Unable to VPN to Firebox using Passwordless authentication with the new SAML Entra feature

SamSpronk

I've followed this guide here and confident I've configured everything correctly - https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html?tocpath=Self-Help Tools|Integration Guides|General|_____1

I downloaded the latest version of the Mobile VPN software which allows the SAML option to be selected. I enter the hostname in the Mobile VPN software, select the SAML option, this triggers the authentication process with Entra which I complete using passwordless MFA which then returns this error:

AADSTS75011: Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Watchguard_SAML application owner.

Doing a quick search it would appear that the watchguard is expecting me to authenticate using a username and password and because I haven't done that (I've authenticated successfully but using Passwordless MFA) it then doesn't accept this method.

Is it likely I have something set wrong, anyone aware of a workaround or setting I could change to allow this? Do we need to wait for Watchguard to accept this as a valid authentication method.

Appreciate any feedback / insight anyone can offer.

SamSpronk

This probably should be moved to "Firebox - VPN Mobile User"

kimmo.pohjoisaho

WG doesn’t support Entra ID Passwordless authentication.
You need to give Username & Password, you can then use a Security Key (Yubikey) or MS Authenticator as 2FA.
Stupid yes, seems that the WG Product Managers for Authentication are not up to date for what customers need and want nowadays...

james.carson

Hi @SamSpronk, @kimmo.pohjoisaho

There is a feature request open for this. It is SASE-2986.

If that's something you want to see in the future, I'd strongly suggest making a support case and mentioning SASE-2986. The product managers do not frequent the forums here.

PhilT_VIT

FYI I opened a support case to follow that feature request and the support engineer logged it against this feature request instead which might help:

FBX-28331- Support passwordless authentication with SAML

james.carson

Hi @PhilT_VIT
I checked and they're linked together -- so either or will work. The technicians usually prefer the FBX items, but either will show the PMs that there's interest in that feature.

SamSpronk

Thanks, I've just added a support case referencing the above case IDs

Matthias_ARH

Hello @james.carson

are there any updates on this? We would like to use SAML with Entra ID for our VPN setup but our users are bound to passkeys (FIDO2) or Windows Hello.

As far as I understood, the culprit is the following part of the SAML request from Firebox to Entra ID:

• RequestedAuthnContext is part of the SAML request
• RequestedAuthnContext is an optional value defining the supported authentication methods

Possible solution:

• Remove the RequestedAuthnContext part to allow other authentication methods (e.g.FIDO2, Windows Hello, etc).

Here's a documentation from Microsoft: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-AADSTS75011-auth-method-mismatch#resolution

james.carson

Hi @Matthias_ARH
If you'd like a status on that request, please open a support case and mention FBX-28331. The technician that is assigned your case can set that up for you.

There is no update on this request as of today.