Unable to VPN to Firebox using Passwordless authentication with the new SAML Entra feature
I've followed this guide here and I'm confident I've configured everything correctly - https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html?tocpath=Self-Help Tools|Integration Guides|General|_____1
I downloaded the latest version of the Mobile VPN software which allows the SAML option to be selected. I enter the hostname in the Mobile VPN software, select the SAML option, this triggers the authentication process with Entra which I complete using passwordless MFA which then returns this error:
AADSTS75011: Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Watchguard_SAML application owner.
Doing a quick search, it would appear that the WatchGuard is expecting me to authenticate using a username and password, and because I haven't done that (I've authenticated successfully, but using Passwordless MFA) it then doesn't accept this method.
Is it likely I have something set wrong? Is anyone aware of a workaround or setting I could change to allow this? Do we need to wait for WatchGuard to accept this as a valid authentication method?
Appreciate any feedback / insight anyone can offer.
Comments
This probably should be moved to "Firebox - VPN Mobile User"
WG doesn’t support Entra ID Passwordless authentication.
You need to give Username & Password, you can then use a Security Key (Yubikey) or MS Authenticator as 2FA.
Stupid, yes. It seems that the WG Product Managers for Authentication are not up to date with what customers need and want nowadays...
Hi @SamSpronk, @kimmo.pohjoisaho
There is a feature request open for this. It is SASE-2986.
If that's something you want to see in the future, I'd strongly suggest making a support case and mentioning SASE-2986. The product managers do not frequent the forums here.
-James Carson
WatchGuard Customer Support
FYI, I opened a support case to follow that feature request, and the support engineer logged it against this feature request instead, which might help:
FBX-28331 - Support passwordless authentication with SAML
Hi @PhilT_VIT
I checked and they're linked together -- so either or will work. The technicians usually prefer the FBX items, but either will show the PMs that there's interest in that feature.
-James Carson
WatchGuard Customer Support
Thanks, I've just added a support case referencing the above case IDs
Hello @james.carson
Are there any updates on this? We would like to use SAML with Entra ID for our VPN setup, but our users are bound to passkeys (FIDO2) or Windows Hello.
As far as I understood, the culprit is the following part of the SAML request from Firebox to Entra ID:
Possible solution:
Here's documentation from Microsoft: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-AADSTS75011-auth-method-mismatch#resolution
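To make the mismatch concrete, here is an added example (not from the thread, WatchGuard or Microsoft) that decodes an HTTP-Redirect SAMLRequest, reports which AuthnContextClassRef values the service provider pinned, and shows the relaxed request with RequestedAuthnContext omitted, which is the direction the linked Microsoft article points. The sample AuthnRequest is constructed and assumes the request carries a RequestedAuthnContext of PasswordProtectedTransport, consistent with the 'Password, ProtectedTransport' text in the AADSTS75011 message; it is not captured Firebox output.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
# The class Entra ID reports as 'Password, ProtectedTransport' in AADSTS75011.
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample AuthnRequest: ID and issuer are placeholders, not Firebox output.
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://vpn.example.invalid/saml</saml:Issuer>"
    '<samlp:RequestedAuthnContext Comparison="exact">'
    f"<saml:AuthnContextClassRef>{PASSWORD_PT}</saml:AuthnContextClassRef>"
    "</samlp:RequestedAuthnContext></samlp:AuthnRequest>"
)


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (the SAMLRequest query value)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode()) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect(saml_request: str) -> str:
    """Reverse of encode_redirect: run this on a SAMLRequest value taken from a browser trace."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def requested_classes(xml_text: str):
    """(Comparison attribute, list of AuthnContextClassRef URIs); (None, []) if none is sent."""
    rac = ET.fromstring(xml_text).find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs


def blocks_passwordless(xml_text: str) -> bool:
    """True when the SP pins the IdP to password-based contexts only: the AADSTS75011 trigger."""
    _, refs = requested_classes(xml_text)
    return bool(refs) and all(r == PASSWORD_PT for r in refs)


def drop_requested_context(xml_text: str) -> str:
    """Relaxed request: without RequestedAuthnContext, the IdP may satisfy it with any method."""
    root = ET.fromstring(xml_text)
    for rac in root.findall(f"{{{SAMLP}}}RequestedAuthnContext"):
        root.remove(rac)
    return ET.tostring(root, encoding="unicode")
```

Running `blocks_passwordless(decode_redirect(...))` against a captured SAMLRequest tells you whether the service provider, not the IdP, is what forces the password prompt.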
Hi @Matthias_ARH
If you'd like a status on that request, please open a support case and mention FBX-28331. The technician that is assigned your case can set that up for you.
There is no update on this request as of today.
-James Carson
WatchGuard Customer Support