AADB2C90289: We encountered an error connecting to the identity provider. Please try again later - azure-ad-b2c

I am trying to set up OKTA as an external identity provider in Azure B2C with custom policies. When I try to sign in, I receive the following error:
AADB2C90289: We encountered an error connecting to the identity provider.
Please try again later.
Correlation ID: xxx
Timestamp: 2021-10-14 16:53:12Z
I have followed this tutorial - https://learn.microsoft.com/en-gb/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy.
I also followed a number of articles on this but found no concrete solution anywhere.

Related

Azure AD B2C Custom Policy with external identity provider Error AADB2C90289

I have successfully configured an external identity provider using an Azure AD B2C custom policy. The authorize endpoint is passed the correct acr_values too. As I launch the authorize endpoint, I am taken to the login screen of the identity provider. As soon as I enter my credentials and hit 'Login', I expect the authentication response to be redirected to my B2C /auth/resp URL (https://<>.b2clogin.com/<>.onmicrosoft.com/oauth2/authresp), configured with the identity provider.
However, I end up getting an exception as below:
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: ef54294f-2a9d-4e18-bc03-511bcc713cde
Timestamp: 2022-10-10 04:04:09Z
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: 42dc0316-16d5-4f5b-9552-6cc4d2f3e233
Timestamp: 2022-10-10 09:38:51Z
I have also tried verifying the client_id and client_secret being used and that seems to be fine. Moreover, logs on the identity provider side mention that the request was successful.
Awaiting quick responses, as this blocks my application completely.
Application Insights details -
Exception Message:An internal error has occurred., CorrelationID:145303ec-b8e8-4fc1-bd5d-6649bd1fb77f
I tried to reproduce the same in my environment:
This error, AADB2C90289: We encountered an error connecting to the identity provider. Please try again later., occurred
when I had not given the clientSecret of the app correctly in Azure AD B2C.
I had kept the policy key set to Generate.
Later I manually changed the policy key and put the application client secret in the key value.
In your external identity provider technical profile, make sure to provide the clientId of that particular identity provider.
Ex:
<TechnicalProfile Id="Facebook-OAUTH">
  <Metadata>
    <!-- Below, replace the value with the external identity provider's App/Client ID -->
    <Item Key="client_id">XXX0000XXX</Item>
    ....
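A small lint for exactly the misconfiguration described in this answer, added here as an example and not part of the original answer: it parses a custom policy file, finds every OpenIdConnect technical profile, and reports a client_id that is missing or still a sample value, and a client_secret that is missing or does not reference a B2C_1A_ policy key. The policy fragment, the Okta client id and the key name B2C_1A_OktaSecret are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Namespace that every Azure AD B2C custom policy document declares as its default.
NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
# Heuristic for sample values left in place of a real IdP client id (e.g. XXX0000XXX).
PLACEHOLDER = re.compile(r"^\s*$|X{3,}|0000|^\{.*\}$|^<.*>$", re.IGNORECASE)

def lint_oidc_profiles(policy_xml: str) -> dict:
    """Map each OpenIdConnect TechnicalProfile Id to a list of configuration problems."""
    root = ET.fromstring(policy_xml)
    findings = {}
    for tp in root.iterfind(".//cpim:TechnicalProfile", NS):
        proto = tp.find("cpim:Protocol", NS)
        if proto is None or proto.get("Name") != "OpenIdConnect":
            continue  # only external OIDC providers such as Okta are of interest here
        problems = []
        client_id = tp.find("cpim:Metadata/cpim:Item[@Key='client_id']", NS)
        if client_id is None:
            problems.append("missing Metadata/Item client_id")
        elif PLACEHOLDER.search(client_id.text or ""):
            problems.append(f"client_id looks like a placeholder: {client_id.text!r}")
        # The secret itself never goes in the policy; it must be a policy key reference.
        secret = tp.find("cpim:CryptographicKeys/cpim:Key[@Id='client_secret']", NS)
        if secret is None:
            problems.append("missing CryptographicKeys/Key client_secret")
        elif not (secret.get("StorageReferenceId") or "").startswith("B2C_1A_"):
            problems.append("client_secret must reference a B2C_1A_ policy key")
        findings[tp.get("Id")] = problems
    return findings

# Constructed policy fragment: one correctly wired Okta profile and one showing the
# mistakes from the answer above (placeholder client_id, no client_secret key).
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="Okta-OpenIdConnect">
      <Protocol Name="OpenIdConnect" />
      <Metadata><Item Key="client_id">0oa1b2c3d4e5f6g7h8i9</Item></Metadata>
      <CryptographicKeys><Key Id="client_secret" StorageReferenceId="B2C_1A_OktaSecret" /></CryptographicKeys>
    </TechnicalProfile>
    <TechnicalProfile Id="Broken-OpenIdConnect">
      <Protocol Name="OpenIdConnect" />
      <Metadata><Item Key="client_id">XXX0000XXX</Item></Metadata>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""
```

Running `lint_oidc_profiles(SAMPLE_POLICY)` reports nothing for the Okta profile and two problems for the broken one.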

SecurityTokenInvalidSignatureException: IDX10511

Looking for some answer. First time using Azure AD for authentication on ASP.NET Core, and we have registered the app on Azure for both my local machine and the Dev server. It works when running on my laptop, but after deploying to the Dev server and changing the Client ID value, it keeps giving me this error:
SecurityTokenInvalidSignatureException: IDX10511: Signature validation failed. Keys tried: 'System.Text.StringBuilder'.
kid: 'System.String'.
Exceptions caught:
'System.Text.StringBuilder'.
token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token, TokenValidationParameters validationParameters)
Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()
Thank you in advance.
Danny
Thank you #User 45323833 for posting your suggestion as an answer to help other community members.
"Solution from Microsoft: This problem is caused by your app registration:
You may have defined a scope from Graph API: User.Read User.ReadBasic.All Mail.Read
If a scope is set from Graph API, the token can only be validated by Graph!
You can see that in jwt.io. If the aud is like "00000003-0000-0000-c000-000000000000", the token is for Graph.
To solve the problem please follow the steps below:
To protect our own custom API, you have to register an application to represent it in Azure AD and obtain an access_token/id_token for it.
Section - Expose an API: Create a new scope: name = access_as_user
Section - API permissions: Add a new permission for your registered application and your scope access_as_user
Section - Manifest: Change the entry "accessTokenAcceptedVersion" from null to 2
Check the new token from Azure with jwt.io. If the aud equals the registered application id, the token can be successfully validated."
For more information please refer to this GitHub issue (IDX10511: Signature validation failed. Keys tried:) and the Microsoft documentation: Azure AD authentication with ASP.NET Core web application
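The jwt.io check from this answer as a script, added here as an example and not part of the original answer: it decodes a token's header and payload without verifying the signature (diagnostics only) and reports whether the aud is Microsoft Graph's well-known application id, your own registered application id (with the v2 token format that accessTokenAcceptedVersion = 2 produces), or something else. The tokens and the application id are constructed placeholders.

```python
import base64
import json

# Well-known application id of Microsoft Graph. A token whose aud is this value was
# minted for Graph, not for your API, so your API's key set cannot validate its signature.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
MY_APP_ID = "11111111-2222-3333-4444-555555555555"  # assumed placeholder for your app registration


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> tuple:
    """Return (header, payload) WITHOUT signature checking: diagnostics only, never authz."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def classify_audience(token: str, my_app_id: str) -> str:
    """Reproduce the jwt.io check from the answer: which resource is this access token for?"""
    _header, payload = decode_unverified(token)
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if GRAPH_APP_ID in auds:
        return "graph"  # Graph scopes were requested; only Graph can validate this token
    if my_app_id in auds or f"api://{my_app_id}" in auds:
        # accessTokenAcceptedVersion = 2 in the manifest yields ver "2.0" and aud = app id
        return "mine-v2" if payload.get("ver") == "2.0" else "mine-v1"
    return "other"


def _fake_jwt(header: dict, payload: dict) -> str:
    """Constructed, unsigned sample token; the third segment is a dummy, not a real signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"


# Constructed samples: a token requested with Graph scopes, and one for our own scope.
GRAPH_TOKEN = _fake_jwt({"alg": "RS256", "kid": "abc"}, {"aud": GRAPH_APP_ID, "scp": "User.Read Mail.Read"})
API_TOKEN = _fake_jwt({"alg": "RS256", "kid": "abc"}, {"aud": MY_APP_ID, "ver": "2.0", "scp": "access_as_user"})
```

`classify_audience(GRAPH_TOKEN, MY_APP_ID)` returns "graph", the case that produces IDX10511 in your API, while the token for the access_as_user scope returns "mine-v2".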

Invalid resource error after following the azure AD angularJS to dotnet web api guide (description:AADSTS500011)

I have been following after this guide step by step:
https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi
The only thing that I didn't do (not sure if it's related) is the following line:
"Also in the ToGoAPI project, open the file Controllers/ToGoListController.cs. In the [EnableCors...] attribute, enter the location of the To Do SPA client. By default it is https://localhost:44326. Make sure to omit the trailing slash."
The reason I didn't do it is simply because I can't find any [EnableCors...] in the code. I did try to enable CORS in a different way though, following this:
https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api#enable-cors
Anyway, I get the following error:
"Error :invalid_resource
adal.js:973 Error description:AADSTS500011: The resource principal named https://yorecisraportsco.onmicrosoft.com/ToGoAPI was not found in the tenant named yorecisraportsco.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 64213edc-4b12-4caa-aa4e-b9ec82bd3000
Correlation ID: 607d25c1-d915-46eb-ba48-67adb70ddab8
Timestamp: 2019-03-04 12:41:33Z"
I am not sure why this is happening, as I followed the guide, configured everything in Azure like it said, and also configured it in the code.

B2C internal error on SignUp

I'm trying to set up an Azure AD B2C account in an MVC 5 app. But after following all the tutorials in the Azure docs I'm getting a strange error; maybe it is a wrong configuration or something related, but I followed the guides step by step and am still getting the error.
When I run my SignUp policy and enter all required claims (currently only EmailAddress, GivenName and SurName), then click on Create, I get an AuthenticationFailed notification in my website, with the following exception:
AADB2C90063: The B2C service has an internal error.
Correlation ID: 859eabf9-9e21-44af-9219-1857e38e9ab2
Timestamp: 2016-06-14 03:37:06Z
If I create the user in the directory manually via the Azure Management Portal (http://manage.windowsazure.com/), I can log in to the app and list all claims, but I can't sign up because I always get the above error.

Realm not found (ACS, ADDS, AD FS)

I am playing around with the Azure free trial and followed this tutorial (http://haishibai.blogspot.de/2012/11/complete-walkthrough-setting-up-adfs-20.html) titled "Setting up a ADFS 2.0 Server on Windows Azure IaaS and Configuring it as an Identity Provider in Windows Azure ACS".
When it comes to starting the MVC Web Application I am confronted with the following in the browser:
An error occurred while processing your request. HTTP Error Code: 400
Message: ACS20000: An error occurred while processing a WS-Federation
sign-in request. Inner Message: ACS50001: Relying party with realm
'https://ACS-NAMESPACE.accesscontrol.windows.net/' was not found. Trace ID:
64827ce0-71d2-49bf-996c-aadf23779fc7 Timestamp: 2012-12-13 22:17:12Z
Where ACS-NAMESPACE is the name of my ACS namespace.
I can say that I followed the steps given in the tutorial correctly, as I went through it several times. However, I cannot figure out what the problem with my realm specification is.
Note: When I configure Google or Windows Live as identity providers in ACS instead of ADFS, everything works.
Thanks,
David
The realm should be the URL of your MVC Web Application not the ACS URL - see http://msdn.microsoft.com/en-us/library/windowsazure/gg185906.aspx#BKMK_1 for an explanation.
If the realm is not found on ACS it is probably incorrectly configured as a ServicePrincipal on the WAAD Management service using PowerShell.
Please check the following and make sure you are configuring the correct ACS namespace (and not the WAAD tenant name):
See if it is listed correctly by using
Get-MsolServicePrincipal
To create another one use the following cmdlets:
$replyUrl = New-MsolServicePrincipalAddresses -Address "https://ACSNAMESPACE.accesscontrol.windows.net/"
New-MsolServicePrincipal -ServicePrincipalNames @("https://ACSNAMESPACE.accesscontrol.windows.net/") -DisplayName "ACSNAMESPACE Namespace" -Addresses $replyUrl