Clarification on how to use DirectFedAuthUrl TXT record for B2B External Identity to a SAML IDP with a different passiveSignInUri

Question

Clarification on how to use DirectFedAuthUrl TXT record for B2B External Identity to a SAML IDP with a different passiveSignInUri

Christopher Butler 5

I am trying to implement the DirectFedAuthUrl process to point a subdomain to a SAML IDP. I am referencing this document: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation.

I created the records in the subdomain fed.mydomain.com. The txt records show up in dig.
"DirectFedAuthUrl=https://auth.anotherdomain.com/realms/keycloak"

when I setup fed.mydomain.com as an additional domain in the SAML provider as an external Identity in an External Identity Provider, I get the error:

Failed to add fed.mydomain.com. Invalid passiveSignInUri fed.mydomain.com. The passiveSignInUri should match the domain. Otherwise, please add the passiveSignInUri in the domain DNS TXT record like this DirectFedAuthUrl=fed.mydomain.com

when i do a DIG from google toolbox i get the below:

TTL:

1 hour

VALUE:

"DirectFedAuthUrl=https://auth.anotherdomain.com/realms/keycloak"

It seems odd to me to add a txt record of DirectFedAuthUrl=fed.mydomain.com to the domain fed.mydomain.com when the IDP is at https://auth.anotherdomain.com/realms/keycloak

Akshay-MSFT 17,941 Reputation points Microsoft Employee Moderator

2023-06-27T02:39:33.7133333+00:00

@Christopher Butler Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik
Rudyk, Zhanna B 40 Reputation points

2025-03-16T08:04:30.0533333+00:00

Can you please tell me how you ve added keycloak idp to Microsoft entra id ? I ve created a client in keycloak type saml. Trying to add it as idp to Microsoft . I m putting domain name, exactly as idp https://auth.mine.com/realms/realmname/protocol/saml/clients/keycloak but get an error always that idp can't be created . Without description
Rudyk, Zhanna B 40 Reputation points

2025-03-16T08:05:58.2866667+00:00

@Akshay-MSFT can you please explain me

1 answer

Your answer

Akshay-MSFT 17,941 Reputation points Microsoft Employee Moderator

2023-06-27T02:39:33.7133333+00:00

@Christopher Butler Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik
Rudyk, Zhanna B 40 Reputation points

2025-03-16T08:04:30.0533333+00:00

Can you please tell me how you ve added keycloak idp to Microsoft entra id ? I ve created a client in keycloak type saml. Trying to add it as idp to Microsoft . I m putting domain name, exactly as idp https://auth.mine.com/realms/realmname/protocol/saml/clients/keycloak but get an error always that idp can't be created . Without description
Rudyk, Zhanna B 40 Reputation points

2025-03-16T08:05:58.2866667+00:00

@Akshay-MSFT can you please explain me

Answer 1

Akshay-MSFT 17,941 Microsoft Employee Moderator

@Christopher Butler

Thank you for posting YOUR QUERY ON Microsoft Q&A. Based upon your description above it seems like you are not able to add SAML IDP with a passive authentication endpoint.

On digging further I saw there has been a similar known issue which is worked by dev team.

As a work around could you please try the following action:

To update the DNS TXT record, please try using 'DirectFedPassiveSignInUri' instead of 'DirectFedAuthUrl' as below

Instead of using:

fabrikam.com.  IN   TXT   DirectFedAuthUrl=https://fabrikamconglomerate.com/adfs

Try using:

fabrikam.com. IN TXT DirectFedPassiveSignInUri=https://fabrikamconglomerate.com/adfs

Please do let me know in comments if this does not help so that we could move to next plan of action.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

Christopher Butler 5 Reputation points

2023-06-20T17:39:06.51+00:00
@Akshay Kaushik Thanks for the suggestions and being willing to help.

I updated the record as you suggested. From dig it looks like below

"DirectFedPassiveSignInUri=https://auth.anotherdomain.com/realms/keycloak"

however, I am still getting the same error message.
Akshay-MSFT 17,941 Reputation points Microsoft Employee Moderator

2023-06-21T11:34:00.71+00:00
@Christopher Butler

Thank you for your response, kindly try adding the passive URL only in the DNS record and not the IDP

"DirectFedPassiveSignInUri=fed.mydomain.com

As per Step1

Check the partner's IdP passive authentication URL to see if the domain matches the target domain or a host within the target domain. In other words, when setting up federation for fabrikam.com (IDP)

If the passive authentication endpoint is https://fabrikamconglomerate.com/adfs** or **https://fabrikam.com.uk/adfs, the domain doesn't match the fabrikam.com domain, so the partner needs to add a text record for the authentication URL to their DNS configuration.

Still if this does not work then please do send an email @AzCommunity@microsoft.com

Subject line: Attn: Akshay-MSFT | Unable to add SAML IDP with a passive authentication endpoint.

Body:

Your Azure Subscription ID

[https://learn.microsoft.com/en-us/answers/questions/1308034/clarification-on-how-to-use-directfedauthurl-txt-r ](https://learn.microsoft.com/en-us/answers/questions/1308034/clarification-on-how-to-use-directfedauthurl-txt-r

)

And your availability during early EST hours.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
Christopher Butler 5 Reputation points

2023-06-27T12:42:44.3733333+00:00

I tried using DirectFedPassiveSignInUri as with and without the /realm/keycloak

Error message is still the same.
Nick Woodley 0 Reputation points

2023-11-21T11:56:26.8366667+00:00

Hi

Did you get a working solution in the end?

Regards

Nick

Share via

Clarification on how to use DirectFedAuthUrl TXT record for B2B External Identity to a SAML IDP with a different passiveSignInUri

1 answer

Your answer