Fault issued by Azure when adding WatchGuard Authpoint SAML IdP at Azure External-Identity-New SAML/WS-Fed IdP

Question

Fault issued by Azure when adding WatchGuard Authpoint SAML IdP at Azure External-Identity-New SAML/WS-Fed IdP

khaled 26

Problem description:
The Azure Parser decodes the External IdP metadata file correctly into the required field elements by Azure:
(See the attached screenshot)

Issuer URI
Passive Authentication Endpoint
Certificate
Metadata URL
The IdP Protocol is SAML
The domain name is watchguard.com

When saving to add the external IdP to the list of the Azure IdPs, Azure issues the following error:
==> "Failed to add a SAML/WS-Fed-Identioty provider".
No error codes are shown, also no other help or indications, so that troubleshooting is not possible from my side.
Federating the secondary domain users to the AuthPoint IdP is therefore not possible and the domain stays in Azure in "Managed" state. Therefore, this domain users cannot authenticate to Azure-associated Microsoft 365 applications.
Can any one help?
Thanks.

khaled 26 Reputation points

2022-02-01T18:25:53.867+00:00

Screenshot added...

1 answer

Your answer

khaled 26 Reputation points

2022-02-01T18:25:53.867+00:00

Screenshot added...

Answer 1

AmanpreetSingh-MSFT 56,871 Moderator

Hi @khaled • Thank you for reaching out.

I just checked and confirmed that the watchguard.com domain is added as a verified domain to an Azure AD tenant. When a custom domain is verified under any Azure AD tenant, you cannot do a SAML/WS-Fed IdP federation with that domain. Direct federation can only be done with the domains that are not present in Azure as verified domains.

This is DOCUMENTED HERE:

Can I set up SAML/WS-Fed IdP federation with Azure AD verified domains?
No, we block SAML/WS-Fed IdP federation for Azure AD verified domains in favor of native Azure AD managed domain capabilities. If you try to set up SAML/WS-Fed IdP federation with a domain that is DNS-verified in Azure AD, you'll see an error in the Azure portal or PowerShell.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

khaled 26 Reputation points

2022-02-02T08:03:54.75+00:00

Hi @amanpreetingh-msft
Thank you for your quick reply. The possible error you mentioned that "Watchguard.com" domain shouldn't be a verified domain under any Azure AD tenant seems to be only the peak of the iceberg! The domain WatchGuard.com is a Cloud Service Provider that provides IdP services to the customers. The domain name will always appear in the parsed Metadata fields as well as in other customers of Azure. So, to check, I have changed the domain name at the "Domain name of the Federating IdP field to a completely different, unverified domain, yet still received an error that is shown in screenshot 2. Cannot create und thus federate a third-party SAML IdP yet.

Would be very thankful to receive further pieces of advice.

Regards Khaled
khaled 26 Reputation points

2022-02-02T08:05:40.66+00:00

Added Screenshot 2...170502-screenshot-2-new-saml-idp.pdf
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2022-02-02T13:00:27.907+00:00

@khaled • Try to reproduce the error and take note of the time of the repro. Wait for a few minutes as it takes some time to populate the audit log. Navigate to Azure Portal > Azure Active Directory > Audit logs and look for the logs around that time with the activity "Set federation settings on domain" to get more details of the error.
khaled 26 Reputation points

2022-02-02T13:39:24.08+00:00

Hi,
Reviewed the the Audit log after repeating the attempt. Please check the screenshot 3 and 4. They contain:
Date
2. 2.2022, 14:26

Activity Type
Set federation settings on domain

Correlation ID
dc9bb62e-1e75-4619-993c-ca114600007c

Category
DirectoryManagement

Status
failure

Status reason
Microsoft.Online.Workflows.ValidationException

User Agent
Initiated by (actor)

Type
User

Display Name
Object ID
22f066d6-9d1d-4c59-963a-0822a10d50b7

IP address
5. 147.1.198

User Principal Name
******@teiba-infosec.de

Additional Details

170566-screenshot-3-audit-log-i.pdf 170594-screenshot-4-audit-log-ii.pdfUser-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36 Edg/97.0.1072.76
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2022-02-03T08:37:44.657+00:00
@khaled • Thank you for providing the required information. Based on the correlation ID in the audit log, I tracked the error in the backend database. Below is the error that occurred while adding direct federation:

PassiveLogOnUri is not supported as it does not match the external domain: `teibastar.de`.

To verify the PassiveLogOnUri, please add the PassiveLogOnUri in the DNS TXT record like this DirectFedAuthUrl=https://sp.authpoint.deu.cloud.watchguard.com/saml/ACC-1622981/sso/spinit within the teibastar.de domain.
khaled 26 Reputation points

2022-02-04T00:17:29.78+00:00
Thank you so much for the valuable hint. I am now able to add the third-party SAML IdP to the list of "All Identity Providers", for now as a standard "Managed" IdP.
According to Microsoft instructions, the domain MUST be held " Unverified" which is now the case. However, there is still one or more problems on the way unsolved before the domain can be federated!

When Attempting to convert the domain from "Managed" to "Federated", the Set-MsolDomainAuthentication command fails throwing the error:

==> "Invalid value for parameter. Parameter Name: federationSettings"! Please see also screenshot#6.

The above error complains about a parameter that has not been used in this configuration!! Which might suggest a mismatched software version between the executed commands and the existing Azure version.
My PC-based Powershell has version 5.1.19041.1320 (The PC is already updated to the last Win10Pro version)
The Azure Poweshell has version 7.2.1
When attempting to execute the command from Azure Powershell, it throws a different error: the command "Connect-MsolService" cmdlet must be called first before calling any other cmdlets. The command appears that it can only be done from a PC Poweshell.

Any suggestions/ fixes why the PC Powershell does not execute the Set-MsolDomainAuthentication and how to solve that?

Federating the domain is therefore still not possible.

Thanks you for your efforts
Regards
khaled 26 Reputation points

2022-02-04T00:20:11.433+00:00
Thank you so much for the valuable hint. I am now able to add the third-party SAML IdP to the list of "All Identity Providers", for now as a standard "Managed" IdP.
According to Microsoft instructions, the domain MUST be held " Unverified" which is now the case. However, there is still one or more problems on the way unsolved before the domain can be federated!

When Attempting to convert the domain from "Managed" to "Federated", the Set-MsolDomainAuthentication command fails throwing the error:

==> "Invalid value for parameter. Parameter Name: federationSettings"! Please see also screenshot#6.
171137-screenshot-5-third-party-saml-idp-is-added-in-mana.pdf 171202-screenshot-6-command-set-msoldomainauthentication.pdf
The above error complains about a parameter that has not been used in this configuration!! Which might suggest a mismatched software version between the executed commands and the existing Azure version.
My PC-based Powershell has version 5.1.19041.1320 (The PC is already updated to the last Win10Pro version)
The Azure Poweshell has version 7.2.1
When attempting to execute the command from Azure Powershell, it throws a different error: the command "Connect-MsolService" cmdlet must be called first before calling any other cmdlets. The command appears that it can only be done from a PC Poweshell.

Any suggestions/ fixes why the PC Powershell does not execute the Set-MsolDomainAuthentication and how to solve that?

Federating the domain is therefore still not possible.

Thanks you for your efforts
Regards
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2022-02-04T09:24:48.873+00:00

@khaled • This is not supported. Only the verified domains can be converted into federated domains.
Khaledfa 1 Reputation point

2022-02-04T10:09:29.207+00:00

Hello,
Thank you, but I am afraid your last statement is not correct! The opposite is correct: Only the UNVERIFIED domains can be converted into federated domains for third-party IdPs. I have added here screenshot# 7 as a proof which is a cut-out of the Microsoft procedure: Federation with SAML/WS-Fed Identity Providers for Guest users:

https://learn.microsoft.com/en-gb/azure/active-directory/external-identities/direct-federation
Please check the Highlighted Note under Step 2: Configure the partner organisation's IdP-SAML 2.0 Configuration

Please check screenshot #7

Thanks for continuing to support.

Regards171381-screenshot-7-only-unverified-domains.pdf
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2022-02-04T18:25:18.717+00:00

@Khaledfa • @khaled • When I said, "only the verified domains can be converted into federated domains", I was referring to converting the domain from "Managed" to "Federated" using the Set-MsolDomainAuthentication command and not the B2B/External federation. These two federations are different can work in a completely different way. You cannot mix and match these.
Khaledfa 1 Reputation point

2022-02-05T00:48:00.707+00:00

Thank you for this input! However, whether the domain is verified or unverified, there is a problem converting both types from Managed to Federated. I tested the domain: teibastar.de which is unverified, Managed and the domain: teibasec.de which is verified, Managed. Both cannot be yet converted to Federated. As stated above, we have

The PC-based Powershell version 5.1.19041.1320
The current Azure Poweshell version 7.2.1
The DNS Provider is updated with the TXT entries in both domains as you advised earlier.

Would you be able to help find out why converting both domain types fail?

The test phase for MS365 will expire in a few day and we haven't found a yet a successful customer experience demo.

Please see Screenshot 9 and 10 for the Unverified and Verified domain conversion attempts. The parameter causing the error has not been used in the procedure!!

Thank you for your support.
Kind Regards171517-screenshot-9-failed-procedure-for-managed-unverifi.pdf 171553-screenshot-10-failed-procedure-for-managed-verifie.pdf

Share via

Fault issued by Azure when adding WatchGuard Authpoint SAML IdP at Azure External-Identity-New SAML/WS-Fed IdP

1 answer

Your answer