IdP initiated SSO with Okta IdP and Azure B2C SP via SAML - azure

We have a partner we are integrating with. We want to add a link to their system so they can click on it, automatically get logged into our Azure B2C and be redirected to a specific page on our site. We have the requirement that they use SAML to connect.
These are the steps I have followed. I am not sure if I am missing something or if I need to try another path, like building a .NET bridge SP to connect to the Okta IdP and then redirect the user.
Set up an Okta IdP
Wrote a C# web app
Connected the web app directly to the Okta IdP, just to test
Published the web app to Azure
Created custom policies for the Okta claims provider in Azure B2C
Created a user journey in Azure B2C
In Azure application insights I keep getting "Exception" with no detail.
If I look at the SAML request in the browser I end up getting this 404
https://XXX.b2clogin.com/XXX.onmicrosoft.com/B2C_1A_signup_signin_saml/client/perftrace?tx=b7024f56-034f-4edb-9d60-386514c037f3&p=null
Claims provider
user journey
metadata url
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkat2zx10HirumDC696">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIID...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://XXX.okta.com/app/XXX_testsamlbridge_1/exkat2zx10HirumDC696/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://XXX.okta.com/app/XXX_testsamlbridge_1/exkat2zx10HirumDC696/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
B2C_1A_OktaSecret
{
"metadata":{
"updatedUtc":"12/10/2021 4:57:15 AM",
"tenantID":"XXX.onmicrosoft.com",
"storageKeyId":"B2C_1A_OktaSecret"
},
"keys":[
{
"kid":"30D7ACFD91E97D5733BB4388C0C45350120A2092",
"exp":1952890376,
"nbf":1637357516,
"x5c":[
"MIIDqDCCApCgAwIBAgIGAX06HeGMMA0GCSqGSIb..."
],
"x5t":"MNes_ZHpfVczu0OIwMRTUBIKIJI",
"kty":"RSA",
"e":"AQAB",
"n":"q1XSJo0UyHeCIIO2NfnIU5VC5leYRZvtITk..."
}
]
}
I went through all three methods and found my error in one.
Method 1, Exceptions: found, but didn't tell me anything new.
Method 2, trace: didn't find any traces, which was weird.
Method 3, trace export: well, there were no traces, so I still couldn't find it.
I added screenshots below.
Error message
Exception log
Trace log
Search Transactions

Related

Microsoft.IdentityModel does not support a B2C issuer with 'tfp' in the URI

I am trying to run the WebApp B2C sample:
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C
When I try to login, I get the following error:
IDX40002: Microsoft.IdentityModel does not support a B2C issuer with 'tfp' in the URI. See https://aka.ms/ms-id-web/b2c-issuer for details.
If I edit the Instance to https://myHost.b2clogin.com I get:
AADSTS50011: The redirect URI 'https://myHost.b2clogin.com/1c2009bb-7e35-4a0e-9f22-xxxxxxxxx/oauth2/authresp' specified in the request does not match the redirect URIs configured for the application 'c24b0337-0bd9-45ee-8376-xxxxxxxxx'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Edit:
These are my redirects:
I tried to reproduce the same in my environment and got the below results:
I deployed custom policy starter pack via IEF Setup App by entering my Azure B2C tenant name like below:
When I checked that in Portal, custom policies are created successfully like below:
Now I registered one Azure AD B2C app named webapp1 as below:
I added redirect Uri to the above application like below: https://localhost:44316/signin-oidc
Now, I followed the same link that you mentioned and deployed one sample B2C web application by modifying appsettings.json file like below:
"AzureAdB2C": {
"Instance": "https://sridevib2c.b2clogin.com",
"ClientId": "9986e76d-bxx7-4x6x-bxx7-3d8xxxxx9a45",
"Domain": "sridevib2c.onmicrosoft.com",
"SignedOutCallbackPath": "/signout/B2C_1A_SIGNUP_SIGNIN",
"SignUpSignInPolicyId": "B2C_1A_SIGNUP_SIGNIN",
"ResetPasswordPolicyId": "B2C_1A_PASSWORDRESET",
"EditProfilePolicyId": "B2C_1A_PROFILEEDIT" // Optional profile editing policy
//"CallbackPath": "/signin/B2C_1A_SIGNUP_SIGNIN" // defaults to /signin-oidc
},
JSON file:
When I ran the above web application, it took me to below web page:
After selecting Sign Up/In, I got the login screen like below:
When I entered my credentials, I logged in to the application successfully like below:
When I clicked on Sign Out, it showed me below screen by signing me out:
After a lot of research I found this article/sample, where the Microsoft.Identity.UI framework is replaced with Microsoft.AspNetCore.Authentication.AzureADB2C.UI.
However, with the https://myDomain.b2clogin.com URL I still get the same error; using the custom domain it works, and that's enough for me.

How to set AuthnContext in Azure AD B2C IDP Saml response

I am involved in a project to build a new Azure AD B2C IDP and need to support some legacy Saml2 SPs. These login requests include a RequestedAuthnContext element and require PasswordProtectedTransport, however the Saml response from B2C has an AuthnContextClassRef of unspecified in the assertion and therefore is being rejected by the SP. So far I have been unable to find any information on how to set this from within a custom policy. Is anyone able to confirm whether or not this is actually possible and if so what is involved?
• Yes, you can configure the ‘AuthContext.xml’ or the ‘LoginHandler.xml’ file for the SAML response on the IdP side (Azure AD B2C if it is) with the authentication methods to be responded to the service provider (SP) with SAML 2.0 protocol. The authentication method set in the assertion for ‘RequestedAuthnContext’ should be as the following example SAML request: -
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_7171b0b2-19f2-4ba2-8f94-24b5e56b7f1e"
IssueInstant="2014-01-30T16:18:35Z"
Version="2.0"
AssertionConsumerServiceIndex="0">
<saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
• Also, the ‘AuthnContextClassRef’ of ‘unspecified’ as received by you in the SAML response implies that any authentication method that the service provider chooses can be used for authentication. Thus, the IdP responds with ‘PasswordProtectedTransport’ as the preferred choice of token issuing method and indirectly states that the preferred method of authentication is not specified in the SAML request.
Please find the below link for reference on the ‘RequestedAuthnContext’ parameter: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#requestauthncontext
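To make the matching rule behind this rejection concrete, the following added example (not code from the question, the answer or Azure AD B2C) evaluates a RequestedAuthnContext from an AuthnRequest against the AuthnContextClassRef carried in an assertion, the way a strict SP does. With Comparison="exact" the returned class must equal one of the requested values, so "unspecified" fails against PasswordProtectedTransport. The request and assertion fragments are constructed, and the STRENGTH ordering used for minimum, maximum and better is an assumption of this example, since the SAML specification leaves that ordering to the deployment.

```python
"""Check a SAML assertion's AuthnContextClassRef against the SP's RequestedAuthnContext.

Added example (not from the original post). Request/assertion XML below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
UNSPECIFIED = AC + "unspecified"

# ASSUMPTION: weakest-to-strongest ordering used for minimum/maximum/better.
# SAML 2.0 does not define one; a real SP configures this per deployment.
STRENGTH = [UNSPECIFIED, AC + "Password", AC + "PasswordProtectedTransport", AC + "X509"]

# Constructed AuthnRequest in the shape the legacy SP in the question would send.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed-1" Version="2.0" IssueInstant="2021-12-10T04:57:15Z">
  <saml:Issuer>https://legacy-sp.example.com</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def assertion_with(class_ref: str) -> str:
    """Constructed assertion fragment carrying the given AuthnContextClassRef (signature omitted)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed-2" Version="2.0" IssueInstant="2021-12-10T04:57:16Z">
  <saml:Issuer>https://idp.example.com/b2c</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2021-12-10T04:57:16Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def requested_context(authn_request_xml: str):
    """Return (Comparison, [class refs]) from RequestedAuthnContext; (None, []) when absent.
    Comparison defaults to "exact" per the schema. The descendant search also tolerates
    class refs wrapped in an extra saml:AuthnContext element, as in some posted examples."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [r.text.strip() for r in rac.findall(".//saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs


def asserted_context(assertion_xml: str) -> str:
    """Class ref from the assertion's AuthnStatement; absent means unspecified."""
    ref = ET.fromstring(assertion_xml).find(".//saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None else UNSPECIFIED


def _rank(ref: str) -> int:
    return STRENGTH.index(ref) if ref in STRENGTH else -1


def sp_accepts(authn_request_xml: str, assertion_xml: str):
    """Decide whether the SP accepts the assertion; returns (accepted, reason)."""
    comparison, requested = requested_context(authn_request_xml)
    actual = asserted_context(assertion_xml)
    if not requested:
        return True, "no RequestedAuthnContext: any class is acceptable"
    if comparison not in ("exact", "minimum", "maximum", "better"):
        return False, f"unknown Comparison {comparison!r}"
    if comparison == "exact":
        ok = actual in requested  # string match, no strength ordering involved
    else:
        a = _rank(actual)
        ranks = [_rank(r) for r in requested if r in STRENGTH]
        if a < 0 or not ranks:
            ok = False  # cannot compare strength of a class outside the assumed ordering
        elif comparison == "minimum":
            ok = any(a >= r for r in ranks)   # at least as strong as one requested class
        elif comparison == "maximum":
            ok = any(a <= r for r in ranks)   # not stronger than at least one requested class
        else:
            ok = any(a > r for r in ranks)    # "better": strictly stronger than one requested
    return ok, f"{comparison}: requested {requested}, assertion has {actual}"


if __name__ == "__main__":
    print(sp_accepts(AUTHN_REQUEST, assertion_with(UNSPECIFIED)))
    print(sp_accepts(AUTHN_REQUEST, assertion_with(AC + "PasswordProtectedTransport")))
```

Running it shows the question's situation directly: the unspecified assertion is rejected under exact, and only an assertion that states PasswordProtectedTransport (or whatever the B2C policy is configured to emit) passes.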

opensaml::BindingException when logging out of a Shibboleth Service Provider with Azure ActiveDirectory as IdP

When users click logout, I'm redirecting them to "/Shibboleth.sso/Logout"
This successfully brings them to the Microsoft logout page, then they get redirected back to the SP.
However, as they return to the SP they get a SOAP error message.
opensaml::BindingException
The system encountered an error at Wed Sep 30 19:13:08 2020
To report this problem, please contact the site administrator at help#example.com.
Please include the following message in any email:
opensaml::BindingException at (https://app/Shibboleth.sso/SLO/SOAP)
Invalid content type for SOAP message.
When configuring the SP on Azure, I uploaded the metadata as-is.
This populated the fields on Azure, and things mostly worked.
However, it pulled the logout url as the first entry from the metadata:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://app/Shibboleth.sso/SLO/SOAP"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://app/Shibboleth.sso/SLO/Redirect"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app/Shibboleth.sso/SLO/POST"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://app/Shibboleth.sso/SLO/Artifact"/>
Rather than using the SOAP url, instead Azure should be using the "https://app/Shibboleth.sso/SLO/Redirect" location.
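Both of these threads come down to reading SAML metadata correctly: the first question needs the Okta IdP's entityID, SingleSignOnService locations and signing certificate for the B2C claims provider, and this one shows an IdP taking the first SingleLogoutService entry, the SOAP back-channel binding, instead of a browser-facing one. The following added example (not code from either post, nor from Okta, Shibboleth or Azure AD) parses both kinds of metadata and selects a front-channel logout endpoint regardless of the order the entries appear in. The metadata documents are constructed from the shapes shown in the two threads, with placeholder hosts, entity IDs and certificate data.

```python
"""Extract the endpoints a SAML peer configuration needs from metadata.

Added example (not from the original posts). Both metadata documents are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Bindings a browser can be driven through; SOAP and Artifact need a server-to-server channel.
FRONT_CHANNEL = ("HTTP-Redirect", "HTTP-POST")

# Constructed IdP metadata in the shape of the Okta document in the first question.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/EXAMPLE-ENTITY">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIID...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata with the SingleLogoutService ordering from the Shibboleth thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://app.example.com/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://app.example.com/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.example.com/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://app.example.com/Shibboleth.sso/SLO/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoints(root: ET.Element, role: str, element: str) -> dict:
    """Map short binding name (e.g. 'HTTP-Redirect') -> Location for <element> under <role>."""
    found = {}
    for ep in root.findall(f"md:{role}/md:{element}", NS):
        binding = ep.get("Binding", "")
        if binding.startswith(BINDING_PREFIX):
            found[binding[len(BINDING_PREFIX):]] = ep.get("Location")
    return found


def parse_idp_metadata(xml_text: str) -> dict:
    """The facts a SAML claims provider configuration needs from an IdP."""
    root = ET.fromstring(xml_text)
    descriptor = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_requests": descriptor.get("WantAuthnRequestsSigned", "false") == "true",
        "name_id_formats": [n.text.strip() for n in descriptor.findall("md:NameIDFormat", NS)],
        "sso": _endpoints(root, "IDPSSODescriptor", "SingleSignOnService"),
        "signing_certs": certs,
    }


def choose_logout_endpoint(xml_text: str, role: str = "SPSSODescriptor"):
    """(binding, location) of a browser-driveable SingleLogoutService in FRONT_CHANNEL
    preference order, ignoring document order; None when only back-channel bindings exist."""
    slo = _endpoints(ET.fromstring(xml_text), role, "SingleLogoutService")
    for binding in FRONT_CHANNEL:
        if binding in slo:
            return binding, slo[binding]
    return None


if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
    print(choose_logout_endpoint(SP_METADATA))
```

For the Shibboleth case the selector returns the HTTP-Redirect location even though SOAP is listed first; that is the value to enter as the logout URL when the IdP side imports the first entry verbatim. For the B2C case, `wants_signed_requests` tells you whether the claims provider must be configured to sign its AuthnRequest.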

Correct AuthnRequest to Azure AD/idp

I keep getting "AADSTS75005: The request is not a valid Saml2 protocol message." when I try to send an AuthnRequest to Azure AD/idp.
The XML looks like this before I zip it, convert it to a base64 string and URL-encode the message.
<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
ID="ide13dd575-3f6c-4131-9b9d-e12c644cf18f"
Version="2.0"
IssueInstant="2016-11-14T14:28:27.5450323Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">{homepage url registered in azure app registrations}</Issuer>
</samlp:AuthnRequest>
The user is redirected to https://login.microsoftonline.com/{SAML-P Sign-On Endpoint from endpoints in app in azure}/saml2?SAMLRequest={encoded saml request removed}
The same works when I send it to another SAML2 IdP (which uses SimpleSAMLphp).
The web browser is redirected to https://login.windows.net/{endpoint id}/saml2?SAMLRequest=jZBLasMwFEW3YjRXbKny72EbAqVgaCkkbQedBEVWiKktuXrP%2faytgy6pW6hJhoXQ6YV7OPf%2bfH1XqMdhgvVMR7exr7NFij7GwWHN5uDAa%2bwRnB4tAhnYru9uQa4SGC3pTpNmUXtds77rrCjy9KB4LpXian%2bV8aJLUl6Wpdknytg0y1n0ZAP23tVsQSxNxNm2Dkk7WqJEZFwILtSDlCBSkHIlZCbLtHhmZyU4uV4Wm4Inb%2fzAmurED%2f9ZoxFtoMWMNUeiCSGOx8%2fHTbu78WG3JW1e7t9sOAz%2bvYrP1KaK%2fx7X%2fAI%3d
As #Steve already mentioned above, the problem seems to be with the way you are deflating/encoding the AuthenticationRequest. Try using the sample code at https://stackoverflow.com/a/25155050/983244, assuming that you are using .NET ( You mentioned DeflateStream ).
I would also clear out the namespace declarations so that your AuthnRequest looks like
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ide13dd575-3f6c-4131-9b9d-e12c644cf18f"
Version="2.0"
IssueInstant="2016-11-14T14:28:27.5450323Z">
<saml:Issuer>{homepage url registered in azure app registrations}</saml:Issuer>
</samlp:AuthnRequest>
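The answer points at the deflate/encoding step and at the namespace declarations, so here is an added example (not code from the question, the answer or Azure AD) that performs the HTTP-Redirect binding end to end in Python: raw DEFLATE with no zlib or gzip framing, base64, then URL-encoding into the SAMLRequest parameter, together with a decoder and the structural checks an IdP applies first (root element in the protocol namespace, ID/Version/IssueInstant present, a saml:Issuer child). It also encodes the same request with zlib framing, a common mistake, to show that an IdP-side decoder rejects it. The issuer and the tenant id in the endpoint URL are constructed placeholders.

```python
"""Encode and check a SAML 2.0 AuthnRequest for the HTTP-Redirect binding.

Added example (not from the original post). The binding requires raw DEFLATE
(no zlib/gzip framing), base64, then URL-encoding. Issuer and tenant id are placeholders.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholders, not values from the post.
ISSUER = "https://sp.example.com/"
IDP_SSO_URL = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"


def build_authn_request(issuer: str, request_id: str, issue_instant: str) -> str:
    """Minimal AuthnRequest: protocol namespace on the root, assertion namespace on Issuer."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text: str) -> str:
    """Raw DEFLATE (wbits=-15 => no zlib header or Adler-32 trailer), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_with_zlib_framing(xml_text: str) -> str:
    """Common mistake: zlib-framed stream (2-byte header + checksum) instead of raw DEFLATE."""
    framed = zlib.compress(xml_text.encode("utf-8"))
    return urllib.parse.quote(base64.b64encode(framed).decode("ascii"), safe="")


def decode_redirect_binding(saml_request_param: str) -> Optional[str]:
    """Reverse the binding as an IdP would; None when the payload is not base64 + raw DEFLATE."""
    try:
        raw = base64.b64decode(urllib.parse.unquote(saml_request_param), validate=True)
        return zlib.decompress(raw, -15).decode("utf-8")
    except (ValueError, zlib.error):
        return None


def validate_authn_request(xml_text: Optional[str]) -> Tuple[bool, str]:
    """Structural checks applied before signature or issuer policy: root element and
    namespace, required attributes, and a saml:Issuer child."""
    if xml_text is None:
        return False, "payload is not base64 + raw DEFLATE"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, f"root is {root.tag}, expected samlp:AuthnRequest"
    for attr in ("ID", "Version", "IssueInstant"):
        if not root.get(attr):
            return False, f"missing required attribute {attr}"
    if root.get("Version") != "2.0":
        return False, "Version must be 2.0"
    if root.find(f"{{{SAML_NS}}}Issuer") is None:
        return False, "missing saml:Issuer"
    return True, "ok"


def build_redirect_url(idp_sso_url: str, xml_text: str) -> str:
    """The URL the browser is sent to (unsigned request, so no SigAlg/Signature parameters)."""
    return f"{idp_sso_url}?SAMLRequest={encode_redirect_binding(xml_text)}"


if __name__ == "__main__":
    request = build_authn_request(ISSUER, "id-constructed-1", "2016-11-14T14:28:27Z")
    print(build_redirect_url(IDP_SSO_URL, request))
    print(validate_authn_request(decode_redirect_binding(encode_redirect_binding(request))))
    print(validate_authn_request(decode_redirect_binding(encode_with_zlib_framing(request))))
```

Decoding a captured SAMLRequest value with `decode_redirect_binding` and passing the result to `validate_authn_request` is a quick way to tell an encoding problem (decoder returns None) from a document problem (well-formed XML that fails one of the structural checks) before looking at the endpoint itself.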
I found the problem. I created the app in the new Azure portal, and it shows the endpoint as https://login.windows.net/{myid}/saml2.
I created a new app in the old portal, and now it shows the endpoint as https://login.microsoftonline.com/{myid}/saml2.
If I look at both apps (one created in the new and one in the old portal) in the old portal, it shows https://login.microsoftonline.com/{myid}/saml2.
If I do the same in the new portal, it shows https://login.windows.net/{myid}/saml2 for both apps.
So there was no error in my code, but the new Azure AD portal is reporting invalid endpoints.

Getting users from Azure AD B2C: not supported for this API version

I have taken over part of a project from a colleague that uses Azure AD B2C.
At the moment we use the list of users in the old Azure portal to get the authentication tokens of users, which we can then tie in with the user entries in our own database. I.e. we copy-and-paste from the columns here:
It would be far more sensible to do this programmatically.
The article Azure AD B2C Preview: Use the Graph API includes sample code to download. To get it running I needed these things:
<appSettings>
<add key="b2c:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />
<add key="b2c:ClientId" value="[Enter the client ID (a.k.a AppPrincipalId) as obtained from the Azure AD Powershell, e.g. 82692da5-a86f-44c9-9d53-2f88d52b478b]" />
<add key="b2c:ClientSecret" value="[Enter the client secret that you generated, e.g. ONHJGaI232VenJIboyg8hmTlyNXh0Ef0brRRRNWBRfc=]" />
</appSettings>
I can get the Tenant and the Application ID from the new Azure Portal portal:
and my colleague has passed me the client secret from when he made the directory.
Following the article I now compile the app and run
B2C Get-User
But instead of the expected list of users from our Azure AD B2C directory I get the error message
AADSTS70001: Application my-app-id is not supported for this API version.
Trace ID: a-guid
Correlation ID: another-guid
Timestamp: 2016-07-15 10:27:15Z
How do I programmatically get the users in my Azure AD B2C directory?
Run the powershell commands from here to register a new service principal:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
This new service principal has its own appId and its own client secret.
You mixed some of these up (the AppId you chose is from a B2C application, not a B2C/AD service principal).