使用谷歌工作区验证 Azure SAML 的域

Question

I am trying to provision users into Azure AD from Google Workspace, and let my users log into Azure Portal using their company google account. I have added my custom domain to Azure AD, and configured integration on Google side. However while provisioning is working, when a user tries to log into Azure, they need to enter a password instead of being redirected to google to use their workspace account.

Reading through the documentation, I have set TXT record to use the SSO url indicated by google as DirectFedAuthUrl attribute. I have verified via a different tool that indeed it is set to https://accounts.google.com/o/saml2/idp?idpid=xxxx . Now, what I try to set up SAML in Azure AD using my custom domain it returns an error that direct federation policy does not pass some requirements, and directs me to the documentation. What am I doing wrong?

How can I verify my custom domain so it works with Azure SAML?

Answer 1

• Please check whether the authentication URL entered for sending users to authenticate and receive a token from google matches that with the google's target domain such that when the users try to access the application in azure, they are redirected correctly to google IdP.

• Also, please check if your added custom domain is verified in Azure AD and your domain is not managed through Azure AD because if this is the case then Azure blocks SAML/WS-Fed IdP federation for Azure AD verified domains in favor of native Azure AD managed domain capabilities.

• Ensure that your unique custom domain is registered with one tenant only in Azure AD as currently federation with multiple domains through the same tenant is not supported. Also, check whether the DNS TXT records that you have updated for the custom domain used in Azure AD while setting up federation is correctly setup, ie, the TXT records should be updated for the domain that you have setup in google suite and if it is different than the custom domain used in Azure AD, please set the TXT records as below: -

' fabrikam.com. IN TXT DirectFedAuthUrl=https://fabrikamconglomerate.com/adfs '

In this case, 'fabrikam.com' is the registered domain name but the domain in the authentication URL does not match the registered domain name, so you will need to update the TXT records as above in your public DNS registry. Also, Microsoft has stated in its official documentation that there is a known issue with the above step and they are actively working on resolving it at the earliest as adding a DNS text record to the federating IdP's domain won't unblock authentication.

Please find the below link for more information: -

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation

Answer 2

This is not an answer but more of a tip: try using powershell to get more diagnostic information about why the SAML setup is not working. Some sample powershell in the MS Doc.

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation#to-configure-samlws-fed-idp-federation-in-azure-ad-using-powershell

So for example in the below, I got a much better message than in the portal. Portal just said "Failed to add provider" or similar.

PS C:\WINDOWS\system32> New-AzureADExternalDomainFederation -ExternalDomainName $domainName  -FederationSettings $federationSettings -verbose
New-AzureADExternalDomainFederation : Error occurred while executing NewExternalDomainFederation
Code: Request_BadRequest
Message: PassiveLogOnUri is not supported as it does not match the external domain: MYTESTDOMAIN.com or it is not from one of the supported third party identity providers. To verify the PassiveLogOnUri, please add the PassiveLogOnUri in the DNS TXT record like this
    DirectFedAuthUrl=https://MYTESTB2CTENANT.b2clogin.com/MYTESTB2CTENANT.onmicrosoft.com/B2C_1A_SAMLIdPsignup_signin/samlp/sso/login. 

paramName: passiveLogOnUri, paramValue:
    https://MYTESTB2CTENANT.b2clogin.com/MYTESTB2CTENANT.onmicrosoft.com/B2C_1A_SAMLIdPsignup_signin/samlp/sso/login, objectType: System.String
    RequestId: <some guid>
    DateTimeStamp: Wed, 06 Oct 2021 05:21:27 GMT
    Details: PropertyName  - passiveLogOnUri, PropertyErrorCode  - PassiveLogOnUriNotSupported
    HttpStatusCode: BadRequest
    HttpStatusDescription: Bad Request
    HttpResponseStatus: Completed
    At line:1 char:1
    + New-AzureADExternalDomainFederation -ExternalDomainName $domainName   ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-AzureADExternalDomainFederation], ApiException
        + FullyQualifiedErrorId : Microsoft.Open.AzureADBeta.Client.ApiException,Microsoft.Open.AzureADBeta.PowerShell.NewExternalDomainFederation

Thanks to the error message, I was guided to update the DNS records as indicated however, and that did allow me to register the SAML IDP (in my case Azure B2C).

A side note: Despite now being able to register successfully, B2C as a SAML IDP is not actually working for me yet, I think my issue is probably this:

I guess my next option to try is this:

If the authentication URL is https://fabrikam.com or https://sts.fabrikam.com/adfs (a host in the same domain), no DNS changes are needed.

But that requires an Azure Front Door and I don't fancy setting that up just now https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-custom-policy