Unable to VPN to Firebox using Passwordless authentication with the new SAML Entra feature

I've followed this guide here and am confident I've configured everything correctly - https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html?tocpath=Self-Help Tools|Integration Guides|General|_____1

I downloaded the latest version of the Mobile VPN software, which allows the SAML option to be selected. I enter the hostname in the Mobile VPN software and select the SAML option; this triggers the authentication process with Entra, which I complete using passwordless MFA, and it then returns this error:

AADSTS75011: Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Watchguard_SAML application owner.

From a quick search, it would appear that the WatchGuard is expecting me to authenticate using a username and password, and because I haven't done that (I've authenticated successfully, but using passwordless MFA) it then doesn't accept this method.

Is it likely I have something set wrong? Is anyone aware of a workaround or setting I could change to allow this? Or do we need to wait for WatchGuard to accept this as a valid authentication method?

Appreciate any feedback / insight anyone can offer.
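An added diagnostic for the error above (this is not part of the original post, and not WatchGuard's or Microsoft's code). AADSTS75011 is what Entra ID returns when the service provider's SAML AuthnRequest carries a RequestedAuthnContext that the completed sign-in does not satisfy; the "Password, ProtectedTransport" in the message are Entra's names for the standard SAML 2.0 context classes urn:oasis:names:tc:SAML:2.0:ac:classes:Password and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. The error text shows the requested classes but not the Comparison attribute, so the script below decodes a SAMLRequest parameter captured from the client (HTTP-Redirect binding: base64 over raw DEFLATE), lists the requested classes and the Comparison, and flags a request that only accepts password-based contexts. The two sample requests, the vpn.example.com URLs and the request IDs are constructed for illustration.

```python
"""Decode a SAML 2.0 AuthnRequest and report which authentication contexts it demands.

Added example; not WatchGuard's or Microsoft's code. The two sample requests
below are constructed for illustration (vpn.example.com is a placeholder).
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Standard SAML 2.0 authentication-context classes (OASIS saml-authn-context-2.0).
# Entra ID reports them as "Password" and "ProtectedTransport" in AADSTS75011.
PASSWORD_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}

# Constructed sample: an SP that pins the IdP to password-based contexts.
PINNED_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-pinned" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://vpn.example.com/saml/acs">
  <saml:Issuer>https://vpn.example.com/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed sample: the same request with no RequestedAuthnContext, so the
# IdP may satisfy it with whatever method its own policy considers adequate.
OPEN_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-open" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://vpn.example.com/saml/acs">
  <saml:Issuer>https://vpn.example.com/saml</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64 (used to build samples)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect(saml_request_param: str) -> str:
    """Reverse of encode_redirect: a captured SAMLRequest query parameter back to XML."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15).decode("utf-8")


def requested_contexts(xml_text: str):
    """Return (comparison, [class URIs]); (None, []) when nothing is requested."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    comparison = rac.get("Comparison", "exact")  # the SAML 2.0 default is "exact"
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, refs


def pins_password_only(xml_text: str) -> bool:
    """True when the SP demands an exact match on password-based classes only.

    A passwordless Entra sign-in (X509 / MultiFactor / PasswordlessPhoneSignIn)
    cannot satisfy such a request, and AADSTS75011 is the result.
    """
    comparison, refs = requested_contexts(xml_text)
    return comparison == "exact" and bool(refs) and all(r in PASSWORD_CLASSES for r in refs)


def analyse(saml_request_param: str) -> dict:
    """Decode a captured SAMLRequest parameter and summarise its context demands."""
    xml_text = decode_redirect(saml_request_param)
    comparison, refs = requested_contexts(xml_text)
    return {
        "comparison": comparison,
        "classes": refs,
        "password_only": pins_password_only(xml_text),
    }


if __name__ == "__main__":
    for label, sample in (("pinned", PINNED_XML), ("open", OPEN_XML)):
        print(label, analyse(encode_redirect(sample)))
```

To use it on a real session, capture the redirect the VPN client makes to login.microsoftonline.com (a local proxy or the browser's network tab), take the SAMLRequest query value, and pass it to analyse(). If the result shows password-only classes with an exact comparison, the demand comes from the service provider's request, and no Entra-side setting (Conditional Access, authentication strengths) can make a passwordless sign-in satisfy it; the request itself has to change.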

Comments

  • This probably should be moved to "Firebox - VPN Mobile User"

  • WG doesn’t support Entra ID Passwordless authentication.
    You need to give Username & Password, you can then use a Security Key (Yubikey) or MS Authenticator as 2FA.
    Stupid, yes; it seems that the WG Product Managers for Authentication are not up to date with what customers need and want nowadays...

  • james.carson Moderator, WatchGuard Representative

    Hi @SamSpronk, @kimmo.pohjoisaho

    There is a feature request open for this. It is SASE-2986.

    If that's something you want to see in the future, I'd strongly suggest making a support case and mentioning SASE-2986. The product managers do not frequent the forums here.

    -James Carson
    WatchGuard Customer Support

  • FYI, I opened a support case to follow that feature request, and the support engineer logged it against this feature request instead, which might help:

    FBX-28331 - Support passwordless authentication with SAML

  • james.carson Moderator, WatchGuard Representative

    Hi @PhilT_VIT
    I checked and they're linked together -- so either one will work. The technicians usually prefer the FBX items, but either will show the PMs that there's interest in that feature.

    -James Carson
    WatchGuard Customer Support

  • Thanks, I've just added a support case referencing the above case IDs
