SAML EntraID Guest access not loading Microsoft login page

Hi, 

So we set up ISE and Entra ID integration with SAML.

Access works fine for notebooks (tested on 10+ devices), but I am running into an issue on some mobile devices.

For some Android and iPhone devices, after the redirect to login.microsoftonline.com the page does not open - blank screen with the URL only - without any error. Let's say of 10 tested devices, half are working and the other half are stuck on the same problem (loading the Microsoft login page).

I've checked the firewall and I can see a flow to the Internet from the problematic client IP pointing to login.microsoftonline.com (TCP reset from the client side and TCP FIN).

Also my pre-auth URL filter list is not working if I put a deny statement in -> in this guide there is a deny statement for the URL filter list pointing to the Microsoft login page.

 

https://community.cisco.com/t5/security-knowledge-base/ise-byod-flow-using-entra-id/ta-p/4400675

 

 

Anyone have any hint where to look further?

6 Replies

Try opening the URL in a browser.

See if the page is secure or not.

If not, you need to add the CA cert.

MHM

Page is secured.

Did you check the traffic between the client and Microsoft in the FW?

Traffic must not pass via the FW before user authc.

MHM

You also have the logs attached.

But I think that you are wrong.

 

I should be able to see this traffic on my FW - check the flow:

[screenshot attached: DanijelTurkovic_0-1753706729355.png]

 

 

That is why you need to use the pre-auth URL filter list to allow this traffic.

 

 

I think I resolved my problem by adding a new URL list.

Looks like this list from Greg's guide needs to be extended for Android and iPhone.

So from this:

login.microsoftonline.com
aadcdn.microsoftonline-p.com
aadcdn.msauth.net

I've increased the list to this - found it on a forum:

 

login.live.com
go.microsoft.com
aadcdn.msauth.net
aadcdn.msftauth.net
graph.microsoft.com
app.vssps.dev.azure.com
login.microsoftonline.com
app.vssps.visualstudio.com
login.microsoftonline-p.com
management.core.windows.net
secure.aadcdn.microsoftonline-p.com

And now the problematic phones are opening login.microsoftonline.com without any issue.
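To see why the shorter list from the guide fails on some phones while the extended one works, here is an added example (not code from the thread or from Cisco ISE) that extracts the TLS SNI hostnames a client contacted during the login redirect chain from constructed firewall log lines and reports which ones a given pre-auth URL list does not cover. It assumes the list is matched as exact hostnames and that the log format and hostname example-cdn.invalid are hypothetical.

```python
import re

# The original list from the guide and the extended list from the post above.
GUIDE_URL_LIST = {
    "login.microsoftonline.com",
    "aadcdn.microsoftonline-p.com",
    "aadcdn.msauth.net",
}
EXTENDED_URL_LIST = GUIDE_URL_LIST | {
    "login.live.com", "go.microsoft.com", "aadcdn.msftauth.net",
    "graph.microsoft.com", "app.vssps.dev.azure.com",
    "app.vssps.visualstudio.com", "login.microsoftonline-p.com",
    "management.core.windows.net", "secure.aadcdn.microsoftonline-p.com",
}

# Constructed sample log lines (hypothetical format) for one failing phone.
SAMPLE_LOG = """\
2025-07-28 14:05:01 src=10.10.20.55 sni=login.microsoftonline.com action=allow
2025-07-28 14:05:02 src=10.10.20.55 sni=aadcdn.msftauth.net action=allow
2025-07-28 14:05:02 src=10.10.20.55 sni=aadcdn.msauth.net action=allow
2025-07-28 14:05:03 src=10.10.20.55 sni=login.live.com action=reset
2025-07-28 14:05:03 src=10.10.20.55 sni=example-cdn.invalid action=reset
"""

HOST_RE = re.compile(r"\bsni=(?P<host>[A-Za-z0-9.-]+)")


def observed_hosts(log_text: str) -> set[str]:
    """Return every SNI hostname seen in the log text, lower-cased."""
    return {m.group("host").lower() for m in HOST_RE.finditer(log_text)}


def is_allowed(host: str, url_list: set[str]) -> bool:
    """Exact hostname match (assumed semantics of the pre-auth URL list)."""
    return host.lower() in url_list


def missing_from_list(log_text: str, url_list: set[str]) -> set[str]:
    """Hosts the client contacted that the pre-auth URL list does not cover."""
    return {h for h in observed_hosts(log_text) if not is_allowed(h, url_list)}


if __name__ == "__main__":
    for name, url_list in (("guide", GUIDE_URL_LIST), ("extended", EXTENDED_URL_LIST)):
        for host in sorted(missing_from_list(SAMPLE_LOG, url_list)):
            print(f"{name} list does not cover: {host}")
```

Any host it prints for the list you actually deployed is a candidate to add, or to drop from a deny statement, before the redirect can complete on that device.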

 

Thanks for the update @Danijel Turkovic. I've updated my blog post with this list as well.