So, I've managed to implement federated identity against Azure AD / Entra / ... using SAML and Keycloak. When I use the browser to log in, everything works as it should:
- I enter the federated account's username / email
- I get redirected to my Keycloak server and authenticate there
- I get redirected back to the website I wanted to access (e.g. Office.com) and am successfully logged in.
The problem then becomes logging into a Windows device also coupled to Entra. I enabled the needed settings via Windows Configuration Designer (most importantly: Web Sign In) and applied that configuration to a test device. Without Web Sign In there's no way to authenticate a Federated User.
Logging into this device via a non-federated user in the Azure AD works fine.
When I try to use the federated user, I get the expected flow:
- Enter the user's email
- Get redirected to Keycloak and auth there
- Get redirected back to Windows
However, then I'm just seeing this:
Which you'll probably agree is the epitome of unhelpful error messages. Not sure where to go from here, as the error message doesn't give me much to go on. When logging into the PC afterwards with a "valid" user, I'm not finding anything useful in the Event Viewer.
So, what do I make of this? I already raised a support ticket with MS (thankfully we're paying for a bit of support) but what little I've gotten from them so far doesn't fill me with hope.
Edit: I think I found a corresponding error in the Event Logs. Namely, an error entry in Application and Service Errors / Microsoft / Windows / AAD / Operational. Therein it states
Http request status: 400. Method: Get Endpoint Uri: https://login.microsoftonline.com/{GUID}/sidtoname
with an EventId of 1025
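For anyone following the same trail, here is a small PowerShell helper for pulling the relevant entries out of the AAD Operational log on the affected device. It is an added example, not something from the post above or from Microsoft, and it assumes the Microsoft-Windows-AAD/Operational log exists on the machine and that Event ID 1025 messages follow the shape quoted in the edit ("Http request status: <code>. Method: <verb> Endpoint Uri: <uri>"). The function name Get-AadHttpErrorEvents and the regexes are my own.

```powershell
# Added example (not from the original post). Assumes the Microsoft-Windows-AAD/Operational
# log is present and that Event ID 1025 messages look like the one quoted in the post:
#   "Http request status: 400. Method: Get Endpoint Uri: https://login.microsoftonline.com/{GUID}/sidtoname"
# Run from an elevated PowerShell session on the device that shows the sign-in failure.
function Get-AadHttpErrorEvents {
    param(
        [int]$EventId   = 1025,   # the event the post identifies as the HTTP failure
        [int]$MaxEvents = 50      # most recent entries to inspect
    )

    # -FilterHashtable is the cheapest way to filter by log name and event ID;
    # SilentlyContinue keeps the call from throwing when no matching events exist.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AAD/Operational'
        Id      = $EventId
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $status = $null; $method = $null; $uri = $null
        # Parse the three fields from the message text; each regex is an assumption
        # about the message format based on the single line quoted in the post.
        if ($e.Message -match 'Http request status:\s*(\d+)') { $status = [int]$Matches[1] }
        if ($e.Message -match 'Method:\s*(\w+)')              { $method = $Matches[1] }
        if ($e.Message -match 'Endpoint Uri:\s*(\S+)')        { $uri    = $Matches[1] }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Status      = $status
            Method      = $method
            Endpoint    = $uri
            Message     = $e.Message
        }
    }
}

# Usage: show only failed requests (HTTP 4xx/5xx), newest first, so the 400 on the
# /sidtoname endpoint stands out and can be correlated with the sign-in attempt time.
Get-AadHttpErrorEvents |
    Where-Object { $_.Status -ge 400 } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Status, Method, Endpoint -AutoSize
```

The point of keeping TimeCreated alongside the parsed fields is correlation: line the failing request up against the time of the Web Sign-in attempt and against the Keycloak server's own access log for the same window, which narrows the problem to either the SAML leg (Keycloak) or the post-authentication call Windows makes to login.microsoftonline.com.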
