Using Azure Active Directory with an external identities manager (CloudFlare Zero Trust)

Dotan Simha 1 Reputation point
2022-10-24T07:24:43.307+00:00

Hi all
I'm looking into integrating CloudFlare Zero Trust as IdP provider for Azure AD. I wish CloudFlare to manage all identities and provide me an SSO (SAML-based) for protecting Azure.

I followed all instructions in the CloudFlare Zero Trust dashboard - created an Application and used the following configs:
Application: Microsoft Azure
Entity ID: https://login.microsoftonline.com/<AD_TENANT_ID>
Assertion Consumer Service URL: https://login.microsoftonline.com/login.srf

Based on that, I got the CF app configurations to set in Azure Portal. I used Active Directory -> External Identities -> All Identity Providers -> New SAML/WS-Fed IdP and matched the configurations as follows:
Identity Provider Protocol: SAML
Domain Name of Federating IdP: <CF_TEAM_NAME>.cloudflareaccess.com
Issuer URI: The Access Entity ID or Issuer I got from the CF App ( https://<CF_TEAM_NAME>.cloudflareaccess.com )
Passive authentication endpoint: The SSO endpoint I got from the CF App ( https://<CF_TEAM_NAME>.cloudflareaccess.com/cdn-cgi/access/sso/saml/<SOME_ID> )
Certificate: The Public Key I got from the CF App

After setting this up, I logged in to the Federated provider (CF Zero Trust) with my account, and then tried to launch the Azure app. I only get this error:

   AADSTS50107: The requested federation realm object 'https://<CF_TEAM_NAME>.cloudflareaccess.com' does not exist.

Any idea what's wrong with this setup?

Thanks

Microsoft Security Microsoft Entra Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-10-26T00:09:19.42+00:00

    Hi @Dotan Simha ,

    If you have already tried the steps from the troubleshooting guide of making sure that Cloudflare has provided the correct issuerURI and modifying the IssuerURI of the federated domain to match the realm object listed in the error via Set-MsolDomainFederationSettings, you can also try the following troubleshooting steps:

    This error can occur if there is no two-way trust configured between the ADFS domain and the user account domain. If this is the case, the issue can be resolved by creating a two-way trust.

    In addition, if you run Get-MsolDomainFederationSettings -DomainName <your domain> , can you verify if the IssuerURI reflects correctly?

    Additional resources:

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-multiple-domains#verify-the-new-top-level-domain

    https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/authentication-fails-with-error

    https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/authentication/cant-sign-in-office-365-multiple-domain-federation
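The check the answer asks for, as an added example that is not part of the original thread and not code from Microsoft or Cloudflare: a PowerShell script that reads the federation settings of a verified domain with Get-MsolDomainFederationSettings, compares the configured IssuerUri to the realm quoted in AADSTS50107, and only when run with -Apply rewrites IssuerUri, PassiveLogOnUri and the signing certificate through Set-MsolDomainFederationSettings. Azure AD matches the Issuer in the SAML assertion against IssuerUri as an exact string, so a trailing slash or a different host casing is enough to produce this error. One caveat worth knowing before running it: these cmdlets operate on domain federation (a verified, federated domain of the tenant), which is a different object from the External Identities SAML/WS-Fed IdP the question configured; a domain that is not federated will simply fail the Get call. The domain name, issuer, endpoint and certificate path are placeholders supplied as parameters, and the script assumes the MSOnline module is installed and the signed-in account may change federation settings.

```powershell
<#
  Added example (not from the original thread). Verifies a federated domain's
  IssuerUri against the realm named in AADSTS50107 and optionally fixes it.
  Assumptions: MSOnline module installed (Install-Module MSOnline), the account
  used by Connect-MsolService may edit domain federation, and $DomainName is a
  verified, federated domain in the tenant. All parameter values are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $DomainName,          # e.g. 'contoso.example' (placeholder)
    [Parameter(Mandatory)] [string] $ExpectedIssuerUri,   # the realm quoted in the AADSTS50107 error
    [string] $PassiveLogOnUri,                            # IdP SSO endpoint; only used with -Apply
    [string] $SigningCertificatePath,                     # IdP signing cert (PEM or DER); only used with -Apply
    [switch] $Apply                                       # without -Apply the script is report-only
)

Connect-MsolService

# Fails for managed (non-federated) domains. That failure is itself a signal: an
# External Identities SAML/WS-Fed IdP is not a federated domain and will not appear here.
$current = Get-MsolDomainFederationSettings -DomainName $DomainName -ErrorAction Stop

# Exact, case-sensitive comparison: this is how the realm lookup behaves.
$issuerOk = $current.IssuerUri -ceq $ExpectedIssuerUri

# Thumbprint of the certificate currently stored, to compare with the IdP dashboard.
$storedThumb = $null
if ($current.SigningCertificate) {
    $storedCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        , [Convert]::FromBase64String($current.SigningCertificate))
    $storedThumb = $storedCert.Thumbprint
}

[pscustomobject]@{
    Domain           = $DomainName
    ConfiguredIssuer = $current.IssuerUri
    ExpectedIssuer   = $ExpectedIssuerUri
    IssuerMatches    = $issuerOk
    PassiveLogOnUri  = $current.PassiveLogOnUri
    Protocol         = $current.PreferredAuthenticationProtocol
    StoredCertThumb  = $storedThumb
} | Format-List

if ($issuerOk) {
    Write-Host "IssuerUri already matches the realm in the error; look elsewhere (endpoint, certificate, IdP type)."
    return
}
if (-not $Apply) {
    Write-Warning "IssuerUri mismatch. Re-run with -Apply (plus -PassiveLogOnUri / -SigningCertificatePath) to update."
    return
}

$update = @{
    DomainName                      = $DomainName
    IssuerUri                       = $ExpectedIssuerUri
    PreferredAuthenticationProtocol = 'Samlp'   # SAML 2.0 rather than WS-Federation
}
if ($PassiveLogOnUri) { $update.PassiveLogOnUri = $PassiveLogOnUri }

if ($SigningCertificatePath) {
    # X509Certificate2 accepts PEM or DER files; -SigningCertificate wants bare base64 DER
    # (no -----BEGIN/END----- lines), which RawData gives us directly.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertificatePath)
    Write-Host "Uploading signing certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"
    $update.SigningCertificate = [Convert]::ToBase64String($cert.RawData)
}

Set-MsolDomainFederationSettings @update

# Re-read from the service so the change is confirmed rather than assumed from the call.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Select-Object IssuerUri, PassiveLogOnUri, PreferredAuthenticationProtocol
```

Run it first without -Apply to get the report; it prints the stored certificate thumbprint so you can compare it with the public key shown in the Cloudflare application before uploading anything. The script only ever touches the one domain you name, and it re-reads the settings after the update instead of trusting the Set call.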

