How to choose SAML over Google Password authentication in GCP - azure

I am facing an issue with GCP and unmanaged users.
After using the transfer tool to invite someone in the organization, he unfortunately didn't read the email and the invitation timed out.
For some reason I was not able to resend the invitation, so I instead decided to create a new user.
However he keeps getting the following error now:
I checked the logs and I figured he is not using the same login type as other people: SAML being me and Google password being the user having the issue.
Can anyone help me on how to enforce using SAML on the authentication?
I am using Azure AD as IdP.
Thanks

This worked for me so I'll leave it here in case anyone struggles with the same issues.
In Azure Portal, select Enterprise Application and look for Google.
Then select Google Cloud/ G Suite connector
In Single sign-on ensure that contoso.com is replaced by your DNS domain and ensure the last part framed in red is accurate to your own requirements.
Finally make sure you've enabled provisioning to have your users actually provisioned from Azure and not created in Google Workspace only.

Related

Azure AD Custom Identity Issuer without # sign

Currently our team has a web app; we use Angular as frontend and have Azure App Service for our backend API. We sorted out our authentication by following the docs and it has worked fine so far. We use code flow and our users are added to our AD in the Azure portal.
If they land on our front end they are redirected to Microsoft's login page and are able to login with for example
user#myappdomain.com
password
One small thing I am not able to find in the documentation, and which is a requirement from clients: is it possible to log in (get an access token for our API) with a login name without the # sign or Identity Issuer?
For example:
userfromcompanyx
password
Excuse in advance for misused or wrongly interpreted jargon as English is not my native tongue. Does anyone have experience in this specific use case or can point me in the right direction? Appreciate all replies.
Currently, it is not supported with Azure AD.
For your scenario you can go with Azure AD B2C, where you can log in with a username or phone number without using an email ID.

Using Salesforce as Service Provider for SAML With Azure B2C as Identity Provider, how can I identify what is not configured correctly?

The past few days I have spent following this guide on setting up Azure B2C as an IdP in a SAML authentication flow - https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
It was very helpful in getting me familiar with custom policies and I was able to get it working with the Microsoft Sample App as the Service Provider, but now I am struggling to figure out how to adapt what works with the Sample App to work with any real service providers that I am attempting.
Specifically, I would like to first setup Salesforce as our service provider, but am running into a wall that I am finding difficult to troubleshoot.
So far, I have created a single sign on setting in Salesforce and loaded it with the information from the metadata provided by the Azure custom policy, as well as updating the manifest for our SAML application to make the identifierUris point to the entity ID provided by the Single Sign On setting in Salesforce. The loaded data should be attempting to use the same custom policy that I was using to log in using the Sample Application and I have added the appropriate auth option to the Salesforce login page.
Now when I attempt to login through the SSO button that is on my Salesforce login page that ties to this setting, I am met with this error that I am unable to login with SSO before I am even able to enter any credentials or be met with a login screen.
Given the somewhat vague nature of the error and the lack of logging or other tools to troubleshoot, I am sort of unsure what I might still be missing to get this working correctly or where I can even find this information. I suspect one thing that I might need still is to point the SAML app in B2C at a metadata URL from Salesforce, but I have been unable to track down where I might find the metadata that Salesforce is expecting to provide it. It seems likely to me that the problem is on the Azure side of things, since I am not even able to get to the point where I can enter my credentials for Salesforce to reject the SAML response, and since the single sign on settings were loaded directly from the custom policy metadata XML, but I can't say for sure either way, which is in part why I am not sure what to try next.
We have also looked into setting it up as an OpenID Connect SSO, but would prefer to get SAML working if possible as we are also planning to connect our B2C AD with several other applications that will require we use SAML.
Curious if anyone else has run into similar issues and was able to resolve it or if there are any ways to troubleshoot this that I might be overlooking.
Update
Using the SAML tool recommended I was able to find that the error I was hitting is as follows:
Application registered corresponding to IssuerUri "--EntityID--" in AuthRequest does not have assertion consumer service URL "--EntityId--" specified in its metadata.
According to a forum post on the SF help forums, the login URL of the Single Sign on Settings created in Salesforce should be the URL to use. However, when I attempted to add this URL to the replyUrlsWithType attribute in the manifest of the Azure app, I got an error on saving that a property has an invalid value.
Today, I integrated Salesforce as Service Provider against B2C as IdP. I did not try creating the app registration but instead I downloaded the Salesforce metadata and used it inside of my B2C policy like the code below.
Basically it is the same, but instead of saving the Salesforce metadata (Login/Logout URIs) by registering a new application in B2C, I saved it in an XML file and pointed my B2C policy to use that metadata.
<Metadata>
  <Item Key="PartnerEntity">{Settings:B2C_SAML_PARTNER_ENTITY_SFE}</Item>
</Metadata>
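As an added illustration of the check behind the error quoted in the update above (this is not code from the question, the answer, or Azure AD B2C itself): parse the SP metadata that a service provider such as Salesforce exports, parse the AuthnRequest it sends, and report whether the Issuer and AssertionConsumerServiceURL line up with what the metadata declares. All XML, entity IDs and URLs below are constructed placeholders, and the comparison is exact, as an IdP that refuses undeclared ACS URLs would do.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata, shaped like what an SP exports. Placeholder values only.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-sp.invalid/saml/entity">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-sp.invalid/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest; note the trailing slash on the ACS URL, which the metadata lacks.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://example-sp.invalid/saml/acs/">
  <saml:Issuer>https://example-sp.invalid/saml/entity</saml:Issuer>
</samlp:AuthnRequest>"""

def parse_sp_metadata(xml_text):
    """Return (entityID, set of declared AssertionConsumerService Locations)."""
    root = ET.fromstring(xml_text)
    acs = {e.get("Location")
           for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)}
    return root.get("entityID"), acs

def parse_authn_request(xml_text):
    """Return (Issuer, AssertionConsumerServiceURL or None) from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return (issuer.text.strip() if issuer is not None else None,
            root.get("AssertionConsumerServiceURL"))

def check_authn_request(metadata_xml, request_xml):
    """Explain why an IdP would reject the request, or return 'ok'."""
    entity_id, acs_urls = parse_sp_metadata(metadata_xml)
    issuer, acs = parse_authn_request(request_xml)
    if issuer != entity_id:
        return f"issuer mismatch: Issuer {issuer!r} != metadata entityID {entity_id!r}"
    if acs is None:
        return "ok: no ACS URL in request, IdP falls back to the metadata default"
    if acs in acs_urls:
        return "ok"
    return f"ACS mismatch: {acs!r} not declared in metadata {sorted(acs_urls)}"
```

Running it on the constructed pair reports the ACS mismatch caused by the trailing slash; once the request's ACS URL matches the metadata exactly, the check passes.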

Log in to Azure AD B2C without redirecting to b2clogin Microsoft page

I am building a React application which needs to sign in and sign up users only through the application. I am using AADB2C for user management. I know this question has been asked several times in the past, but I am still finding a way to sign up/sign in users using AADB2C without redirecting to the Microsoft login page. I found it impossible 2 years ago, but I really appreciate your help if there are any services or packages to overcome this riddle.
#PrathapG I have responded to your question here: https://learn.microsoft.com/answers/questions/21036/log-in-to-azure-ad-b2c-without-redirecting-to-b2cl.html
You can always use the Graph API to directly create users into the B2C Directory, but that defeats most of the advantages of B2C of not having to write the plumbing code.
You are now also responsible for securing this user creation code.
Currently the new login url is: .b2clogin.com, which does not contain any reference to MS anymore, which partly may solve your issue?
There has to be some sort of identity management for your application. If you don't want Microsoft to do the identity management for your application then there are various other options.
There are several well known Identity Providers like Amazon, Facebook, etc.
Or you can provide your own Identity Provider using the first option "+New OpenID Connect Provider".

Difference between SAML and MSAL? Which one should be setup with VB codes?

Currently I'm working on a web app and its VB code. I need to deploy it into the Azure platform but I'm not sure about these 2 things. FYI, the system that I developed doesn't have a login page; it is based on the current PC login username. So I retrieve the current PC login username and check with my database whether the current user is allowed to use it or not. When it's on localhost, everything is OK, I can retrieve the username, but when I deployed it to Azure it can't since I need to set up Azure AD. But I'm a bit confused as my global IT asks me to write some code to read from Azure AD. How to configure it with code and also in Azure? Is there any difference between MSAL and SAML? Do I need to set up both or should I just set up either one? I'm new to this so I don't know much about it. Hopefully someone can help me to solve it as I'm stuck for a month now. Thank you in advance.
P/S: My system is in VBA code, not in C#, as I can see that many samples/examples are in C# code.
*Link with Azure AD and get user details like username/emails/etc once browsing the web app
SAML is a protocol used for authentication. A more contemporary protocol is OpenID Connect.
MSAL is a library that helps integrate your application with Azure AD.
I'd suggest you start with the Microsoft identity platform (Azure Active Directory for developers) and get yourself familiar with how to integrate your application successfully with Azure AD.
Some of the samples provided on that page teach how to make calls to Microsoft Graph, where you'd be able to get more details about the signed-in user.

Azure AD B2C Social Signups Failing

I'm trying to get an AspNet Core 2.1 website to authenticate via Azure AD B2C. I've configured the Google and Microsoft Account signups in my tenant per the online instructions I found (e.g., this for Google).
But neither signup/signin option works. Links to them display on the default Azure AD B2C login page, but clicking the links triggers an error:
for Google, it causes a redirect_uri_mismatch error
for Microsoft Account, it returns a "we're experiencing technical difficulties" error page, which has persisted for more than 24 hours, so I doubt there's been any kind of outage
This is all occurring in a development environment, so I'm not using a publicly-registered domain (e.g., the reply uris all point back to localhost). Is that possibly the problem? If so, how do I set up the development environment correctly?
Additional Info
I solved the problem with the google identity provider.
But I'm still getting the same error with the Microsoft Account provider. However, I just noticed that there's an error message buried within the URL for the error page which doesn't get displayed on the page itself:
error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.
The first suggestion in the error message -- targeting login.live.com -- doesn't work. The Microsoft Application Portal complains about a domain mismatch.
But I don't see how to apply the second suggestion, because I don't know where the redirect_uri is generated by/stored in my web app (i.e., I defined the redirect uri in the Microsoft Application Portal, but I don't see a corresponding configuration parameter in my webapp).
Ensure that you are registering, in your social providers, the same base reply URLs that your application is calling from B2C.
For example:
If your app calls https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize then the reply URL in your social provider should be https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp
However, some app examples call https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/v2.0/authorize (notice the "te") so you therefore need to add a reply URL of https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/authresp
I generally add both.
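The mapping this answer describes, as an added example rather than the answerer's own code: derive the authresp URL that B2C presents to the social provider from the authorize URL the app calls (keeping the "te" segment when present), compare it exactly against what is registered at the provider, and pull the error_description out of a failed redirect URL of the kind quoted in the question. The contoso tenant, the registered URIs and the error URL are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed: the two authorize endpoints an app might call (with and without "te"),
# and the redirect URIs a developer registered at a social provider such as Google.
AUTHORIZE_URLS = [
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize",
    "https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/v2.0/authorize",
]
REGISTERED_AT_PROVIDER = [
    "https://localhost:5001/signin-oidc",  # the app's own reply URL; belongs in B2C, not here
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp",
]
# Constructed failed-redirect URL carrying the error in its query string.
ERROR_URL = ("https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp"
             "?error=invalid_request&error_description=The+provided+value+for+the+input"
             "+parameter+'redirect_uri'+is+not+valid.")

def expected_authresp(authorize_url):
    """Replace the trailing oauth2/v2.0/authorize with oauth2/authresp, keeping any prefix such as te/."""
    parts = urlsplit(authorize_url)
    segments = parts.path.strip("/").split("/")
    if segments[-3:] != ["oauth2", "v2.0", "authorize"]:
        raise ValueError(f"not a B2C v2.0 authorize URL: {authorize_url}")
    path = "/" + "/".join(segments[:-3] + ["oauth2", "authresp"])
    return f"{parts.scheme}://{parts.netloc}{path}"

def missing_reply_urls(authorize_urls, registered):
    """Authresp URLs the provider does not know; redirect_uri matching is exact, so no normalisation."""
    registered = set(registered)
    return [u for u in (expected_authresp(a) for a in authorize_urls) if u not in registered]

def buried_error(url):
    """Return (error, error_description) from a redirect URL, decoded, even if the page hides them."""
    q = parse_qs(urlsplit(url).query)
    return q.get("error", [None])[0], q.get("error_description", [None])[0]
```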
Are you able to sign up with the local email account at first? If not, this link
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-web-app
would be helpful, which has a sample web app and the steps. Once you are able to sign up and authenticate, you can add identity providers such as Google, Microsoft, Facebook, etc., and then you can edit the sign-up or sign-in policies and add the identity providers of Google, Microsoft, etc.
I hope this helps, cheers!! Please let me know if you face any issues.
Suraj Revankar
Turns out the documentation I was following for setting up the MicrosoftAccount identity app was incorrect, or I was following the wrong instructions.
Basically, you need to redirect to
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
not
https://localhost:[port#]/signin-oidc
like the documentation I was originally following suggested.
Check out this question and answer for more details.