Adaxes

One domain managing another

0 votes

We have two AD domains, DomainA and DomainB. DomainA has a service desk that needs to manage DomainB users. Logins are done through EntraID SAML.

In DomainB, there is a group with foreign security principals of DomainA users, that has security role to allow management. FSPs don't sync with AzureAD Connect so at first they couldn't even get past SAML. We've then put in their DomainB contacts, which allow for SAML to succeed.

When DomainA users login through SAML, they are greeted with an error stating that Domain 'domaina.org' is not managed by Adaxes (no logon information provided). We don't wish to manage Azure or DomainA through Adaxes, just DomainB.

by (60 points)

1 Answer

0 votes
by (301k points)

Hello Bennett,

Unfortunately, there is no such possibility. Only users from managed domains can log in. Also, currently, Entra ID (Azure) users cannot log in to Adaxes. The feature is planned for future releases.

0

Hi, can you clarify when you say Entra ID users cannot log in, is this outdated? I am using Entra ID for SAML logins and it works, but only when the user's on-premises username/UPN matches their Azure UPN (using our first.last@company.com email format).

There are many users in our AD including other Adaxes admins that have a username like lastf@ad.company.com and these users are unable to sign into the Adaxes web pages, even though their Azure UPN is the correct format. Is there a way to fix that without having to alter their on-premises username?

by (0 points)
0

Hello,

can you clarify when you say Entra ID users cannot log in, is this outdated? I am using Entra ID for SAML logins and it works

It is still the on-premises user account that actually logs in even is Entra SAML is used. What we meant is that if you register your Entra domain in Adaxes, users from it will not be able to log in. The feature is in our TODO list.

There are many users in our AD including other Adaxes admins that have a username like lastf@ad.company.com and these users are unable to sign into the Adaxes web pages

Are you able to see the user accounts in Adaxes (e.g. when browsing your AD)? Do they belong to an on-premises AD domain?

by (301k points)

Related questions

0 votes
1 answer
We're having trouble allowing our helpdesk to add users located in one domain to groups located in another domain

They can navigate to both the user or the group within the ADAXES web interface without issue. They can then either Add to Group or Add Member but the resulting ... something to the web interface which prevents changing the lookup domain. Any ideas? Thanks!

asked Apr 9, 2020 by VTPatsFan (610 points)
0 votes
1 answer
isolated DomainA,DomainB. Common Adaxes service server for both managing DomainA,DomainB as managed domain

hello, We are doing poc for Adaxes software. Our need: Adaxes as front end to manage multiple isolated domains with no trust e.g. Domain A, Domain B. We deployed ... domain B always gives error "User or password is not correct". Is this toplogy supported

asked Jul 11, 2024 by VBahubali (40 points)
0 votes
1 answer
Allow one department to modify group members who are from another department

We have a potentially complicated sitaution and so far I have no found a solution. Any suggestions will be greatly appreciated. We have specific security groups that ... or see any user details other than the memberships for these specific security groups.

asked Jan 2, 2023 by WannabeGuru (20 points)
0 votes
1 answer
copy groups from one user to another

goal is to copy groups from one user to another during the crete user process. I created a variable on the create user form to input the UPN of the ... primaryGroupToken") -eq $primaryGroupId) { continue } $group.Remove($Context.TargetObject.AdsPath) } }

asked Nov 30, 2021 by Derek.Axe (480 points)
0 votes
1 answer
Powershell: Removing a user from one group and adding to another via Scheduled Task

I have a scheduled task that runs a Powershell script against an AD group, "Group 1". I need to get all of the members of Group 1, and add them to Group 2. The ... identity in the error message start with 'user;'? What is the correct way to accomplish this?

asked Aug 27, 2019 by ngb (360 points)
3,681 questions
3,363 answers
8,515 comments
549,414 users