Incorrect error message in Azure UI when adding a "Domain name of federating IdP"

Francois Granade 0 Reputation points
2024-08-16T21:55:38.9633333+00:00

Hello - I'm having issues setting up SAML External Identity provider.

First, I found a bug: when I add a "Domain name of federating IdP" to an existing SAML Identity Provider, and that there's an error, the message is always:"Failed to add somedomain.com. Invalid passiveSignInUri somedomain.com. The passiveSignInUri should match the domain. Otherwise, please add the passiveSignInUri in the domain DNS TXT record like this DirectFedAuthUrl=somedomain.com" (*where "somedomain.com" is the domain I tried to add)*This message is not correct -- the domain I'm trying to add is not the text of the TXT to use. The correct TXT entry that will work, must contain the "Passive authentication endpoint" (and it must be added to the zone file of the domain I'm adding, e.g. to the zone file of "somedomain.com" here).The strange part, is that the Portal API call returns the correct error: I can see it in the Developer tools of my browser, by looking at the received data, that the message is correct. It's the front-end of the portal that shows an incorrect message, even though it received the right message from the Azure API. See the screenshot (top, the UI of the Azure portal, with the incorrect message ; bottom, the developer tools, showing me that the correct message:

Object { code: "Request_BadRequest", message: "Invalid domain ASDFadfcs. Domain should match the passiveSignInUri. Otherwise, please add the passiveSignInUri in the domain DNS TXT record like this DirectFedAuthUrl=https://sso.<mydomain>.org/realms/<myrealm>/protocol/saml.", innerError: {…} }

If I add a DNS TXT entry with the suggestion from the message I see in the portal UI, it doesn't work ; if I use the suggestion I see in the developer tools, it works. So really the portal UI is wrong.

Now, even after having debugged this problem I still can't get the SAML "custom" Identity provider to work, i.e. to be used when new guest users connect for the first time. This is for a a Sharepoint Online site (<mysite>.sharepoint.com), for guest users that have a "<myorg>.onmicrosoft.com" identity. What are the right values to put for the domain ?

In particular, I'm wondering if the "Domain name for the federated IdP" must match the Identity of the users ("myorg.onmicrosoft.com" in my case) ?

Do I have to modify the app ?

I've modified the "Redemption order", and disabling the other identity providers, but my SAML IdP is still not proposed to new users....

Any help (even contact with support ?) would help,

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,927 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,198 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.