Unable to VPN to Firebox using Passwordless authentication with the new SAML Entra feature

I've followed this guide here and confident I've configured everything correctly - https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html?tocpath=Self-Help Tools|Integration Guides|General|_____1

I downloaded the latest version of the Mobile VPN software which allows the SAML option to be selected. I enter the hostname in the Mobile VPN software, select the SAML option, this triggers the authentication process with Entra which I complete using passwordless MFA which then returns this error:

AADSTS75011: Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Watchguard_SAML application owner.

Doing a quick search, it would appear that the WatchGuard is expecting me to authenticate using a username and password, and because I haven't done that (I've authenticated successfully, but using passwordless MFA) it then doesn't accept this method.

Is it likely I have something set wrong? Is anyone aware of a workaround or setting I could change to allow this? Or do we need to wait for WatchGuard to accept this as a valid authentication method?

Appreciate any feedback / insight anyone can offer.

Comments

  • This probably should be moved to "Firebox - VPN Mobile User"

  • WG doesn’t support Entra ID Passwordless authentication.
    You need to give Username & Password, you can then use a Security Key (Yubikey) or MS Authenticator as 2FA.
    Stupid yes, seems that the WG Product Managers for Authentication are not up to date for what customers need and want nowadays...

  • james.carson Moderator, WatchGuard Representative

    Hi @SamSpronk, @kimmo.pohjoisaho

    There is a feature request open for this. It is SASE-2986.

    If that's something you want to see in the future, I'd strongly suggest making a support case and mentioning SASE-2986. The product managers do not frequent the forums here.

    -James Carson
    WatchGuard Customer Support

  • FYI I opened a support case to follow that feature request and the support engineer logged it against this feature request instead which might help:

    FBX-28331 - Support passwordless authentication with SAML

  • james.carson Moderator, WatchGuard Representative

    Hi @PhilT_VIT
    I checked and they're linked together -- so either or will work. The technicians usually prefer the FBX items, but either will show the PMs that there's interest in that feature.

    -James Carson
    WatchGuard Customer Support

  • Thanks, I've just added a support case referencing the above case IDs.

  • Hello @james.carson

    Are there any updates on this? We would like to use SAML with Entra ID for our VPN setup, but our users are bound to passkeys (FIDO2) or Windows Hello.

    As far as I understood, the culprit is the following part of the SAML request from Firebox to Entra ID:

    • RequestedAuthnContext is part of the SAML request
    • RequestedAuthnContext is an optional value defining the supported authentication methods

    Possible solution:

    • Remove the RequestedAuthnContext part to allow other authentication methods (e.g. FIDO2, Windows Hello, etc.).

    Here's a documentation from Microsoft: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-AADSTS75011-auth-method-mismatch#resolution
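    The following is an added example, not code from the thread or from WatchGuard, that shows what the element described above looks like inside an SP-initiated SAML AuthnRequest and how to check a captured SAMLRequest for it. The sample request is constructed for illustration (the IDs, tenant and hostnames are made up); the only real constant is the standard SAML 2.0 class URI urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, which is the "Password, ProtectedTransport" method named in the AADSTS75011 message. The decode helper assumes the HTTP-Redirect binding (base64 over raw DEFLATE), which is how a SAMLRequest appears in the browser's redirect URL to login.microsoftonline.com.

```python
"""Inspect a SAML 2.0 AuthnRequest for RequestedAuthnContext and show the
request without it. Added example; the sample request below is constructed
and is not a capture from a Firebox."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Standard SAML 2.0 authentication context class for password over TLS.
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample: an SP-initiated AuthnRequest that pins the context to
# PasswordProtectedTransport. All identifiers and URLs are hypothetical.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://login.microsoftonline.com/example-tenant/saml2" AssertionConsumerServiceURL="https://vpn.example.com/saml/acs">
  <saml:Issuer>https://vpn.example.com/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def decode_redirect_binding(saml_request_param: str) -> str:
    """Decode a SAMLRequest value from the HTTP-Redirect binding.
    The value (already URL-decoded) is base64(DEFLATE(xml)) with no zlib header."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_binding(xml_text: str) -> str:
    """Inverse of decode_redirect_binding, used here to build test input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def requested_authn_classes(xml_text: str) -> list[str]:
    """Return the AuthnContextClassRef values the SP is demanding, if any."""
    root = ET.fromstring(xml_text)
    refs = root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return [r.text.strip() for r in refs if r.text]


def pins_to_password(xml_text: str) -> bool:
    """True when every requested class is PasswordProtectedTransport, i.e. the
    request cannot be satisfied by a passwordless (FIDO2 / Windows Hello) sign-in."""
    classes = requested_authn_classes(xml_text)
    return bool(classes) and all(c == PASSWORD_PT for c in classes)


def strip_requested_authn_context(xml_text: str) -> str:
    """Return the request with RequestedAuthnContext removed (what the Microsoft
    resolution asks the SP to do). Only the SP that builds and signs the request
    can apply this; it is shown here to make the difference concrete."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    root = ET.fromstring(xml_text)
    for rac in root.findall("samlp:RequestedAuthnContext", NS):
        root.remove(rac)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Round-trip through the redirect binding as a capture from a browser would look.
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    xml_text = decode_redirect_binding(param)
    print("Requested classes:", requested_authn_classes(xml_text))
    print("Pinned to password:", pins_to_password(xml_text))
    print(strip_requested_authn_context(xml_text))
```

    To confirm the diagnosis against a real Firebox, copy the SAMLRequest query parameter from the redirect to login.microsoftonline.com (URL-decode it first) and pass it to decode_redirect_binding; if requested_authn_classes reports only PasswordProtectedTransport, Entra will reject any passwordless sign-in with exactly the AADSTS75011 error quoted in the original post. The stripped form is illustrative only: the Firebox builds that request itself, so removing the element is a change only WatchGuard can make.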

  • james.carson Moderator, WatchGuard Representative

    Hi @Matthias_ARH
    If you'd like a status on that request, please open a support case and mention FBX-28331. The technician that is assigned your case can set that up for you.

    There is no update on this request as of today.

    -James Carson
    WatchGuard Customer Support
