I am having problems integrating Keycloak and Azure AD for authenticating access to a Web App.
I followed the instructions here, however at the stage of adding the Application ID URI we get this error:
Could someone explain what the issue might be? Is the verified domain of the Azure Organization, or Keycloak?
Thanks in advance.
Looks like my issue is due to this MS change.
Fix is to add a 'Custom Domain', https://azure.github.io/AppService/2020/07/28/zero_to_hero_pt5.html.
Related
I am facing an issue with GCP and unmanaged users.
After using the transfer tool to invite someone in the organization, he unfortunately didn't read the email and the invitation timed out.
For some reasons I was not able to resend the invitation so I instead decided to create a new user.
However he keeps getting the following error now:
I checked the logs and I figured he is not using the same login type as other peoples, SAML is me and Google password being the user having the issue.
Can anyone help me on how to enforce using SAML on the authentication?
I am using Azure AD as IdP.
Thanks
This worked for me so I'll leave it here in case anyone struggle with the same issues.
In Azure Portal, select Enterprise Application and look for Google.
Then select Google Cloud/ G Suite connector
In Single sign-on ensure the contoso.com is replaced by your dns and ensure the last part framed in red is accurate to your own requirements.
Finally make sure you've enabled provisioning to have your users actually provisionned from Azure and not created in Google Workspace only.
I have a Sonarqube hosted VM in Azure, I tried to integrate with AAD, created the App Registration and given all the details like client ID, Tenant ID, etc. Unfortunately the Sonarqube is hosted without SSL, So i changed the URL from General Settings. But still i'm getting the error "You're not authorized to access this page. Please contact the administrator."
I would suggest checking the limitations for Redirect URIs for Azure AD App Registrations listed here: https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
Also make sure the app registration is done correctly. You can follow the steps mentioned here: https://learn.microsoft.com/en-us/graph/auth-register-app-v2
In case the details shared above doesn't help in fixing the authorization error, we would like to understand the actual error code AAD is throwing to SonarCube along with the correlationID and timestamp so that we can check some backend logs based on those.
I'm trying to get an AspNet Core 2.1 website to authenticate via Azure AD B2C. I've configured the Google and Microsoft Account signups in my tenant per the online instructions I found (e.g., this for Google).
But neither signup/signin option works. Links to them display on the default Azure AD B2C login page, but clicking the links triggers an error:
for Google, it causes a redirect_uri_mismatch error
for Microsoft Account, it returns a "we're experiencing technical
difficulties" error page, which has persisted for more than 24 hours,
so I doubt there's been any kind of outage
This is all occurring in a development environment, so I'm not using a publicly-registered domain (e.g., the reply uris all point back to localhost). Is that possibly the problem? If so, how do I set up the development environment correctly?
Additional Info
I solved the problem with the google identity provider.
But I'm still getting the same error with the Microsoft Account provider. However, I just noticed that there's an error message buried within the URL for the error page which doesn't get displayed on the page itself:
error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.
The first suggestion in the error message -- targeting login.live.com -- doesn't work. The Microsoft Application Portal complains about a domain mismatch.
But I don't see how to apply the second suggestion, because I don't know where the redirect_uri is generated by/stored in my web app (i.e., I defined the redirect uri in the Microsoft Application Portal, but I don't see a corresponding configuration parameter in my webapp).
Ensure that you are registering the same base reply urls in your social providers, that your application is calling from B2C.
For example:
You if your app calls https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize then the reply url in your social provider should be https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp
However, some app examples call https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/v2.0/authorize (notice the "te") so you therefore need to add a reply URL of https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/authresp
I generally add both.
Are you able to sign-up with the local email account at first?, if not this link
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-web-app
would be helpful which has a sample web app and the steps, once you are able to sing-up and authenticate , you can add identity providers as Google, Microsoft, Facebook etc., and then you can edit the sign-up or sign-in policies and add the identity providers of Google, Microsoft etc.,
I hope this helps, cheers!! please let me know if you face any issues
Suraj Revankar
Turns out the documentation I was following for setting up the MicrosoftAccount identity app was incorrect, or I was following the wrong instructions.
Basically, you need to redirect to
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
not
https://localhost:[port#]/signin-oidc
like the documentation I was originally following suggested.
Check out this question and answer for more details.
I have an Azure based web application (developed with Service Fabric framework) and when I am trying to access the token required for authorization, I am getting a below error message
AADSTS50001: The application named https://b2bxxx.com/ was not found in the tenant named xxx-xxx-xxx-Xxx-xxxx
Could some one please look provide a fix to this issue.
Rakesh.
I've been banging my head against a wall with this issue for the last couple of days.
Consent must be granted by an Azure AD Global Admin which I assume you aren't. have a look at https://massivescale.com/microsoft-v2-endpoint-admin-consent/
Hope this sheds some light on the issue.
I've been working on a multi-tenant web application that uses Azure AD authentication, and authentication will intermittently fail with the error message: "AADSTS70002: Error validating credentials. AADSTS50012: Authentication failed." To be more clear, the steps I go through are:
Go to my web app, and click on link to go to Azure AD authentication
Enter valid user credentials for Azure
If this is the first time using my web app, Azure asks the user to grant permissions to their Azure AD information
After accepting the permissions, Azure redirects to the reply URL that I've set up in Azure AD for my application, but it replies with the aforementioned error in the URL string
The application itself is a Node.js web app that uses the Passport module for Azure AD authentication, although I don't think Passport is the source of the problem because the error I get is passed by Azure to the web application's reply URL.
I haven't had luck identifying the source, but I have seen posts from people with similar issues. I have a number of AD accounts that I use both personally and for work, and it seems that there is some remnant left in the browser's cache or local storage that causes this issue because I can switch to another browser or into incognito mode and the problem resolves itself.
I'd like to identify if this is a problem with Azure itself, the way my application handles authentication, or with my work/third party applications implement AD authentication.
I am trying to reproduce this issue using the code sample here in Chrome, however failed.
Based on the same issue link you mentioned, I noticed that the endpoint for he/she using was incorrect. To develop the multi-tenant app, we need to change the specific endpoint with common like below:
https://login.microsoftonline.com/common/
Were you using the specific endpoint? If not, would you mind sharing a code sample to help us to reproduce this issue?