ServiceNow Azure SSO integration - azure

I have been trying to create an SSO from Azure to ServiceNow. However, I am stuck at this error.
User: 6pGO5pzp9boSuAj82Cj6bK8aBeet9HKUdhNfUzalsKI= not found Ensure
that the user you are trying the test connection with is present in
the system. Ensure that 'User Field' property value corresponds to the
value set in the IDP returned through 'Subject NameID' in the
response.
I have tried different ID Policies. All of them give the same error though. This is the one I am using
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Can anyone help out a little?

I was getting this same error until I changed the NameID Policy to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
User Field (under advanced): user_name
Type cache.do in filter navigator. Press enter.
Clear your browser cache.
Test connection.
See if that works and let me know.
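Why the transient format can never pass "Test connection": a transient NameID is an opaque value the IdP mints per session, so nothing stored in the user record will ever equal it, whereas an emailAddress (or persistent) NameID carries a stable attribute the service provider can compare against its configured user field. The following Python is an added example, not ServiceNow's or Azure AD's code; the SAML response, the user table and the field names are constructed for the demo, and a real deployment must verify the assertion signature before trusting the NameID.

```python
"""Resolve a SAML Subject NameID against a local user table, which is the
check a service provider such as ServiceNow performs on 'Test connection'.
Added example; the SAML response and the user table below are constructed."""
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree on untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the SP's user table (ServiceNow's sys_user);
# the 'User Field' chosen on the SP side is matched against these keys.
USERS = [
    {"sys_id": "u1", "user_name": "jdoe@contoso.example", "email": "jdoe@contoso.example"},
    {"sys_id": "u2", "user_name": "asmith", "email": "asmith@contoso.example"},
]


def build_response(name_id, name_id_format):
    """Minimal unsigned SAML Response carrying only the Subject NameID.
    Real responses are signed; verify the signature before trusting NameID."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        "<saml:Assertion><saml:Subject>"
        f'<saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )


def extract_name_id(xml_text):
    """Return (value, format) of the Subject NameID in the response."""
    root = ET.fromstring(xml_text)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("response carries no Subject NameID")
    return node.text.strip(), node.attrib.get("Format", "unspecified")


def resolve_user(xml_text, user_field):
    """Map the NameID to a local user via `user_field`; returns (sys_id, reason)."""
    value, fmt = extract_name_id(xml_text)
    if fmt == TRANSIENT:
        # A transient NameID is an opaque per-session value the IdP mints;
        # by design it never equals a stored attribute, so lookup cannot succeed.
        return None, "transient NameID cannot be matched to a stored user field"
    for user in USERS:
        if user.get(user_field) == value:
            return user["sys_id"], "ok"
    return None, f"User: {value} not found (User Field={user_field}, Format={fmt})"
```

Running `resolve_user` with the emailAddress format and `user_field="user_name"` succeeds only for users whose user_name is the e-mail address; for the second user the lookup works with `user_field="email"`, which is the same mismatch the error message in the question describes, and the reason the answer pairs the NameID policy change with the User Field setting.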


Azure B2C custom policy Auth app - totpIdentifier issue

I have created a custom policy to use the Authenticator App from the following example code:
https://github.com/azure-ad-b2c/samples/blob/master/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml
The issue I am having is that it will sign up a new user, but when it is supposed to redirect to the page to show the QR code, it fails with the following error shown in AI.
Exception Message:A Claim of ClaimType with id "totpIdentifier" was not found, which is required by the ClaimsTransformationImpl of
Type "Microsoft.Cpim.Data.Transformations.FormatStringMultipleClaimsTransformation" for TransformationMethod "FormatStringMultipleClaims"
referenced by the ClaimsTransformation with id "CreateUriLabel" in policy xyz
The user is created correctly, as the next login will show the QR code and after going through the process, will give me my token.
I do understand the error, but I do not know how to fix it. My guess is that the sequence of events is not correct, but "CreateUriLabel" should be called after "TotpFactor-Input" where "totpIdentifier" gets set.
Has someone got an idea on what to look at?
Just for completion, it ended up being a branding file that was causing the issue.

Internal Server Error in B2C for Email/UPN in Username Field

When I try to create a local account w/ a username of "test#mydomain.com" I get:
http://localhost:4343/#error=server_error&error_description=AADB2C90161:+A+self-asserted+send+response+has+failed+with+reason+'Internal+Server+Error'.
Correlation+ID:+cb299c64-219b-4870-9b4e-7c85fbbd2ae3
Timestamp:+2018-02-20+21:05:54Z
&state=9ac8534f-ad75-46c1-94a8-514a71acc6bb
I've wired up App Insights and I can see the "Internal Server Error" but there is so much noise I can't pinpoint the problem.
Why can't I register w/ a username like that?
How do I interpret the App Insights log to track down my issue?
Note: I'm using custom policies if that matters.
Answer for the first question is that a sign-in name of type "userName" can't contain the '#' character in the value property.
i.e. You can't set it to an email address.

Actions on Google - Unable to use "quick account linking"

I set up my Actions on Google project with account linking enabled and the Implicit flow, it's working fine. However, when I try to select "Add quick account linking", after I save and click "Test Draft", it goes to the simulator page with an error message "Failed to enable simulator".
The error happens whether I select "Account creation", "Auto Google Sign-in" or both. I've filled the fields "GSI Client ID", "Token URL" and "Learn More URL" with proper values.
I can see under the hood that a POST query is made to https://console.actions.google.com/u/0/m/actions/agents/draft/createlocalizeduserpreview and returns a 500 error with "status":13. When I unselect "Add quick account linking", the same query succeeds and no error is displayed.
Did anyone get this to work?
Did you follow the steps to extend the Implicit flow and add a new endpoint that would handle the assertion request based on a JWT? This needs to be a new endpoint, and is similar to what you needed to do if you were implementing the Auth Code flow.
If so, verify that this endpoint is being called, that you're parsing the JWT correctly, and that you're returning either an auth code or a valid redirect to have the user sign-in.
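What that extra endpoint has to do, as an added example that is not Google's code nor part of the original answer: accept the jwt-bearer assertion request, parse the JWT, reject anything with a bad algorithm, signature, issuer, audience or expiry, then look the verified e-mail up and hand back an auth code for a known user or a sign-in redirect for an unknown one. The client id, signing key, user store and exact response shapes are assumptions; Google signs the real assertion with RS256 against its published certificates, and HS256 with a shared demo key stands in for that here so the example runs offline.

```python
"""Token-endpoint handler for the assertion request sent during quick
account linking. Added example: parses and checks the JWT, then returns an
auth code for a known user or a sign-in redirect otherwise. The signing key,
client id, user store and response shapes are assumptions; HS256 with a
shared demo key stands in for Google's RS256 signature."""
import base64
import hashlib
import hmac
import json
import secrets
import time

GSI_CLIENT_ID = "0000000000-demo.apps.googleusercontent.com"  # assumed client id
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
DEMO_KEY = b"demo-shared-secret"  # stand-in for Google's RSA public keys

USERS = {"alice@example.com": "user-42"}  # constructed account store
ISSUED_CODES = {}  # auth code -> account id, consumed later by the token exchange


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_demo_assertion(claims, key=DEMO_KEY):
    """Mint a test assertion in the form the demo verifier expects (HS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def parse_and_verify_assertion(token, key=DEMO_KEY, now=None):
    """Check structure, algorithm, signature, issuer, audience and expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != GSI_CLIENT_ID:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if not claims.get("email") or not claims.get("email_verified", False):
        raise ValueError("no verified email")
    return claims


def handle_assertion_request(form, now=None):
    """Return a dict describing the HTTP response (status, body) to send."""
    if form.get("grant_type") != JWT_BEARER:
        return {"status": 400, "body": {"error": "unsupported_grant_type"}}
    try:
        claims = parse_and_verify_assertion(form.get("assertion", ""), now=now)
    except ValueError as exc:
        return {"status": 401, "body": {"error": "invalid_grant", "error_description": str(exc)}}
    account_id = USERS.get(claims["email"])
    if account_id is None:
        # Unknown Google identity: send the user to the normal sign-in page
        # rather than silently creating or linking an account.
        return {"status": 302, "body": {"redirect": f"/signin?login_hint={claims['email']}"}}
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = account_id
    return {"status": 200, "body": {"code": code}}
```

The verifier pins the algorithm before checking the signature and compares the MAC with `hmac.compare_digest`; when swapping in RS256 keep the same order of checks (algorithm, signature, issuer, audience, expiry, verified e-mail) so that an unsigned or mis-addressed token is rejected before any user lookup happens.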

Azure AD B2C: custom policy local account signin/signup fails

I am trying to build an invitation flow using custom policies.
My approach was to combine the invitation part of the WingTipGamesB2C policies with the custom policy starter pack.
The invitation seems to work fine; when using the invitation link and providing the user data (display name, password), the user is created in the Azure AD.
But I am not able to login with this user; the sign in dialog shows "Invalid username or password." (while with a wrong password "Your password is incorrect" is shown).
Using the built-in sign-in policy, the login works as expected.
b2crecorder shows the following log:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Using validation endpoint at: https://login.microsoftonline.com/foo.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(c693a69c-4a15-4ef5-b85d-a9a6a3f3298f) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
This looks like the same error as in this question, but should be a different problem, as the problem was the "forceChangePasswordNextLogin" flag in there, while the users that are created by the invitation should not have this flag.
I checked that the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps are correctly created and permissions are granted. They are also referenced as documented in the TrustFrameworkExtensions.xml.
How can I fix this? What can I do to further debug this problem? I used both Application Insights and the b2crecorder without getting enough information about the failure.
Additional information:
* The custom signup also does not work
* Signing up/in via 3rd party IDP (Google) works
I just found out what my problem was: in the login-NonInteractive technical profile, I replaced the strange-looking <Item Key="ProviderName">https://sts.windows.net/</Item> with some nice-looking name, assuming that it was just some irrelevant string (e.g. for the Google IdP, I could use <Item Key="ProviderName">Google</Item> ...)
Well, it seems to be important. When restoring the original ProviderName, sign-in works perfectly.
Just answering my own question here, as I hope this will save somebody else's time.

Azure AD B2C with custom policies: Unable to authenticate user with temporary password

I have configured Azure AD B2C with custom policies but I am unable to authenticate with a new user created in the Azure portal. The user has a temporary password. Azure AD B2C returns the error text Invalid username or password, even though the username and password are correct.
I have confirmed that it is possible to login with the new user and temporary password in Azure AD B2C using non custom policies. After logging in, the user gets prompted to change their password.
The problem can be reproduced using the custom policies described in this guide:
Get started with custom policies.
Additional information:
I have configured the b2crecorder https://b2crecorder.azurewebsites.net/stream?id=<guid> in the UserJourneyRecorderEndpoint. Which gives access to more information through https://b2crecorder.azurewebsites.net/trace_102.html?id=<guid>
The problem results in the following log:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Using validation endpoint at: https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(d56987e9-be2e-46fc-a7a4-23e317f8f174) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
The most common reason for this is that Grant Permissions has not been executed.
On the "ProxyIdentityExperienceFramework application" -> after selecting the checkbox for Access IdentityExperienceFramework -> clicking on Select and hitting Done, you must also complete the next step:
Select Grant Permissions, and then confirm by selecting Yes.
Edit:
Sorry, after reading your situation carefully, both a "sign-up or sign-in policy" or "custom policy" do not support the Azure Active Directory forceChangePasswordNextLogin flag. (forceChangePasswordNextLogin will only work with a "sign-up policy") There is a feature request tracking this here.
Since this is the first SO article that pops up on this question, I'll add that another possibility to check when hitting this problem is, make sure the Proxy app type is Native, not Web.
