OIDC Setup on FLEX H

nielsscheldeman (Ally Member)
edited April 28 in USG FLEX H Series

I'm trying to configure OIDC on FLEX H with MS Entra. Tried to follow this guide:

SSLVPN authentication with Microsoft Entra ID — Zyxel Community

But when I press the test button I get this error:

Invalid OIDC authorization_endpoint.
Error Code: (10016)cmd aaa validate-oidc-profile MS365

Normally my Issuer URL, Client ID and secret are identical, but I wonder if it has something to do with the certificate? The guide only mentions potential problems when trying to connect the client? I have a wildcard certificate (.pfx) on my domain name, but can't import it on the FLEX because it's not compatible…

Anyhow, what is also different than in the guide: I'm not using, for example, zyxeltest.com but firewall.zyxeltest.com, because I'm still in the test phase and using an onmicrosoft domain name. Bit stuck here with the error message that doesn't say much…

Edit: looking a bit further, I also don't see any sign in tries on my Entra portal

Ok, so now it seems like my Issuer URL had one "/" too many. Moving on, now I get

OIDC Authentication Test

An error occurred during OIDC processing:

Claim 'email' not found in ID Token claims

But I have allowed all of this:

Permission       Type        Description                                           Admin consent required
email            Delegated   View users' email address                             No
offline_access   Delegated   Maintain access to data you have given it access to   No
openid           Delegated   Sign users in                                         No
profile          Delegated   View users' basic profile                             No
User.Read        Delegated   Sign in and read user profile                         No

Also added: [screenshot omitted]

All Replies

  • Zyxel_Tina (Zyxel Employee)

    Hi @nielsscheldeman,

    Regarding the error "Claim 'email' not found in ID Token claims", this typically means the email attribute is not populated for that user in Entra ID.

    We would suggest first verifying the email property of the user account in Entra ID and make sure it is properly filled in.

    Additionally, if you prefer, you can also configure the OIDC profile on the FLEX H to use "preferred_username" as the username claim instead, which is already included in the default "profile" scope and requires no extra setup on the Entra ID side.

    Zyxel Tina
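Two of the problems in this thread can be reproduced offline: the Issuer URL with one "/" too many (OIDC Discovery requires the configured issuer to be identical to the `issuer` value in the discovery document, so the authorization_endpoint is never resolved), and the missing `email` claim that is fixed by switching the username claim to `preferred_username`. The following Python script is an added example, not Zyxel's or Microsoft's code; the tenant ID, client ID and user are placeholders, the ID token is a constructed, unsigned ("alg": "none") token used only to inspect claims, and no signature verification is performed.

```python
import base64
import json

# --- Constructed sample data (placeholders, not a real Entra tenant or token) ---
# Entra ID v2.0 issuer format with a placeholder tenant ID; the trailing slash
# on CONFIGURED_ISSUER reproduces the mistake described in the thread.
DISCOVERED_ISSUER = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
CONFIGURED_ISSUER = DISCOVERED_ISSUER + "/"

# Claims as a user without a populated mail attribute would receive them:
# the 'profile' scope yields preferred_username, but no 'email' claim appears.
SAMPLE_CLAIMS = {
    "iss": DISCOVERED_ISSUER,
    "aud": "client-id-placeholder",
    "name": "Test User",
    "preferred_username": "test.user@example.onmicrosoft.com",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for offline inspection only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT. No signature verification happens here;
    this only shows which claims the IdP actually placed in the token."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose_username_claim(claims: dict, configured_claim: str = "email") -> dict:
    """Mirror the firewall's check: is the configured username claim present, and
    if not, which commonly used alternative claim could be configured instead?"""
    if configured_claim in claims:
        return {"ok": True, "username": claims[configured_claim]}
    alternatives = [
        c for c in ("preferred_username", "email")
        if c in claims and c != configured_claim
    ]
    return {
        "ok": False,
        "error": f"Claim '{configured_claim}' not found in ID Token claims",
        "alternatives": alternatives,
    }


def check_issuer(configured: str, discovered: str) -> tuple:
    """OIDC Discovery requires the issuer in the discovery document to be identical
    to the configured issuer, so a stray trailing slash already counts as a mismatch."""
    if configured == discovered:
        return True, "issuer matches the discovery document"
    if configured.rstrip("/") == discovered.rstrip("/"):
        return False, "issuer differs only by a trailing slash; remove it from the profile"
    return False, "issuer does not match the discovery document"


def discovery_url(issuer: str) -> str:
    """Where the discovery document (authorization_endpoint, token_endpoint, ...) is fetched."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


if __name__ == "__main__":
    claims = decode_claims(make_unsigned_id_token(SAMPLE_CLAIMS))
    print(check_issuer(CONFIGURED_ISSUER, DISCOVERED_ISSUER))
    print(discovery_url(CONFIGURED_ISSUER))
    print(diagnose_username_claim(claims, "email"))
    print(diagnose_username_claim(claims, "preferred_username"))
```

Running it shows the issuer check failing on the trailing slash alone, the `email` lookup producing the same "Claim 'email' not found in ID Token claims" message the firewall reports, and `preferred_username` resolving to the user. On a real token the claims should only be trusted after the signature has been verified against the keys published at the discovery document's `jwks_uri`; the decoder above is for diagnosis, not for authentication decisions.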

  • nielsscheldeman (Ally Member)

    Ok, now the OIDC Authentication Test is working fine. I added an ext-group-user with the Group Identifier of the security group I want to use and selected this user in Allowed Users in SSL VPN, with OIDC/Entra as the primary server. However, as soon as I log in to the SSL VPN, I get "Access Denied, error ID: …. Please contact your administrator." My user is in the right security group, so I'm a bit stuck now.

    The guide from ZyXEL doesn't mention anything else after the OIDC Authentication Test is successful. It assumes that everything works then.

  • Zyxel_Tina (Zyxel Employee)

    Hi @nielsscheldeman,

    Regarding the issue you have encountered, this behavior is expected. According to the v1.38 release notes, OIDC external group users are currently supported only for captive portal authentication and are not yet supported for SSL VPN authentication; this feature will be enhanced in the future firmware, v1.39.

    Specifically:

    • External group users can be used with OIDC for captive portal integration to enforce user-aware policies.
    • External group user with OIDC authentication is not yet supported for IPsec and SSL VPN on uOS.

    Thank you for your understanding and patience!

    Zyxel Tina

  • nielsscheldeman (Ally Member)

    Ok, so now I'm confused. It means that this guide:

    SSLVPN authentication with Microsoft Entra ID — Zyxel Community

    is not OK then? I don't understand the meaning of that guide then, because that is for SSL VPN.

  • nielsscheldeman (Ally Member)

    Any update please?