OIDC Setup on FLEX H

nielsscheldeman
edited April 28 in USG FLEX H Series

I'm trying to configure OIDC on FLEX H with MS Entra. Tried to follow this guide:

SSLVPN authentication with Microsoft Entra ID — Zyxel Community

But when I press the test button I get this error:

Invalid OIDC authorization_endpoint.
Error Code: (10016)cmd aaa validate-oidc-profile MS365

Normally my Issuer URL, Client ID and secret are identical, but I wonder if it has something to do with the certificate? The guide only mentions potential problems when trying to connect the client? I have a wildcard certificate (.pfx) on my domain name, but can't import it on the FLEX because it's not compatible…

Anyhow, what is also different from the guide: I'm not using for example zyxeltest.com but firewall.zyxeltest.com, because I'm still in the test phase and using an onmicrosoft domain name. Bit stuck here with the error message that doesn't say much…

Edit: looking a bit further, I also don't see any sign-in attempts in my Entra portal.

Ok, so now it seems my Issuer URL had one "/" too many. Moving on, now I get:

OIDC Authentication Test

An error occurred during OIDC processing:

Claim 'email' not found in ID Token claims

But I have allowed all of this (API permissions on the Entra app registration):

API / Permission name   Type        Description                                            Admin consent required
email                   Delegated   View users' email address                              No
offline_access          Delegated   Maintain access to data you have given it access to    No
openid                  Delegated   Sign users in                                          No
profile                 Delegated   View users' basic profile                              No
User.Read               Delegated   Sign in and read user profile                          No

Also added: [screenshot]

All Replies

  • Zyxel_Tina (Zyxel Employee)

    Hi @nielsscheldeman,

    Regarding the error "Claim 'email' not found in ID Token claims", this typically means the email attribute is not populated for that user in Entra ID.

    We would suggest first verifying the email property of the user account in Entra ID and making sure it is properly filled in.

    Additionally, if you prefer, you can also configure the OIDC profile on the FLEX H to use "preferred_username" as the username claim instead, which is already included in the default "profile" scope and requires no extra setup on the Entra ID side.


    Zyxel Tina
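The two errors in this thread come from two separate stages of the OIDC flow: the profile test fetches the discovery document from the Issuer URL and validates its endpoints (an extra trailing "/" on the issuer breaks that), and the login test looks for the configured username claim in the ID token (an account with an empty mail property yields no "email" claim, while "preferred_username" from the "profile" scope is still there). The script below is an added example written for this thread, not Zyxel firmware code or the Entra ID SDK: it normalizes the issuer, checks a discovery document the way a profile test would, and shows the claim lookup with the fallback Tina describes. The discovery document, the tenant id placeholder and the ID token claims are constructed sample data; signature verification against jwks_uri is a separate step that is not shown.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample of what <issuer>/.well-known/openid-configuration returns for
# an Entra ID v2.0 issuer. TENANT-ID-PLACEHOLDER stands in for the real tenant id.
SAMPLE_DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/discovery/v2.0/keys",
}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def normalize_issuer(issuer: str) -> str:
    """The issuer is compared byte-for-byte with the token's 'iss' claim and is the
    base of the discovery URL, so a stray trailing '/' breaks both uses."""
    return issuer.strip().rstrip("/")


def discovery_url(issuer: str) -> str:
    return normalize_issuer(issuer) + "/.well-known/openid-configuration"


def validate_discovery(doc: dict, configured_issuer: str) -> list:
    """Return the problems a profile test would report; an empty list means OK."""
    problems = []
    if doc.get("issuer") != normalize_issuer(configured_issuer):
        problems.append("issuer mismatch: %r vs configured %r" % (doc.get("issuer"), configured_issuer))
    for key in REQUIRED_ENDPOINTS:
        parsed = urlparse(doc.get(key) or "")
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append("Invalid OIDC %s" % key)
    return problems


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def id_token_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def pick_username_claim(claims: dict, candidates=("email", "preferred_username")):
    """Return (claim_name, value) for the first candidate that is present and non-empty;
    otherwise raise with the wording the firewall uses for the first candidate."""
    for name in candidates:
        if claims.get(name):
            return name, claims[name]
    raise KeyError("Claim '%s' not found in ID Token claims" % candidates[0])


def make_sample_token(claims: dict) -> str:
    """Build a constructed token for the demo; the signature segment is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".DUMMY-SIGNATURE"


# Constructed claim sets: an account with an empty mail property carries no 'email'
# claim but still gets 'preferred_username' from the 'profile' scope.
CLAIMS_NO_EMAIL = {"iss": SAMPLE_DISCOVERY["issuer"], "sub": "abc123",
                   "preferred_username": "user@example.onmicrosoft.com", "name": "Test User"}
CLAIMS_WITH_EMAIL = dict(CLAIMS_NO_EMAIL, email="user@example.onmicrosoft.com")

if __name__ == "__main__":
    issuer = SAMPLE_DISCOVERY["issuer"] + "/"   # the extra slash from the thread
    print(discovery_url(issuer))
    print("discovery problems:", validate_discovery(SAMPLE_DISCOVERY, issuer))
    token = make_sample_token(CLAIMS_NO_EMAIL)
    try:
        print(pick_username_claim(id_token_claims(token), ("email",)))
    except KeyError as exc:
        print("profile set to 'email':", exc)
    print("fallback:", pick_username_claim(id_token_claims(token)))
```

Running it reproduces both situations from the thread: the discovery check passes only after the trailing slash is stripped, and the claim lookup fails with "Claim 'email' not found" until the profile is allowed to fall back to "preferred_username". The same decode step is a quick way to inspect a real ID token from the browser's network log and see which claims the tenant actually issues for a given account.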