OIDC Setup on FLEX H

nielsscheldeman
nielsscheldeman Posts: 111, Ally Member
edited April 28 in USG FLEX H Series

I'm trying to configure OIDC on FLEX H with MS Entra. Tried to follow this guide:

SSLVPN authentication with Microsoft Entra ID — Zyxel Community

But when I press the test button I get this error:

Invalid OIDC authorization_endpoint.
Error Code: (10016)cmd aaa validate-oidc-profile MS365

Normally my Issuer URL, Client ID and secret are identical, but I wonder if it has something to do with the certificate? The guide only mentions potential problems when trying to connect the client…? I have a wildcard certificate (.pfx) on my domain name, but can't import it on the FLEX because it's not compatible…

Anyhow, what is also different from the guide: I'm not using, for example, zyxeltest.com but firewall.zyxeltest.com, because I'm still in the test phase and using an onmicrosoft domain name. Bit stuck here with this error message that doesn't say much…

Edit: looking a bit further, I also don't see any sign-in attempts on my Entra portal.

Ok, so now it seems my Issuer URL had one "/" too many. Moving on, now I get:

OIDC Authentication Test

An error occurred during OIDC processing:

Claim 'email' not found in ID Token claims

But I have allowed all of this (API permissions on the Entra app registration):

Permission       Type       Description                                           Admin consent required
email            Delegated  View users' email address                             No
offline_access   Delegated  Maintain access to data you have given it access to   No
openid           Delegated  Sign users in                                         No
profile          Delegated  View users' basic profile                             No
User.Read        Delegated  Sign in and read user profile                         No

Also added: [screenshot]

All Replies

  • Zyxel_Tina
    Zyxel_Tina Posts: 823, Zyxel Employee

    Hi @nielsscheldeman,

    Regarding the error "Claim 'email' not found in ID Token claims", this typically means the email attribute is not populated for that user in Entra ID.

    We would suggest first verifying the email property of the user account in Entra ID and making sure it is properly filled in.


    Additionally, if you prefer, you can also configure the OIDC profile on the FLEX H to use "preferred_username" as the username claim instead, which is already included in the default "profile" scope and requires no extra setup on the Entra ID side.


    Zyxel Tina
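
The two symptoms in this thread (a trailing "/" on the Issuer URL, and an ID token that carries no email claim) can both be reproduced offline. The script below is an added example written for this page; it is not Zyxel's code, not the poster's, and not the FLEX H's own validation logic. The discovery document, the TENANT-ID-PLACEHOLDER tenant id, the user names and the unsigned demo token are all constructed, and the fallback from "email" to "preferred_username" follows Tina's suggestion above.

```python
# Added example (not Zyxel's code nor the poster's): offline checks for the two
# symptoms in this thread. Tenant id, hostnames and user values are placeholders.
import base64
import json
from urllib.parse import urlsplit

# Constructed OpenID Provider metadata in the shape of a discovery document.
# TENANT-ID-PLACEHOLDER stands in for a real Entra tenant id.
SAMPLE_DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
}


def normalize_issuer(issuer):
    """Drop trailing slashes: 'https://x/v2.0/' and 'https://x/v2.0' name the same issuer."""
    return issuer.rstrip("/")


def discovery_url(issuer):
    """OIDC Discovery: metadata lives at <issuer>/.well-known/openid-configuration.
    Naive concatenation of an issuer ending in '/' yields '//.well-known/...'."""
    return normalize_issuer(issuer) + "/.well-known/openid-configuration"


def issuer_matches(configured, discovered):
    """True when the issuer typed into the profile equals the provider's own issuer."""
    return normalize_issuer(configured) == normalize_issuer(discovered)


def check_authorization_endpoint(discovery, configured_issuer):
    """Return a list of problems with authorization_endpoint; empty means it passes."""
    problems = []
    endpoint = discovery.get("authorization_endpoint")
    if not endpoint:
        return ["authorization_endpoint missing from discovery document"]
    if not issuer_matches(configured_issuer, discovery.get("issuer", "")):
        problems.append("configured issuer does not match discovered issuer")
    u = urlsplit(endpoint)
    if u.scheme != "https":
        problems.append("authorization_endpoint must use https")
    if u.netloc != urlsplit(discovery["issuer"]).netloc:
        problems.append("authorization_endpoint host differs from issuer host")
    return problems


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_unsigned_token(payload):
    """Constructed, UNSIGNED JWT (alg 'none') used only to feed the inspector below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def id_token_claims(id_token):
    """Decode the claims of a compact JWT without verifying it. Useful only for
    seeing which claims the provider issued; a real relying party must verify
    the signature against the issuer's JWKS before trusting anything in here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def pick_username(claims, candidates=("email", "preferred_username")):
    """Return (claim_name, value) for the first usable username claim, mirroring
    a profile that tries 'email' first and falls back to 'preferred_username'."""
    for name in candidates:
        if claims.get(name):
            return name, claims[name]
    raise KeyError(f"none of {candidates} found in ID Token claims")


if __name__ == "__main__":
    # Constructed values; the issuer carries the stray trailing slash from the thread.
    typed_issuer = SAMPLE_DISCOVERY["issuer"] + "/"
    print(discovery_url(typed_issuer))
    print(check_authorization_endpoint(SAMPLE_DISCOVERY, typed_issuer))
    token = make_unsigned_token({"iss": SAMPLE_DISCOVERY["issuer"],
                                 "preferred_username": "user@contoso.onmicrosoft.com"})
    print(pick_username(id_token_claims(token)))
```

Run it as a script to see the normalized discovery URL and the claim chosen for a token that has preferred_username but no email. Decoding without verification is deliberate here: the point is to see what the provider actually put in the token before the firewall rejects it, never to accept the token.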

  • nielsscheldeman
    nielsscheldeman Posts: 111, Ally Member

    Ok, now the OIDC Authentication Test is working fine. I added an ext-group-user with the Group Identifier of the security group I want to use, selected this user in Allowed Users in SSL VPN, and set the primary server to OIDC/Entra. However, as soon as I log in to the SSL VPN, I get "Access Denied, error ID: …. Please contact your administrator." My user is in the right security group, so I'm a bit stuck now.

    The guide from ZyXEL doesn't mention anything else after the OIDC Authentication Test is successful. It assumes that everything works then.