Authpoint / Office 365 and multiples domains.
Hello all,
I activated this day Authpoint for Office 365 for a customer.
This customer has 2 domains (lets say domain1.com and domain2.com).
If i activate Authpoint "basically" (not adding the 2nd domain in the powershell script) , everyting works fine : Push received, authentication successful, and access to Office 365 granted.
To add the 2nd domain in the powershell script, i follow this instructions :
"To federate more than one domain with AuthPoint, for each additional domain, you must append "?|seconddomain.com" at the end of the $uri parameter. "
So, my $uri line should look like this :
$uri = "https://sp.authpoint.cloud.watchguard.com/WGC-2-06628551edXXXXXXXXX?domain2.com"
(on 1 line obviously)
With this parameters activated, when i test Office 365 access, i got the error below :
AADSTS50107 Requested federation realm object does not exist"
So adding the second domain to Authpoint break Office 365 authentication.
Am i doing this right ? Anyone has successfully made Authpoint work with multi-domain Office 365 tenants ?
Thanks for help,
BV
Comments
Nervermind, i found the solution. Logically, 2nd domain cannot use the same $uri as the main domain. Documentation just could be clearer and states that you have to do the same powershell actions for the 2nd domain, and add the " ?seconddomain.com" in the $uri parameter.
BV
To add some additional context to the above post. I also had the same issue and spoke to Watchguard. When federating multiple domains, you have to make 2 changes to the varibles, rather than just to the $uri variable as it sounds in the guide.
The first change is to the $dom varible for the second domain. You need to update this variable aswell to the second domain, but just in the normal format. So as an example $dom="domain2.com"
The second variable change is to the $uri variable as advised in the guide. This variable requires the addition of the ?domain2.com adding to the end of the existing string. So for the above example it would be $uri = "https://sp.authpoint.cloud.watchguard.com/WGC-2-06628551edXXXXXXXXX?domain2.com"
Once the 2 variables have been updated, running the federation command will federate the second domain. Repeat the above changes for each additional domain you need to federate for the same tenant.
I agree with the original poster, than an extra line in the 2FA guide to simply say, "If federating more than one domain, for each additional domain repeat the above steps, however amend the $dom variable to the additional domain each time, and update the $uri variable with ? at the end.
This works if you have multiple domain on the same 365 tenant but over different tenant, the process fails and its seem without solution....