nigelss-tf
Copper Contributor
Jun 11, 2024

Google Federation with Entra ID - doesn't support MultipleAuthN SAML claim

Entra ID has a new Microsoft-managed conditional access policy that will be enabled from October 2024. However, Google doesn't support the MultipleAuthN claim that ADFS (and other IdPs) do.

Is there a work-around for this, or do we just need to ensure that the new Microsoft-managed conditional access policy is disabled for all users? Otherwise, we somehow need to enable double MFA (MFA at both Google and Microsoft).

I imagine this might be an issue for any other federated IdPs that don't support this specific SAML claim.

There is a new alternative to the `SupportsMFA` setting in the `Set-MsolDomainFederationSettings` PowerShell command, but it doesn't allow you to 'always assume MFA is utilised in the federation' - https://learn.microsoft.com/en-us/graph/api/internaldomainfederation-update?view=graph-rest-1.0&tabs=http#federatedidpmfabehavior-values

Thanks in advance,

Nigel

2 Replies

    • nigelss-tf
      Copper Contributor

      Thanks Kidd_Ip 
      That might work for B2C but this is Google Workspace SSO as the IdP.  The assertion would need to come from the IdP or be assumed to be true at the SP.

      I found this link, but it looks like it is still under consideration - https://issuetracker.google.com/issues/195687664?pli=1

      Cheers,

      Nigel
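
An added example, not part of the thread and not Microsoft's or Google's code: a Python check of whether a captured SAML assertion carries the MFA claim discussed above, plus a simplified model of how each `federatedIdpMfaBehavior` value then treats an MFA requirement. The sample assertions, function names and outcome labels are constructed for illustration; the claim URIs are the ones Microsoft documents for federated MFA.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim type and value Entra ID looks for as proof that the IdP performed MFA.
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"

def sample_assertion(attributes=""):
    """Constructed, unsigned assertion trimmed to the relevant elements."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="email">'
        "<saml:AttributeValue>user@example.com</saml:AttributeValue>"
        "</saml:Attribute>" + attributes +
        "</saml:AttributeStatement></saml:Assertion>"
    )

PASSWORD_ONLY = sample_assertion()          # what an IdP without the claim sends
WITH_MFA_CLAIM = sample_assertion(
    f'<saml:Attribute Name="{AMR_CLAIM}">'
    f"<saml:AttributeValue>{MULTIPLE_AUTHN}</saml:AttributeValue>"
    "</saml:Attribute>"
)

def asserts_mfa(assertion_xml):
    """True if the assertion carries authnmethodsreferences = multipleauthn.
    Diagnostic only: the signature is not validated here."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != AMR_CLAIM:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if (value.text or "").strip() == MULTIPLE_AUTHN:
                return True
    return False

def mfa_outcome(behavior, assertion_xml):
    """Simplified model of how an MFA requirement is met per setting."""
    idp_did_mfa = asserts_mfa(assertion_xml)
    if behavior == "rejectMfaByFederatedIdp":
        return "entra_performs_mfa"          # IdP claim is ignored
    if behavior not in ("acceptIfMfaDoneByFederatedIdp", "enforceMfaByFederatedIdp"):
        raise ValueError(f"unknown federatedIdpMfaBehavior: {behavior}")
    if idp_did_mfa:
        return "satisfied_by_idp_claim"
    if behavior == "acceptIfMfaDoneByFederatedIdp":
        return "entra_performs_mfa"          # second prompt at Microsoft
    return "redirected_to_idp_for_mfa"
```

Run `asserts_mfa` against an assertion captured from your own tenant's sign-in (for example with a browser SAML tracer) to see which branch applies before the managed policy takes effect.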
