Facing Issues with MSOLService Deprecation — Best Practice for Azure SSO with OpenIAM?

Hi everyone,

I’m working on integrating OpenIAM with Microsoft Entra ID (Azure AD) for SAML SSO.
The OpenIAM documentation still references using Connect-MsolService for some parts of the setup, but as you know, MSOL PowerShell is now deprecated, and my tenant has security defaults/modern auth, so MSOL calls fail with Access Denied.

Here’s my situation:

  • OpenIAM is the IdP — Entra ID (Azure) is the SP.
  • I have a working SAML metadata and can import it in Azure.
  • My domain is verified, and I added the DirectFedAuthUrl TXT record properly.
  • The Connect-MsolService part keeps failing due to the deprecation.
  • I can connect with Microsoft Graph PowerShell (Connect-MgGraph works).

What I want:

  • When users authenticate via OpenIAM, they get SSO access to Azure services.
  • When I create or update user accounts or passwords, the changes sync to Entra ID reliably.
  • No legacy MSOL dependency — fully modern Graph API flow.

My questions for the community:

  1. Does anyone have a step-by-step for setting up SAML SSO with OpenIAM as IdP using only Microsoft Graph?
  2. Any custom connectors or Groovy scripts people have made to replace the MSOL calls with Graph API?
  3. How do you handle password writeback or syncing in this setup? Should I force OpenIAM to update AD and let AAD Connect handle the sync to Entra instead?

If you’ve done this with Graph only, please share:

  • Any working scripts
  • Updated connector config
  • Gotchas to watch for

I’m happy to test and share my results back with the community!

Thank you in advance — any tips would help a lot!

Hello Aaron,

Thank you for the post. I am checking with my team and will get back to you shortly.

Ameet


Hello Aaron,

I will post the reply from one of our engineers below:
The client has to use the Microsoft Graph PowerShell SDK.
Install the Microsoft.Graph module via PowerShell:
Install-Module Microsoft.Graph -Scope AllUsers

After installing the Microsoft.Graph module, connect to Azure with Administrator privileges:
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

Please use the following cmdlets:
Get-MgDomainFederationConfiguration -DomainId "openiamdemo.com" | Format-List *   # Check if domain is federated
New-MgDomainFederationConfiguration
Update-MgDomainFederationConfiguration

Soon we will update our documentation to use the Microsoft Graph PowerShell SDK.

Please let me know if you have any questions.

Thanks,
Ameet
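As an added example (not OpenIAM's or Microsoft's own script), the three cmdlets above assembled into one Graph-only federation script. It reads the issuer, SSO endpoint and signing certificate from the IdP metadata OpenIAM exports instead of retyping them, checks that the domain is verified first, and creates or updates the federation depending on whether one already exists. `$Domain`, `$OpenIamHost` and `$MetadataPath` are placeholders, and the `FederatedIdpMfaBehavior` value is an assumption to be set according to the tenant's own policy.

```powershell
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement
# Added example: federate a verified Entra ID domain with OpenIAM as the SAML IdP
# using only the Microsoft Graph PowerShell SDK. All three values below are placeholders.
$Domain       = "federated.example"           # the verified Entra domain to federate
$OpenIamHost  = "openiam.example"             # the OpenIAM deployment
$MetadataPath = ".\openiam-idp-metadata.xml"  # IdP metadata exported from OpenIAM

# Domain.ReadWrite.All is the scope named in the reply above; sign in as an admin.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

# Refuse to federate a domain that is not verified: Entra rejects it anyway, and a typo
# here must not end up pointing federation at the wrong domain.
$dom = Get-MgDomain -DomainId $Domain
if (-not $dom.IsVerified) { throw "$Domain is not verified in this tenant." }

# Take issuer, SSO endpoint and signing certificate from OpenIAM's metadata so that Entra
# validates assertion signatures with the key OpenIAM really signs with.
[xml]$md = Get-Content -Path $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$entity = $md.SelectSingleNode("/md:EntityDescriptor", $ns)
$idp    = $entity.SelectSingleNode("md:IDPSSODescriptor", $ns)
if (-not $idp) { throw "No IDPSSODescriptor found in $MetadataPath" }

$issuerUri = $entity.GetAttribute("entityID")
$ssoNode   = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']", $ns)
$ssoUri    = if ($ssoNode) { $ssoNode.GetAttribute("Location") } else { "https://$OpenIamHost/idp/saml2/idp/login" }
$certNode  = $idp.SelectSingleNode("md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
if (-not $certNode) { throw "No signing certificate found in $MetadataPath" }
# Entra expects the bare base64 DER: no PEM armour, no line breaks.
$signingCert = $certNode.InnerText -replace '\s', ''

# Show the certificate's validity window before trusting it.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($signingCert))
Write-Host "IdP signing certificate: $($x509.Subject), valid until $($x509.NotAfter)"

$params = @{
    DomainId                        = $Domain
    DisplayName                     = "OpenIAM"
    IssuerUri                       = $issuerUri
    PassiveSignInUri                = $ssoUri
    ActiveSignInUri                 = $ssoUri
    SignOutUri                      = "https://$OpenIamHost/idp/saml2/idp/logout"
    SigningCertificate              = $signingCert
    PreferredAuthenticationProtocol = "saml"
    # Assumption: only accept MFA that the IdP itself asserts; align with tenant policy.
    FederatedIdpMfaBehavior         = "acceptIfMfaDoneByFederatedIdp"
}

# Create the federation if the domain is still managed, otherwise update it in place.
$existing = Get-MgDomainFederationConfiguration -DomainId $Domain -ErrorAction SilentlyContinue
if ($existing) {
    Update-MgDomainFederationConfiguration -InternalDomainFederationId $existing.Id @params
} else {
    New-MgDomainFederationConfiguration @params
}

# Read back what Entra stored; every URI must point at the OpenIAM host, not the federated domain.
Get-MgDomainFederationConfiguration -DomainId $Domain |
    Select-Object Id, IssuerUri, ActiveSignInUri, PassiveSignInUri, SignOutUri, PreferredAuthenticationProtocol
```

The script looks up the HTTP-Redirect SingleSignOnService binding because that is the binding Entra uses when it redirects the browser with its AuthnRequest; if the metadata does not list one, it falls back to the `/idp/saml2/idp/login` path shown later in this thread.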

Hi Ameet,

Thanks for sharing the guidance on federating a domain with Microsoft Entra using the Microsoft Graph PowerShell SDK. I followed the steps outlined in the documentation and successfully federated our domain using the New-MgDomainFederationConfiguration cmdlet.

The federation appears to be working as expected — when I go to https://portal.office.com and enter a federated user (e.g., test.user@example.com), I’m redirected to OpenIAM’s login page. OpenIAM receives the SAML AuthnRequest from Entra at /idp/saml2/idp/login, and the login screen renders correctly.

However, after the user logs in, the flow does not complete. The browser remains on the login page, and no SAMLResponse is POSTed back to Microsoft Entra. In the browser console, I’m seeing the following error:

Uncaught (in promise) ReferenceError: dispatchNotification is not defined

This seems to interrupt the login flow before the SAMLResponse is generated and sent back to Entra.

Here’s a summary of the current configuration:

  • RelayState strategy: default (returns original RelayState)
  • NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • NameID value: valid UPN (e.g., test.user@example.com)
  • Audience: urn:federation:MicrosoftOnline
  • ACS URL: https://login.microsoftonline.com/example.com/saml2

It looks like the frontend error may be preventing the SAML session from completing. Has anyone encountered this issue before?

Any insights or suggestions would be greatly appreciated.

Best regards,
Aaron

Hello Aaron,

Could I trouble you to do the following:

  • Share which version of OpenIAM you are using.
  • Run the following cmdlet and share the result:
Get-MgDomainFederationConfiguration -DomainId "Federated domain" | Select-Object ActiveSignInUri, Id, IssuerUri, PassiveSignInUri, PreferredAuthenticationProtocol, SignOutUri
  • Could you also send screenshots of the SAML Identity Provider configuration from OpenIAM?

Thanks,
Ameet

Hi Ameet,

Sure!

ActiveSignInUri :
Id : 2f7dceb7-7b77-495e-a858-c11d03ce1b60
IssuerUri : https://example.com/idp/saml2/idp/login8a80818a97cd9f310197ed500a870123
PassiveSignInUri : https://example.com/idp/saml2/idp/login
PreferredAuthenticationProtocol : saml
SignOutUri :

Cheers,
Aaron

This is the error that occurs when I click on the app in a user’s launchpad

Thank you, Aaron. Could you also share which version of OpenIAM you are running? I will then have one of our team members review your configuration.


Hi Ameet,

Version: 4.2.1.11

Thanks!

Cheers,
Aaron

Hello Aaron,

Could you please try to update Federated Domain using Update-MgDomainFederationConfiguration with the following values:

ActiveSignInUri: https://example.com/idp/saml2/idp/login

SignOutUri: https://example.com/idp/saml2/idp/logout

IssuerUri: https://example.com/idp/saml2/idp/login/8a80818a97cd9f310197ed500a870123

Thanks.

Hi Ameet,

Thanks again for your guidance earlier. I’ve updated the domain federation settings as suggested:

ActiveSignInUri                 : https://example.com/idp/saml2/idp/login  
Id                              : 61e6e564-a829-4474-a986-da2f773056c9  
IssuerUri                       : https://example.com/idp/saml2/idp/login/8a80818a97cd9f310197ed500a870123  
PassiveSignInUri                : https://example.com/idp/saml2/idp/login  
PreferredAuthenticationProtocol: saml  
SignOutUri                      : https://example.com/idp/saml2/idp/logout  

However, I’m now encountering a new issue during SSO:

  • When I use the following as the Assertion Consumer URL:
    https://login.microsoftonline.com/<tenant-id>/saml2
    I receive the error:
    AADSTS90121: Invalid empty request.
  • If I instead use:
    https://login.microsoftonline.com/login.srf
    I get:
    AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.

It seems like Azure AD is not recognizing the tenant context or the request is malformed. Could you advise on the correct Assertion Consumer URL to use in this SAML2 setup with Azure AD?

Appreciate your help!

Best regards,
Aaron Nim

Hi Aaron,

One question:
example.com (as I understand you changed it to hide your real domain): is this a federated domain or is it an OpenIAM domain name?

Best regards,

Dmytro

Hi Dmytro,

Yes, that’s correct: dmfiam.ch is a federated domain in Microsoft Entra ID (formerly Azure AD). I’m currently working on configuring OpenIAM as the Identity Provider (IdP) and Microsoft Entra as the Service Provider (SP) to enable SSO.

Best regards,
Aaron

Hi Aaron,

I would like to ask about your federation configuration:
ActiveSignInUri : https://example.com/idp/saml2/idp/login
Id : 61e6e564-a829-4474-a986-da2f773056c9
IssuerUri : https://example.com/idp/saml2/idp/login/8a80818a97cd9f310197ed500a870123
PassiveSignInUri : https://example.com/idp/saml2/idp/login
PreferredAuthenticationProtocol: saml
SignOutUri : https://example.com/idp/saml2/idp/logout

I see the same example.com in your federated domain configuration (for dmfiam.ch )
What domain are you using instead of example.com in this configuration: is this the federated domain (dmfiam.ch) or the OpenIAM domain name?

Best regards,
Dmytro

Hi Dmytro,

dmfiam.ch is a federated domain that I am using.

Best regards,
Aaron

Hi everyone!

Any update on this issue?

Best regards,
Aaron

Hi Aaron,

Sorry for the delay in replying.
It seems you have a wrong SSO configuration in your domain configuration.
Instead of dmfiam.ch you have to set your OpenIAM address; it should look like this:
ActiveSignInUri : https://openiamexample.com/idp/saml2/idp/login
Id : 61e6e564-a829-4474-a986-da2f773056c9
IssuerUri : https://openiamexample.com/idp/saml2/idp/login/8a80818a97cd9f310197ed500a870123
PassiveSignInUri : https://openiamexample.com/idp/saml2/idp/login
PreferredAuthenticationProtocol: saml
SignOutUri : https://openiamexample.com/idp/saml2/idp/logout

Please use the Update-MgDomainFederationConfiguration cmdlet.

Also we updated our documentation regarding SSO configuration, could you please take a look: https://docs.openiam.com/docs-4.2.1.15/ssocatalog/Azure

Best regards,
Dmytro
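The mistake Dmytro describes (federation URIs that carry the federated domain's host instead of the OpenIAM host) is easy to audit mechanically. As an added example, not OpenIAM's own tooling, the script below reads the current federation record, flags any URI whose host is not the OpenIAM host or that is not HTTPS, decodes the stored signing certificate to check its expiry, and, when `$Fix` is switched on, rewrites only the offending URIs with Update-MgDomainFederationConfiguration while keeping their paths (`/idp/saml2/idp/login`, the issuer path with its trailing ID, and so on). `$Domain` and `$OpenIamHost` are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement
# Added example: audit and repair a federated domain whose SSO URIs point at the wrong host.
$Domain      = "federated.example"   # placeholder: the federated Entra domain
$OpenIamHost = "openiam.example"     # placeholder: host name of the OpenIAM deployment
$Fix         = $false                # set to $true to write corrected URIs back to Entra

Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$fed = Get-MgDomainFederationConfiguration -DomainId $Domain -ErrorAction SilentlyContinue
if (-not $fed) { throw "$Domain is not federated; nothing to audit." }

# Every endpoint Entra redirects the browser to, and the issuer it validates assertions
# against, must live on OpenIAM. The federated domain itself has no IdP endpoints.
$uriProps = "ActiveSignInUri", "PassiveSignInUri", "SignOutUri", "IssuerUri"
$corrections = @{}
foreach ($p in $uriProps) {
    $value = $fed.$p
    if ([string]::IsNullOrWhiteSpace($value)) {
        Write-Warning "$p is empty"
        continue
    }
    $u = [Uri]$value
    if ($u.Scheme -ne "https") {
        Write-Warning "$p is not https: $value"
    }
    if ($u.Host -ne $OpenIamHost) {
        Write-Warning "$p points at host '$($u.Host)', expected '$OpenIamHost'"
        # Rebuild on the OpenIAM host but keep the path, so the issuer's trailing ID survives.
        $corrections[$p] = "https://$OpenIamHost$($u.PathAndQuery)"
    }
}

if ($fed.PreferredAuthenticationProtocol -ne "saml") {
    Write-Warning "PreferredAuthenticationProtocol is '$($fed.PreferredAuthenticationProtocol)', expected 'saml'"
}

# Decode the base64 certificate Entra holds and warn if it is close to expiry: an expired
# IdP signing certificate breaks every federated sign-in at once.
if ($fed.SigningCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "IdP signing certificate '$($cert.Subject)' expires on $($cert.NotAfter)"
    }
} else {
    Write-Warning "No SigningCertificate stored; Entra cannot validate OpenIAM's assertions"
}

if ($corrections.Count -eq 0) {
    Write-Host "All federation URIs already point at $OpenIamHost"
} elseif ($Fix) {
    # Splat only the corrected properties; everything else on the record is left untouched.
    Update-MgDomainFederationConfiguration -DomainId $Domain -InternalDomainFederationId $fed.Id @corrections
    Get-MgDomainFederationConfiguration -DomainId $Domain |
        Select-Object Id, ActiveSignInUri, PassiveSignInUri, SignOutUri, IssuerUri, PreferredAuthenticationProtocol
} else {
    Write-Host "Would update:"
    $corrections.GetEnumerator() | ForEach-Object { Write-Host "  $($_.Key) -> $($_.Value)" }
}
```

Run it once with `$Fix = $false` to see the proposed changes, then again with `$Fix = $true`; the final Get call echoes the record exactly as Ameet asked for it earlier in the thread, so the before/after can be pasted into a ticket.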

Hi Dmytro,

I was able to resolve the previous issue:

Error:
AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.

Solution:
I fixed this by aligning the ImmutableID in Entra with the NameID OpenIAM sends by default (e.g., Test.User). After this change, SSO started working in launchpad.

Current Issue:

When I try to log in via portal.office.com, I am redirected to the OpenIAM login page as expected. However, after entering Login ID, nothing happens—the page just stays there without redirecting back to Microsoft or letting me put the password.

Question:

  1. Is there any additional configuration required in OpenIAM to ensure the SAMLResponse is posted back to the "Sign in to your account" page after successful login?

Thanks for your help and patience!
Best regards,
Aaron
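Aaron's fix for AADSTS90019 was to make the ImmutableID stored in Entra equal to the NameID OpenIAM sends. As an added example (not part of this thread or OpenIAM's code), the script below turns that into a repeatable check: it decodes a SAMLResponse (in practice the base64 value from the browser's network tab; here a constructed sample assertion is embedded so the parsing runs offline), pulls out the assertion's Issuer, NameID, NameID format, Audience and IDPEmail attribute, and optionally compares them against the federation record and the user's OnPremisesImmutableId in Entra. `$Domain`, the sample issuer and the `Read-SamlResponse` helper are all assumptions of this example; the `IDPEmail` attribute name is the claim Microsoft's SAML 2.0 federation documentation expects alongside the NameID.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Added example: compare what OpenIAM asserts with what Entra ID stores for the user.
$Domain            = "federated.example"   # placeholder: the federated Entra domain
$CheckAgainstEntra = $false                # $true to query Graph and compare live values
$Fix               = $false                # $true to set the user's ImmutableId to the NameID

# Constructed sample SAMLResponse (unsigned, for parsing only); a real one is captured from
# the POST to login.microsoftonline.com and pasted as the base64 SAMLResponse form value.
$SampleResponseXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>https://openiam.example/idp/saml2/idp/login/ID-PLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
    <saml:Issuer>https://openiam.example/idp/saml2/idp/login/ID-PLACEHOLDER</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Test.User</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail"><saml:AttributeValue>test.user@federated.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@
$SampleResponseB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($SampleResponseXml))

# Hypothetical helper: decode a base64 SAMLResponse and extract the fields Entra matches on.
# It does not verify the signature; it is an inspection aid, not a validator.
function Read-SamlResponse {
    param([Parameter(Mandatory)][string]$Base64)
    [xml]$x = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64))
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
    $ns.AddNamespace("saml",  "urn:oasis:names:tc:SAML:2.0:assertion")
    $a = $x.SelectSingleNode("/samlp:Response/saml:Assertion", $ns)
    if (-not $a) { throw "Response carries no plaintext Assertion (encrypted, or not a SAML response)" }
    $nameId = $a.SelectSingleNode("saml:Subject/saml:NameID", $ns)
    [pscustomobject]@{
        Issuer       = $a.SelectSingleNode("saml:Issuer", $ns).InnerText
        NameId       = $nameId.InnerText
        NameIdFormat = $nameId.GetAttribute("Format")
        Audience     = $a.SelectSingleNode(".//saml:Audience", $ns).InnerText
        IdpEmail     = $a.SelectSingleNode(".//saml:Attribute[@Name='IDPEmail']/saml:AttributeValue", $ns).InnerText
    }
}

$parsed = Read-SamlResponse -Base64 $SampleResponseB64
$parsed | Format-List

# Offline checks that need no tenant access.
if ($parsed.Audience -ne "urn:federation:MicrosoftOnline") {
    Write-Warning "Audience is '$($parsed.Audience)'; Entra expects urn:federation:MicrosoftOnline"
}
if (-not $parsed.IdpEmail) { Write-Warning "No IDPEmail attribute in the assertion" }

if ($CheckAgainstEntra) {
    Connect-MgGraph -Scopes "Domain.Read.All", "User.ReadWrite.All"

    # The assertion's Issuer must equal the IssuerUri stored on the federated domain.
    $fed = Get-MgDomainFederationConfiguration -DomainId $Domain
    if ($fed.IssuerUri -ne $parsed.Issuer) {
        Write-Warning "Assertion Issuer '$($parsed.Issuer)' != federation IssuerUri '$($fed.IssuerUri)'"
    }

    # Entra matches the NameID against the user's ImmutableId (OnPremisesImmutableId in Graph).
    $user = Get-MgUser -UserId $parsed.IdpEmail -Property Id, UserPrincipalName, OnPremisesImmutableId
    if ($user.OnPremisesImmutableId -ne $parsed.NameId) {
        Write-Warning "User $($user.UserPrincipalName) has ImmutableId '$($user.OnPremisesImmutableId)', assertion NameID is '$($parsed.NameId)'"
        if ($Fix) {
            Update-MgUser -UserId $user.Id -OnPremisesImmutableId $parsed.NameId
            Write-Host "ImmutableId updated to '$($parsed.NameId)'"
        }
    } else {
        Write-Host "ImmutableId and NameID already match for $($user.UserPrincipalName)"
    }
}
```

For Aaron's second problem (no SAMLResponse is posted at all) this script has nothing to decode yet; it becomes useful the moment a response does reach the browser, because a mismatch in any of the five fields it prints is the usual cause of an AADSTS error after the IdP side looks healthy.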