aadb2c90243: the idps client key/secret is not properly configured - azure-ad-b2c

I am getting the error "aadb2c90243: the idps client key/secret is not properly configured" on an Android application that I have set up for authentication with Azure AD B2C. The error occurs when I press the Microsoft social login that is amongst my social logins in the specified user flow. Any ideas?

• Please check whether your OAuth redirect URIs are correct; they should not be expired or invalid, i.e., they should be 'https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp' or 'https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp'. There should be no trace of 'login.microsoftonline.com' in the redirect URIs in the Android version of the app configured for logging into Microsoft personal accounts.
• Please check the 'App ID' and the corresponding 'App secret' created for logging into Microsoft social accounts through your app page, as they may conflict when logging in with Microsoft personal accounts using Azure AD B2C authentication. Thus, I would suggest that you check the redirect URIs for the app configured in the Azure AD B2C authentication user flow.
Please refer to the link below for more details:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-microsoft-account?pivots=b2c-custom-policy
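The answer above boils down to a shape check on the redirect URIs registered for the Microsoft-account identity provider. Below is an added example (not code from the question, the answer or Microsoft) that encodes those rules as a small audit: the tenant name, custom domain and sample URIs are constructed placeholders, and the custom-domain list is an assumption you fill in from your own tenant.

```python
from urllib.parse import urlparse

def check_b2c_authresp_uri(uri, tenant, custom_domains=()):
    """Return a list of problems with a redirect URI for the Microsoft-account IdP.
    Empty list means it matches https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/oauth2/authresp
    or https://<custom-domain>/<tenant>.onmicrosoft.com/oauth2/authresp."""
    problems = []
    p = urlparse(uri.strip())
    host = (p.hostname or "").lower()
    tenant = tenant.lower()
    if p.scheme != "https":
        problems.append("scheme must be https")
    if "login.microsoftonline.com" in host:
        problems.append("login.microsoftonline.com must not appear; use b2clogin.com or a custom domain")
    expected_hosts = {tenant + ".b2clogin.com"} | {d.lower() for d in custom_domains}
    if host not in expected_hosts:
        problems.append("host %r is neither %s.b2clogin.com nor a listed custom domain" % (host, tenant))
    expected_path = "/%s.onmicrosoft.com/oauth2/authresp" % tenant
    if p.path.lower() != expected_path:
        problems.append("path must be exactly " + expected_path)
    if p.query or p.fragment:
        problems.append("query string or fragment is not allowed")
    return problems

def audit_redirect_uris(uris, tenant, custom_domains=()):
    """Run the check over every configured URI; only failing URIs appear in the result."""
    report = {}
    for u in uris:
        found = check_b2c_authresp_uri(u, tenant, custom_domains)
        if found:
            report[u] = found
    return report

# Constructed sample configuration: tenant name, custom domain and URIs are placeholders.
SAMPLE_TENANT = "contoso"
SAMPLE_CUSTOM_DOMAINS = ("login.contoso.example",)
SAMPLE_URIS = [
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp",
    "https://login.contoso.example/contoso.onmicrosoft.com/oauth2/authresp",
    "https://login.microsoftonline.com/te/contoso.onmicrosoft.com/oauth2/authresp",
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp?p=B2C_1_signin",
]

if __name__ == "__main__":
    for uri, problems in audit_redirect_uris(SAMPLE_URIS, SAMPLE_TENANT, SAMPLE_CUSTOM_DOMAINS).items():
        print(uri, "->", "; ".join(problems))
```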

Related

Azure AD B2C Custom Identity Policy (multitenant + external identity providers)

I'm struggling with configuring Azure AD B2C so it supports multitenants and external identity providers at the same time. I have a SPA application (in Angular, using MSAL.js) with a .NET backend (.NET 4.8). I have configured "Identity providers" and followed a tutorial from the active-directory-b2c-custom-policy-starterpack sample. My app is registered in Azure. It has Authentication links configured (I tried https://xxx.b2clogin.com/xxx.onmicrosoft.com/oauth2/authresp for both WEB and SPA authentications). It has API permissions to Microsoft Graph.
No success so far. Current error: AADB2C90273: An invalid response was received : 'Error: unsupported_response_type,Error Description: AADSTS70005: 'The application requested an unsupported response type '' when requesting a token.
I suspect that the custom policy XML file is misconfigured. Unfortunately, what I lack is a general overview of how the solution is supposed to work. That's why I have the following questions. I'll appreciate any additional hints on the topic.
Questions:
When user authenticates with external identity provider (e.g., Facebook, LinkedIn, external SSO) will an account be created for him in Azure Active Directory B2C?
Do multitenant administrators have to add permissions to their users in order to use my app? How can they do that?
AADSTS70005: 'The application requested an unsupported response type '' when requesting a token. – where can I configure the response type for “this” application?
Based on the error AADSTS70005, this can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
A workaround is to allow all user consent for apps from the "Consent and permissions" blade of the enterprise applications.
Ref: Configure User consent settings:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal#configure-user-consent-settings

Okta as IDP in Azure AD

We need to configure Okta as the IDP for Azure AD applications. For example: when a user tries to access the enterprise application, they'll be challenged with a login page, which will be validated by Okta. After this authentication, the authorization will be handled by Azure, and upon successful authorization the user will be shown a landing page of the application.
We have referred below links as reference for setup:
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp
https://developer.okta.com/docs/guides/custom-url-domain/overview/
What we did so far:
Registered company "example.com" in okta. By default okta configures it as "example.okta.com"
Registered custom domain "id.example.com". Our okta instance is accessible using this domain
Created an enterprise SAML app (which also exist in Azure AD) in OKTA
Exported OKTA IDP metadata
Now, we are trying to import this IDP metadata as an external identity provider in AAD. But it fails with the error below if we map example.com or id.example.com as the domain name of the federating IDP. Because of these errors we're unable to set up the custom domain of the federated IDP (Okta). Please assist us on the approach for the same.
Error Messages:
For domain as "id.example.com"
Failed to add a SAML/WS-Fed identity provider. This direct federation policy does not pass one or more requirements. Go to aka.ms/b2b-direct-fed to learn more.
For domain as "example.okta.com"
Failed to add a SAML/WS-Fed identity provider. This direct federation configuration is currently not supported. The authentication URL must match the domain for direct federation or be one of the allowed domains. Go to aka.ms/b2b-direct-fed to learn more.
You need to go through the Azure AD federation compatibility list to learn about how to federate an Azure AD tenant with a 3rd party IDP like Okta and others.
#Kalyan Krishna
Hi,
Thanks for the reply. We have already gone through the documentation. Okta is listed as one of the supported 3rd-party federated IDPs that Azure supports. We referenced the MS docs and tried to configure it, but we observed that Azure AD doesn't support external IDP (Okta) configuration with a custom domain. It throws the error mentioned in the above post. So, we tried to configure the federated domain as ".okta.com" (including other IDP metadata details). It worked then, and for authentication Azure AD is getting redirected to Okta. The SP authentication flow works fine when the myapps URL is appended with the tenant ID, but while testing IDP-initiated SSO it fails.
IDP initiated SSO fails with OKTA as an IDP in Azure
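The second error in this thread ("The authentication URL must match the domain for direct federation or be one of the allowed domains") can be pre-checked offline before touching the portal. The following is an added example, not code from the thread, Microsoft or Okta: it parses IdP metadata of the shape Okta exports, pulls the SingleSignOnService hosts, and compares them with the domain you intend to federate. The metadata is constructed with placeholder values, and the matching rule (host equals the domain or is a subdomain of it) is an assumption approximating the wording of the error, not Azure AD's real allow-list.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed IdP metadata in the shape Okta exports; entityID and URLs are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/PLACEHOLDER-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/PLACEHOLDER-ID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/PLACEHOLDER-ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sso_hosts(metadata_xml):
    """Hostnames of every SingleSignOnService endpoint (the 'authentication URL')."""
    root = ET.fromstring(metadata_xml)
    hosts = set()
    for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        u = urlparse(sso.get("Location", ""))
        if u.scheme != "https" or not u.hostname:
            raise ValueError("SSO Location must be an https URL: %r" % sso.get("Location"))
        hosts.add(u.hostname.lower())
    return hosts

def host_matches_domain(host, domain):
    """True when host is the domain itself or a subdomain of it ('.okta.com' == 'okta.com')."""
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def check_direct_federation(metadata_xml, federated_domain, allowed_domains=()):
    """Map each SSO host to whether it matches the federated domain or an allowed one.
    Assumption: this approximates the error's wording; Azure AD's real allow-list is not reproduced."""
    candidates = [federated_domain, *allowed_domains]
    return {h: any(host_matches_domain(h, d) for d in candidates)
            for h in sso_hosts(metadata_xml)}

if __name__ == "__main__":
    # Mirrors the thread: a custom domain fails, the ".okta.com" workaround passes.
    print(check_direct_federation(SAMPLE_METADATA, "id.example.com"))
    print(check_direct_federation(SAMPLE_METADATA, ".okta.com"))
```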

IDP initiated SSO fails with OKTA as an IDP in Azure

We have configured Okta as an IDP in Azure AD. While testing the IDP (Okta) authentication flow, it throws an error.
Configured Okta and Azure AD using the Microsoft link below as a reference.
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
What we did so far:
Registered company "example.com" in OKTA.
Created a custom SAML app in OKTA to export the OKTA IDP metadata
Configured the app SSO settings as above reference link
Imported OKTA metadata as external IDP in AzureAD
Followed below steps to test IDP Authentication Flow
Logged in with the existing user in OKTA
After successful authentication, user is redirected to dashboard page
Here, when we click on the custom app chiclet, instead of getting redirected to the Microsoft apps portal, it throws the error below:
AADSTS50107: The requested federation realm object 'http://www.okta.com/xxxxxxxxxxxxxxxxxxxx' does not exist.
I think direct federation doesn't support IDP-initiated login; you need to log in using the tenant context.
Have you seen that note in the link you pasted?
Direct federation guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid= or https://portal.azure.com/, or in the case of a verified domain, https://myapps.microsoft.com/\.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Direct federation users are currently unable to sign in using common endpoints that have no tenant context. For example, using https://myapps.microsoft.com, https://portal.azure.com, or https://teams.microsoft.com will result in an error.

ADFS and Azure AD OAuth (User account ... from external identity provider ...)

For the last few weeks I've been trying to solve one BIG problem with Azure Active Directory and OAuth authorization.
Now we have an Azure AD tenant and an API application in that tenant. We use it for OAuth and the Office 365 API. Everything is OK, except one thing: our users can't change their passwords by themselves, they have to write to administrators (>10K users). We want to enable ADFS and give them the ability to change their password.
We tried a few times to enable ADFS and change the auth type from Managed to Federated, but after that users can't log in to our app.
If they click "log in" in our application it opens URL like:
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=...&resource=https://outlook.office365.com/
When they try to sign in there they get the error:
"User account ... from external identity provider ... is not supported for application ..."
AND!
If they sign in first in ADFS and after that sign in to the application, everything is OK.
So, what should we do to enable ADFS and use API applications?
Sorry for the bad description and bad English.

WAAD authentication with SAML: LiveId is not supported

I am developing a web application with Windows Azure Active Directory (WAAD) authentication support. In WAAD I added a user who already has a Microsoft Account.
I use the SAML 2.0 protocol for the authentication request.
In my app, upon accessing a protected resource, I redirect the user to:
https://login.windows.net/<id>/saml2/SAMLRequest=...&RelayState=...
This is the URL I copied from the WAAD management console.
The decoded SAML token looks like:
<saml2p:AuthnRequest ForceAuthn="false"
    ID="b6f579bb-c7fc-49b1-a8f1-bbe2ad99da5d"
    IsPassive="false"
    IssueInstant="2014-07-25T06:38:11.303Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2p:Issuer>....onMicrosoft.com</saml2p:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"/>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
This is working great; I am redirected to
https://login.microsoftonline.com/...
https://login.live.com/...
However, upon authenticating with a Microsoft Account user (who is also imported into WAAD), I get this error message:
ACS20031: Sign-in with LiveId is not supported for this application.
What am I missing?
On the WAAD web admin console I did not see such a setting. I tried both the Single Tenant and Multitenant options.
Is there a possibility to log in with a simple WAAD user (not LiveId) with foobar#<tenantid>.onmicrosoft.com?
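The question shows the decoded AuthnRequest but not how the SAMLRequest query parameter gets there. The added example below (not code from the question or from Microsoft) round-trips a constructed request modelled on the one above through the HTTP-Redirect binding encoding (raw DEFLATE, then base64) and then summarises the fields worth inspecting when an IdP rejects it. It also flags an Issuer placed in the protocol namespace, as in the pasted request, since the SAML core specification puts Issuer in the assertion namespace. The issuer value and ID are placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AuthnRequest modelled on the one in the question; issuer and ID are placeholders.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest ID="_constructed-id" Version="2.0" ForceAuthn="false"
  IssueInstant="2014-07-25T06:38:11.303Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>placeholder.onmicrosoft.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def encode_redirect_samlrequest(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")

def decode_redirect_samlrequest(param):
    """Reverse of the above: base64-decode, then raw-inflate (wbits=-15)."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")

def summarize_authn_request(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    warnings = []
    issuer = root.find("saml:Issuer", NS)
    if issuer is None:  # spec puts Issuer in the assertion namespace; tolerate the protocol one
        issuer = root.find("samlp:Issuer", NS)
        if issuer is not None:
            warnings.append("Issuer is in the protocol namespace; expected saml:Issuer")
    ctx = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "protocol_binding": root.get("ProtocolBinding"),
        "force_authn": root.get("ForceAuthn") == "true",
        "authn_context": ctx.text if ctx is not None else None,
        "warnings": warnings,
    }
```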
To my knowledge no.
Up to today, the only ways to get users signed in with Live ID to your application are the following:
Use Azure Active Directory Access Control Service (or better known as ACS)
Use the LiveID Web Authentication SDK
Use the Azure Active Directory with a remark. The remark is:
** You can only use LiveID to sign in with Azure Active Directory if you first provisioned that user in your directory tenant. Provisioning happens when you create a new user in your Azure Active Directory tenant and, in the process of adding, add it as a LiveID e-mail. Then you will have this user in your AAD but marked as "Sourced From" -> "Microsoft Account":
The type of federation you are trying to enforce currently only works for Microsoft Internal applications, and not for customers. The only federation service that currently works for Customers is the Access Control Service.
Here you can read a bit about the future of ACS and the plans to merge these federation capabilities into next versions of AAD. But we still haven't got to that future.
