The passiveSignInUri should match the domain. Otherwise, please add the passiveSignInUri in the domain DNS TXT record like this DirectFedAuthUrl=somedomain.com" (where "somedomain.com" is the domain I tried to add).

This message is not correct: the domain I'm trying to add is not the text of the TXT record to use. The correct TXT entry that will work must contain the "Passive authentication endpoint" (and it must be added to the zone file of the domain I'm adding, e.g. to the zone file of "somedomain.com" here).

The strange part is that the Portal API call returns the correct error: I can see in the developer tools of my browser, by looking at the received data, that the message is correct. It's the front-end of the portal that shows an incorrect message, even though it received the right message from the Azure API. See the screenshot (top, the UI of the Azure portal, with the incorrect message; bottom, the developer tools, showing the correct message):
Object { code: "Request_BadRequest", message: "Invalid domain ASDFadfcs. Domain should match the passiveSignInUri. Otherwise, please add the passiveSignInUri in the domain DNS TXT record like this DirectFedAuthUrl=https://sso.<mydomain>.org/realms/<myrealm>/protocol/saml.", innerError: {…} }
If I add a DNS TXT entry with the suggestion from the message I see in the portal UI, it doesn't work; if I use the suggestion I see in the developer tools, it works. So really the portal UI is wrong.

Now, even after having debugged this problem, I still can't get the SAML "custom" identity provider to work, i.e. to be used when new guest users connect for the first time. This is for a SharePoint Online site (<mysite>.sharepoint.com), for guest users that have a "<myorg>.onmicrosoft.com" identity. What are the right values to put for the domain?

In particular, I'm wondering if the "Domain name for the federated IdP" must match the identity of the users ("myorg.onmicrosoft.com" in my case)?

Do I have to modify the app?

I've modified the "Redemption order" and disabled the other identity providers, but my SAML IdP is still not proposed to new users...

Any help (even contact with support?) would help,
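As an added offline check (my own example, not code from the original post or from Microsoft), the following Python applies the rule stated in the API error message to a set of DNS TXT strings: either the federating domain matches the passiveSignInUri, or the domain publishes a TXT record `DirectFedAuthUrl=<passive authentication endpoint>`. The endpoint URL, the domain and the TXT strings are constructed placeholders, and "domain should match the passiveSignInUri" is read as "the URI hostname is the domain or a subdomain of it", which is an assumption about the validation.

```python
"""Pre-flight check for the "Domain name of federating IdP" rule quoted in
the Entra API error.  TXT strings are passed in (e.g. pasted from the output
of `dig TXT somedomain.com`), so nothing here touches the network."""
from urllib.parse import urlparse

PREFIX = "DirectFedAuthUrl="


def direct_fed_auth_urls(txt_records):
    """Return every DirectFedAuthUrl value in a list of TXT strings.
    Surrounding quotes as printed by dig are stripped; exact value match."""
    urls = []
    for rec in txt_records:
        value = rec.strip().strip('"')
        if value.startswith(PREFIX):
            urls.append(value[len(PREFIX):])
    return urls


def domain_matches_uri(domain, passive_uri):
    """Assumption: 'match' means the URI host is the domain or a subdomain."""
    host = (urlparse(passive_uri).hostname or "").lower()
    dom = domain.lower().rstrip(".")
    return host == dom or host.endswith("." + dom)


def check_federating_domain(domain, passive_uri, txt_records):
    """Return (ok, reason) for adding `domain` to an IdP with `passive_uri`."""
    if domain_matches_uri(domain, passive_uri):
        return True, "domain matches the passiveSignInUri host; no TXT needed"
    urls = direct_fed_auth_urls(txt_records)
    if not urls:
        return False, f"no {PREFIX} TXT record published for {domain}"
    if passive_uri in urls:
        return True, "TXT record DirectFedAuthUrl equals the passiveSignInUri"
    if domain in urls:
        # This is exactly what the misleading portal message suggests.
        return False, "TXT record carries the domain itself, not the passive endpoint"
    return False, f"TXT value(s) {urls} do not equal the passiveSignInUri"


# Constructed sample data (placeholders, not real records).
PASSIVE_URI = "https://sso.example.org/realms/example/protocol/saml"
PORTAL_TXT = ['"v=spf1 -all"', '"DirectFedAuthUrl=somedomain.com"']
API_TXT = ['"v=spf1 -all"', '"DirectFedAuthUrl=' + PASSIVE_URI + '"']

if __name__ == "__main__":
    for label, txt in (("portal UI suggestion", PORTAL_TXT), ("API suggestion", API_TXT)):
        ok, why = check_federating_domain("somedomain.com", PASSIVE_URI, txt)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {why}")
```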