Azure B2C custom policy Auth app - totpIdentifier issue - azure

I have created a custom policy to use the Authenticator App from the following example code:
https://github.com/azure-ad-b2c/samples/blob/master/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml
The issue I am having is that it will sign up a new user, but when it is supposed to redirect to the page to show the QR code, it fails with the following error shown in AI.
Exception Message:A Claim of ClaimType with id "totpIdentifier" was not found, which is required by the ClaimsTransformationImpl of
Type "Microsoft.Cpim.Data.Transformations.FormatStringMultipleClaimsTransformation" for TransformationMethod "FormatStringMultipleClaims"
referenced by the ClaimsTransformation with id "CreateUriLabel" in policy xyz
The user is created correctly, as the next login will show the QR code and after going through the process, will give me my token.
I do understand the error, but I do not know how to fix it. My guess is that the sequence of events is not correct, but "CreateUriLabel" should be called after "TotpFactor-Input", where "totpIdentifier" gets set.
Has someone got an idea on what to look at?

just for completion, it ended up being a branding file that was causing the issue.
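The "claim not found" error above comes from a format-string step that has a mandatory input claim missing. As an added example (not code from the post or from the azure-ad-b2c sample policy), the following Python builds the otpauth:// provisioning URI that a QR page of this kind encodes, fails hard when the identifier is absent, and verifies RFC 6238 codes the way an authenticator app does. The issuer/account names and the URI layout are assumptions for this example; the 20-byte seed is the RFC 6238 Appendix B test seed, not a value from the post.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# RFC 6238 Appendix B SHA-1 test seed; a constructed value for this example,
# not anything from the original post.
SAMPLE_SECRET = b"12345678901234567890"


def build_otpauth_uri(issuer, totp_identifier, secret, digits=6, period=30):
    """Build the otpauth:// URI the QR page encodes.

    Mirrors the contract of a 'format string from multiple claims' step:
    every input claim is mandatory, so a missing totpIdentifier is an error
    rather than an empty label.  Assumed layout: otpauth://totp/<issuer>:<account>?...
    """
    if not issuer or not totp_identifier:
        missing = "issuer" if not issuer else "totpIdentifier"
        raise ValueError(f"required input claim missing: {missing}")
    label = quote(f"{issuer}:{totp_identifier}", safe="")
    params = urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "digits": digits,
        "period": period,
    })
    return f"otpauth://totp/{label}?{params}"


def totp_code(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing unix_time."""
    counter = int(unix_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret, candidate, unix_time, window=1, digits=6, period=30):
    """Accept codes from +/- `window` steps to tolerate phone clock drift.

    Uses a constant-time comparison so the check does not leak which digits
    matched; callers should still rate-limit attempts.
    """
    for step in range(-window, window + 1):
        expected = totp_code(secret, unix_time + step * period, digits, period)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    print(build_otpauth_uri("Contoso", "alice@example.com", SAMPLE_SECRET))
    print(totp_code(SAMPLE_SECRET, 59))   # RFC 6238 vector: 94287082 -> 287082
```

The RFC 6238 test vectors (T=59 gives 94287082, T=1111111109 gives 07081804 for SHA-1) are a quick way to confirm a verifier before wiring it to real enrolment data.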

Related

ServiceNow Azure SSO integration

I have been trying to create an SSO from Azure to ServiceNow. However, I am stuck at this error.
User: 6pGO5pzp9boSuAj82Cj6bK8aBeet9HKUdhNfUzalsKI= not found Ensure
that the user you are trying the test connection with is present in
the system. Ensure that 'User Field' property value corresponds to the
value set in the IDP returned through 'Subject NameID' in the
response.
I have tried different ID Policies. All of them give the same error though. This is the one I am using
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Can anyone help out a little?
I was getting this same error until I changed the NameID Policy to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
User Field (under advanced): user_name
Type cache.do in filter navigator. Press enter.
Clear your browser cache.
Test connection.
See if that works and let me know.

AAD B2C IEF: How to pass error code and message from REST API to the application with custom policy?

I'm using a custom policy to invoke a REST API to get something from a database and return it in claims. It works fine, but I need to extend the feature to send an extra error code and error message in case any exception happens. I already returned such information as requested ("status":409, "userMessage":). But I don't know where I can get it (in the HTTP header/body/somewhere else?). I understand that I can return such information in another claim. But since AAD B2C provides the status code and userMessage, there must be a way to use it. Could someone please enlighten me? Thanks a lot.
The error message itself can’t be accessed as a claim. If you want processing to continue, then return a HTTP 200 with a JSON representing the error and use preconditions to control the journey in this case.

How do I fix/avoid AADSTS650051: 'dynamicPermissions' is not a valid parameter for 'consentToApp' that some users get when trying to login with AAD?

I have a bare-bones website (single page app) that tries to log in the user with AAD using the msal JavaScript library. It is practically just doing what the example AAD login code does:
It creates a UserAgentApplication with my app's client ID and the authority URL for my tenant
It calls handleRedirectCallback and loginRedirect
It tries to get either the accessToken or the errorCode/errorMessage from the redirect response
Under practically all circumstances this works fine. Users visit my page, they get redirected and log in just fine. One particular user, however, after the redirect and attempt to log in, gets this error:
Login failed: invalid_client - AADSTS650051: The parameter 'dynamicPermissions' in the request payload is not a valid parameter for the function import 'consentToApp'.
Trace Id: ed33266a-26ac-4706-9018-e6e89f650100
Correlation Id: e3103cab-1a7f-4a99-8455-fd8c8a769e35
Timestamp: 2019-06-25 20:50:44Z
He has tried this in many different browsers (Edge/Chrome) and always gets this error, even in InPrivate/Incognito mode. No other user ever runs into this error that I've found.
I'm not sure how to debug the issue because in my code I don't ever specify a 'dynamicPermissions' property or reference a function named 'consentToApp'.
How can I troubleshoot what is causing this error for this one user?
Thanks!
Ultimately this turned out to be a bug in the AAD service that was fixed by Microsoft.

Azure B2C with Salesforce, missing "objectId"

I'm testing Azure B2C with Salesforce as IdP, and the login process works fine from the Salesforce perspective (the Salesforce Identity Provider Event Log shows "success" for sign-on attempts), but the redirection back to my simple testing web application ends up on an error page such as
/redirect.html#error=server_error&error_description=AADB2C90037%3a+An+error+occurred+while+processing+the+request.+Please+contact+administrator+of+the+site+you+are+trying+to+access.%0d%0aCorrelation+ID%3a+f0292157-ffad-472d-8119-3cd05518654c%0d%0aTimestamp%3a+2018-02-13+15%3a01%3a54Z%0d%0a
Looking at Application Insights, I see error:
A claim could not be found for lookup claim with id "objectId" defined in
technical profile with id "AAD-UserReadUsingObjectId" policy
"B2C_1A_SignUpOrSignInUsingSalesforce" of tenant "xyz.onmicrosoft.com".
I've followed the tutorial here and double checked lots of things, but I'm not sure if this issue is due to an invalid UserJourney or ClaimsProvider/TechnicalProfile. Or is it just that I'm missing the respective user in Azure B2C that I have in Salesforce?
I don't at least see 'objectId' incoming in saml:Assertion:
<saml:Assertion xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_b0b0193ce1e861e13ec39f9a991cb3501518533690616" Version="2.0" IssueInstant="2018-02-13T14:54:50.616Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://XYZ.my.salesforce.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">jussi.palo#XYZ.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2018-02-13T14:59:50.616Z" Recipient="https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer" InResponseTo="_50a752dd-244c-4447-9ac9-6338e8bb692e" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-02-13T14:54:20.616Z" NotOnOrAfter="2018-02-13T14:59:50.616Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2018-02-13T14:54:50.616Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">0050N0000060rpy</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">jussi.palo#XYZ.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">jussi.palo#XYZ.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">false</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
For some reason, the User Journey Player isn't showing anything, so I've thus far been stuck with Application Insights.
Looks like it was confusion on what Starter Pack policy files should be used with the Salesforce instructions. Turned out using "SocialAndLocalAccounts" policy files as a basis did the trick, so my UserJourney was not right at first.
I will leave the question here for anyone else running into similar error messages.
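When an assertion like the one above arrives and the service provider rejects it, three things are worth checking before touching the policy: the NameID Format (the fix in the ServiceNow answer above), which attributes are actually present (this assertion carries userId, username, email and is_portal_user, and nothing called objectId), and the Conditions window compared against the local clock with some skew tolerance (the NotBefore point in the ACS answer further down). As an added example, not code from any of these posts, the Python below runs those checks over a constructed, cut-down copy of the Salesforce assertion. It assumes the XML signature has already been verified by the SAML stack; signature handling is deliberately out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: a trimmed copy of the assertion quoted in the post
# (issuer, NameID, timestamps, audience and attribute names kept; signature,
# SubjectConfirmation and AuthnStatement dropped for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2018-02-13T14:54:50.616Z">
  <saml:Issuer>https://XYZ.my.salesforce.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">jussi.palo#XYZ.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-02-13T14:54:20.616Z" NotOnOrAfter="2018-02-13T14:59:50.616Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="userId"><saml:AttributeValue>0050N0000060rpy</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jussi.palo#XYZ.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jussi.palo#XYZ.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="is_portal_user"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """SAML timestamps are UTC with a trailing Z and fractional seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_audience, expected_nameid_format,
                    required_attributes, now, skew=timedelta(minutes=5)):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. NameID format: the SP maps the subject by this, so it must match.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != expected_nameid_format:
        findings.append(f"nameid-format: got {fmt}, expected {expected_nameid_format}")

    # 2. Validity window, with skew tolerance on both edges.
    cond = root.find("saml:Conditions", NS)
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        findings.append("NotBefore is in the future (clock skew between IdP and SP?)")
    if now - skew >= not_on_or_after:
        findings.append("assertion expired")

    # 3. Audience restriction: the assertion must be addressed to this SP.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"audience {expected_audience} not in {audiences}")

    # 4. Attributes the policy will look up must actually be asserted.
    present = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in required_attributes:
        if name not in present:
            findings.append(f"missing attribute {name}; present: {sorted(present)}")
    return findings


if __name__ == "__main__":
    now = datetime(2018, 2, 13, 14, 55, tzinfo=timezone.utc)
    aud = "https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase"
    for line in check_assertion(SAMPLE_ASSERTION, aud, EMAIL_FORMAT, ["objectId"], now):
        print(line)
```

Run against the sample with the audience it was issued for, the transient format and only "email" required, it returns no findings; ask it for the emailAddress format and an objectId attribute and it reports exactly the two mismatches a B2C lookup or a ServiceNow NameID check would stumble on.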

Custom STS & Azure ACS error ACS50008: Invalid SAML token

I have a custom STS implementation. Currently it is configured as an additional identity provider on Azure ACS. I have a relying party website that is authenticating successfully via ACS (Windows Live, Google, etc). However, whenever I try to login using my custom STS I always get the Error 401.
Error Code ACS20001: An error occurred while processing a WS-Federation sign-in response.
Error Code ACS50008: SAML token is invalid.
I have searched through the forums, but in my case I don't get any more detail on the error and do not know how to proceed and fix this.
My STS is currently in beta and can be reached here: metadata.
If anyone has any suggestions or wants to give it a try please contact me via email and I will open a demo login on my custom provider.
note: The case is different than similar question found here since my inner exception details do not suggest any reason.
UPDATE: check the discussion in this thread for some additional information and the payloads I extracted from Fiddler.
Thanks in advance,
Constantinos
I finally figured this out with the help of ms support on Azure.
It seems that the "ACS50008: SAML token is invalid" error is quite generic and usually there is more information in an inner exception that does not end up on the error screen. Why this happens is still a mystery for me.
So for anyone that happens to be in my position I nailed two possible reasons for this to happen.
Reason: the time of the client mismatches the time of ACS, namely NotBefore below is a time in the future when looked at by ACS. Action: <saml:Conditions NotBefore="...." NotOnOrAfter="....">
If that's the case you may try to set the lifetime from (now - a buffer time such as 5 mins) to now + 1 hour.
Reason: a hidden inner exception that can be seen only with the help of ms support using your error's trackingId.
Microsoft.Cloud.AccessControl.Common.Diagnostics.SignInException: ACS20001: An error occurred while processing a WS-Federation sign-in response.
Microsoft.Cloud.AccessControl.Common.Diagnostics.ServiceException: ACS50008: SAML token is invalid.
Microsoft.IdentityModel.SecurityTokenService.IssuerNameNotSupportedException: Principal with name 'https://login.mydomain.com/' is not a known principal.
In my case the principal name should not contain the forward slash at the end. We changed it from https://login.mydomain.com/ to https://login.mydomain.com and the error went away!
You can always create a support case with Microsoft and have them help figure it out:
https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn