Set-MsolDomainAuthentication PreferredAuthenticationProtocol = "SAMLP", Get-MSolDomainFederationSettings shows as WsFed.

Ed Morra 1 Reputation point


I am trying to establish a single sign on (SSO) experience for my Google Workspace (GW) users who need to occasionally use Word, PowerPoint and Excel by federating GW as Identity Provider with a newly created tenant at Microsoft (MS) as Service Provider.
I was able to create a SAML web app at GW and used PowerShell to confer the information to MS.
The federation between them is successful in that my user data has migrated from GW to MS.
Standard Business licenses for the apps were purchased and assigned to users in the MS admin dashboard.

However, SSO experience doesn't work when my users try to logon to with their GW credentials.
GW is expecting a SAML conversation but is receiving a WS-FED protocol from MS when I use a SAML tracer extension and review the results.
My notes show that I issued a Set-MsolDomainAuthentication command with PreferredAuthenticationProtocol = "SAMLP" that was received without complaint.
They also show that when I checked the results with a Get-MSolDomainFederationSettings the protocol shows as WsFed.

I would go to the trouble of undoing and redoing the authentication with MS, but it is a sign of Madness to repeat the same process and expect a different result.

What could I do differently here to get SAMLP to stick?

- Ed -  
Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,893 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Ed Morra 1 Reputation point

    Not getting any response after a few days here, so I am going to try the method outlined in this article with an admin trying to update from wsfed to saml:

    I'll keep myself posted with how that turns out.

    0 comments No comments

  2. Ed Morra 1 Reputation point

    Copy all of the federation parameters we used before into PowerShell. One thing I note that this guy did differently is he would type in SAMLP without quotes and did not use a variable name, and added the parameters in a slightly different order, so I will follow that lead, just to do something different.

    First, change the domain's authentication mode to Managed, so that the preferred authentication protocol can be changed from WsFed to Samlp

    Set-MsolDomainAuthentication –DomainName $DomainName -Authentication Managed  

    Check the result

    Get-MSolDomainFederationSettings -DomainName | Format-List *  

    Yields no response (I interpret this as all parameters being deleted)

    Next, change the domain's authentication mode back to Federated with SAMLP typed in without quotes, using all of the previously used parameters:

    Set-MsolDomainAuthentication –DomainName $DomainName -FederationBrandName $FederationBrandName -Authentication Federated -PassiveLogOnUri $PassiveLogOnUri -SigningCertificate $SigningCertificate -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -LogOffUri $LogOffUri -PreferredAuthenticationProtocol SAMLP  

    Check the result

    Get-MSolDomainFederationSettings -DomainName | Format-List *  
    ExtensionData                          : System.Runtime.Serialization.ExtensionDataObject  
    ActiveLogOnUri                         :  
    DefaultInteractiveAuthenticationMethod :  
    FederationBrandName                    : Google Workspace  
    IssuerUri                              :  
    LogOffUri                              :  
    MetadataExchangeUri                    :  
    NextSigningCertificate                 :  
    OpenIdConnectDiscoveryEndpoint         :  
    PassiveLogOnUri                        :  
    PasswordChangeUri                      :  
    PasswordResetUri                       :  
    PreferredAuthenticationProtocol        : Samlp  
    PromptLoginBehavior                    :  
    SigningCertificate                     : MIIDdDCCAlygAwIBAgIGAXGoCdejMA0GCSqGSIb3DQEBCwUAM                                           
                                                          etc ...                                          
    SigningCertificateUpdateStatus         :  
    SupportsMfa                            :  



    SAMLP sticks and SSO is now working!

    Hope this is helpful for someone else in the future...