I am trying to understand how to perform a logout in Azure B2C (I have a custom policy set up for SAML authentication). From my understanding there are two types of bindings, HTTP-Post and HTTP-Redirect. I checked the metadata file and it has both listed. I assume I can simply log out the user by redirecting them to the URL listed in the metadata file:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/B2C_1A_signup_signin/samlp/sso/logout" />
When I do that, I get a generic Azure error page:
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
I am not sure why it even says "signing you in". Am I doing something incorrectly here?
Is there more information I should be passing? I even tried using the post_logout_redirect_uri query string param and that doesn't work either.
I've been attempting to authenticate requests to an Azure App Service for some time now and I'm completely stumped; I just can't seem to get the Microsoft.Azure.Mobile.Client to accept and successfully authenticate against a known "good" token.
Overall, all I want is to be able to successfully pull up a web browser in Xamarin Forms, authenticate the user either with Azure, Google or other social authentication, and then use a token to authenticate against an Azure App Service (EasyTables), which I already have running but without authentication enabled. For some reason none of the resources I've found have provided a clear way of doing this, and I'd be grateful for any help.
Here's the main config of what I have so far:
I've got an app successfully reading and saving data tables to an Azure-hosted EasyTables implementation. Tables are read (and written) using the standard form:
var locations = (await App.MobileService.GetTable<Location>().ToListAsync());
The MobileServiceClient is instantiated in the App.xaml.cs file as follows:
public static MobileServiceClient MobileService = new MobileServiceClient("https://mywebapp.azurewebsites.net");
As I say above, this works fine when accessing and saving data to the online services.
Going to the Azure Portal, I've activated "App Service Authentication" under Settings --> Authentication / Authorization, and I've also set up an Azure Active Directory Authentication Provider. Under this provider I've set up the Client ID of an Azure Active Directory instance (under Manage --> App Registrations).
Going back to Xamarin, I have successfully managed to authenticate against this using the approach by Steven Thewissen here. In particular, I've created an "MSAuthService" helper, which successfully pulls up a web browser, allows you to log in with Microsoft credentials, following which it's able to retrieve your account name and various other things from Microsoft Graph - including the Access Token.
I'm now trying to use this access token to log into the MobileService I'm using to access EasyTables, using the following:
JObject auth_token_jobject = new JObject();
auth_token_jobject["authenticationToken"] = token;
var output = await App.MobileService.LoginAsync(
    MobileServiceAuthenticationProvider.MicrosoftAccount,
    auth_token_jobject);
However, whenever I do this, I still get an "Unauthorized" error, produced by the last line above.
I understand that others (e.g. here) seemed also to have the same problem, but there was no resolution on that post.
Other things I've tried, but haven't managed to get working completely, are below. As above, the closest I've got, by successfully authenticating albeit through Microsoft Graph rather than with my web service specifically, is the process above:
Overview of Authorization with EasyTables etc here - although this doesn't seem to provide any clear code for Xamarin to authenticate against.
Latest Xamarin blog and explanatory materials (here and here), but although the process using the await WebAuthenticator.AuthenticateAsync method appears to be a lot simpler than the example I was using above, there doesn't seem to be any detail provided about how you generate the URI required to call the authentication page, nor a step by step guide of how to implement it. Either way, I haven't managed to get it working...
If anyone has an easy way of getting hold of a valid token and then providing it to the MobileService client, I'd be most grateful. I suspect it's as simple as getting the token called back, for example from the Xamarin Essentials WebAuthenticator above, and then passing it with var output = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.MicrosoftAccount, auth_token_jobject) but I just can't seem to get it working so far.
Thanks a lot!
Oliver.
There are a couple of issues here (on re-reading it a few times):
You are using MobileServiceAuthenticationProvider.MicrosoftAccount - you should be using "aad" instead.
AAD needs an access token - see https://learn.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#validate-tokens-from-providers for the details on what needs to be provided.
If the token you get back is really an MSA token, then you still need to provide an access_token field (and not an authenticationToken field)
If you don't need anything special, you should be able to just use .login() like this:
await App.MobileService.LoginAsync("aad", "your-method");
For more details on this, see one of the authentica
How can I change the identity, as an IDP, of the WSO2 IS?
It seems to always call itself localhost!
Some context...
I have deployed an IS and am trying to authenticate against it using SAML2.
Every single example I can find on the internet deploys IS on the same server as the SP, so the IS is on localhost! (by the way, I do arrive at a working IS-SP login on a single computer)
But this is not my case, SP and IS are on two different VMs. When I try to authenticate, after logging in, I get an error:
Caused by: SimpleSAML_Error_Exception: Cannot retrieve metadata for IdP 'localhost' because it isn't a valid IdP for this SP.
I think this error is on the SP side, generated by simpleSamlPhp.
From what I understand, this means that:
* the SP calls the IDP (IS) with a given IDP id (not localhost!) and SP id
* the IDP manages to ask us for login/passwd
* the IDP sends a SAML2 message to the SP
-> here, the IDP probably calls itself "localhost"
* the SP tries to get config (metadata?) for localhost and can't find any!
So the question is: how can I change the IDP id that the IS uses to answer?
I have changed the server name in carbon.xml, and I have changed every localhost I could find in identities.xml, but to no avail.
Thanks for any tips!
In the management portal of WSO2 IS:
go to Main / Identity Providers / List
Click on "Resident Identity Provider"
Expand "Inbound Authentication Configuration"
Expand "SAML2 Web SSO Configuration"
Fill in the "Identity Provider Entity Id:"
Note that, without knowledge of the keyword "resident", I have not found this information in any doc, web page or blog.
All examples are provided with localhost.
The place this configuration is stored is not intuitive: going to "identity providers" gives the message "No Identity Providers registered", so it's easy to miss that this is the page where this configuration lies. The link looks like a title. Subtle, but it may cost a lot of time! :-)
WSO2 makes great products, but the tutorials and docs would benefit from being more open or diverse, I don't know. For example, one can call an endpoint "localhost/saml", but is there any other way to call it? What will change? Is there an example somewhere of a deployment with lots of strange and distinct values for fields, "foo", "bar", etc.?
Hope this helps others, via google search at least! :-)
Without changing anything in my web.config, or anything else that to my knowledge should have any impact on my application's authentication through AAD, I receive this error:
AADSTS20031: The supplied wctx is not valid. This can be caused by
caching redirect responses or using an incorrect URL to access the
service.
I did publish an update, but as far as I know it does not have anything to do with it.
If I open a new tab and log in to my application I am authenticated. The problem seems to be with the redirection to my application.
I would appreciate any lead on how to overcome this obstacle.
I have a scenario where we use Thinktecture Identity Server (IdSrv) as both an R-STS and an IP-STS, as well as an O365 / WAAD tenant as an additional IP-STS. The user chooses which Identity Provider to use via the Home Realm Discovery functionality in IdSrv.
Now, implementing a unified WS-Federation wsignout from the RP is difficult, since I can't get the signout process to work properly against WAAD (against the Thinktecture IP-STS it works fine):
Sorry, but we're having trouble signing you out.
We received a bad sign-out request.
If you wish to sign-out, please click the following link.
ACS20028: The requested redirection URL is invalid.
Well, the wreply URL parameter points to the RP, which the WAAD instance has no knowledge of.
If I try to follow the Sign-Out link, I get
Sorry, but we're having trouble signing you out.
We received a bad request.
ACS20026: The wtrealm parameter is missing or incorrect.
I've tried to modify the URL directly so that its wreply points to the IdSrv (which really is an RP of the WAAD), but I can't get it to work.
Has anyone gotten this to work?
We're building an application which uses ACS. Our usage scenario looks like this:
1. The user gets a URL like this one https://our.application.com/?requestId=123456 via email and clicks on it
2. The user gets redirected to the LiveID login screen
3. After logging in, ACS forwards the user to us, but to https://our.application.com/
Unfortunately, it seems that the "Return URL" setting in the "Relying Party" on the "Access Control Service Portal" is just a fixed string. Is there a way to propagate the original request to it? If not, what would you suggest as a workaround?
The answer is actually yes, but not without a little work. In step 3, your return URL is being overridden by the one you have configured in your ACS RP by the default ACS login page. This is the page, which ACS hosts for you by default, where you choose your identity provider. (You may not always see it in the browser; it will redirect automatically if you only have one IDP configured.)
You can tell ACS to use a custom login page that you host yourself so that this original URL gets saved. You can download the default ACS login page from ACS portal as something to work off of.
The tricky part comes from the fact that different identity providers using different protocols use different mechanisms to save this original URL.
Some further discussion and code samples about this can be found here, and you might find further solutions to this problem elsewhere on the web:
How do I get the return URL working properly again after downloading a login page from Azure ACS?
I believe the answer's no, and I would suggest using a cookie to store the parameter.
If you want to provide a "returnUrl" via ACS + Microsoft Account you can query the ACS login pages via IdentityProviders.js and pass a "context", e.g.: https://MyACS.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=MyRealm&reply_to=&context=foooobar&request_id=&version=1.0&callback=&wfresh=0
As a result you will get the Login-URL for Microsoft Account with the wctx parameter:
https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=...&wp=MBI_FED_SSL&wctx=cHI9d3NmZWRlcmF0aW9uJnJtPXVybiUzYW9uZW9mZml4eCUzYWRldiUzYWRlZmF1bHQmY3g9Zm9vb29iYXI1 <-- foobar.
After the login process your configured returnUrl is invoked with the wctx parameter (in my example you will get "foobar").
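The wctx value quoted above decodes to a query-string-like payload that carries the context. The following is an added Python example, not code from the answer or from ACS, that decodes such a value, round-trips the requestId from the original question, and validates the recovered context before an application would trust it for a redirect. The field names pr/rm/cx and the payload layout are inferred from that single quoted value, so they are an assumption.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# wctx value quoted in the answer above (taken from the post, not constructed).
WCTX_FROM_POST = (
    "cHI9d3NmZWRlcmF0aW9uJnJtPXVybiUzYW9uZW9mZml4eCUzYWRldiUzYWRlZmF1bHQmY3g9Zm9vb29iYXI1"
)

# Assumption: only a bare request id is an acceptable "return context". A full
# URL or anything else is rejected, so a tampered wctx cannot steer the redirect.
CONTEXT_RE = re.compile(r"^requestId=\d{1,12}$")


def decode_wctx(wctx: str) -> dict:
    """Base64-decode wctx and split it into its pr/rm/cx fields (layout assumed)."""
    padded = wctx + "=" * (-len(wctx) % 4)           # tolerate stripped '=' padding
    payload = base64.b64decode(padded).decode("ascii")
    fields = parse_qs(payload, strict_parsing=True)   # also %-decodes the realm
    return {k: v[0] for k, v in fields.items()}


def encode_wctx(realm: str, context: str, protocol: str = "wsfederation") -> str:
    """Build a wctx in the same layout (hypothetical inverse of decode_wctx)."""
    payload = urlencode({"pr": protocol, "rm": realm, "cx": context})
    return base64.b64encode(payload.encode("ascii")).decode("ascii")


def recover_request_context(wctx: str):
    """Return the validated cx value, or None if it is missing, malformed or untrusted."""
    try:
        cx = decode_wctx(wctx).get("cx", "")
    except ValueError:                                 # covers binascii.Error and UnicodeDecodeError
        return None
    return cx if CONTEXT_RE.match(cx) else None


if __name__ == "__main__":
    print(decode_wctx(WCTX_FROM_POST))
    # Round trip for the requestId scenario from the original question (constructed values).
    good = encode_wctx("urn:example:realm", "requestId=123456")
    print(recover_request_context(good))                                  # requestId=123456
    print(recover_request_context(encode_wctx("urn:example:realm", "https://not-our-app.example/")))  # None
```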