I've beed trying to get azure-ad-b2c to be a IDP with localaccounts for Splunk SAML SSO.
with
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
Presently I've got different error messages like
Verification of SAML assertion using the IDP's certificate provided
failed. Unknown signer of SAML response
Verification of SAML
assertion using the IDP's certificate provided failed. Error: failed
to verify signature with cert
Also, given I get this to work, I still need to extract security group association and exposed to Splunk. I think this article is relevant....
Anyone have a good writeup to get this going?
Brgds
Kristen
If this is a new B2C setup, have you used the MS Azure test app to verify?
https://samltestapp2.azurewebsites.net/SP
Based on the error, it sounds like Splunk needs to trust the certificate used for SAML signatures.
Related
I have a validate-jwt instruction in my APIM API policy (<inbound> section).
I am sending a hopefully correct token in a header and the request still fails.
What would be the way to find out from the APIM which specific JWT token validation check has failed?
I have figured out how to do the logging.
Enable Application Insights for APIM, set 100% sampling for your desired API and enable necessary flags (see Application Insights for APIM.
In the designated Application Insights instance, the JWT token issues are found if you query
exceptions
| where type contains "Token"
Note that type is different depending on what is wrong with the JWT token, but I am speculating that all relevant types might start with "Token..."
so you get something like
IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/(abriged UUID)/'. Did not match: validationParameters.ValidIssuer: '' or validationParameters.ValidIssuers: 'https://login.microsoftonline.com/{tenantid}/v2.0'.
outerMethod
validate-jwt
Also, from App Insights' Application map one can click through to failed requests and drill down to exceptions arriving at similar log outputs.
Have you checked that the JWT is in fact valid? To do this you can paste the whole token value to https://jwt.ms in order to decode the token to see if you are missing any information.
If the token is valid, I would suggest setting up Application Insights for APIM if you haven't done that already and see if you can get any more relevant information from the logs there.
I'm facing an issue with AzureB2C and SSO.
I've got a custom policy and a UserFlow, both using SingleSignOn-Scope "tenant" and both use the same federated IdP (AzureAD).
Now, when using the one flow for signing in, SSO is working. But when signed in and switching to another app which is using the other flow, I get "We're having trouble signing you in..."
Regarding the custom policy, I did not change the SSO technical profiles from the starter pack, nor adding any other claims to the relying party. The output token of both flows look the same
Any idea what could be wrong or how I could debug this?
Ok, I found out what's going on here.
In fact, UserFlows use different signing keys then custom policies. UserFlows include some reference to Microsoft-internal keys which cannot be used in custom policies.
Therefore, I guess, the session cookie is encrypted differently and cannot be used accross UserFlows-CustomPolicies.
The same happens if you protect your Api with a UserFlow-Policy and you have your UI use a CustomPolicy. The API will throw an invalid signature exception.
Conclusion:
You either stay with customPolicies or UserFlows throughout your entire infrastructure.
(Somebody should actually address this to Microsoft)
I am using the Microsoft Graph API along with Microsoft Authentication Library (MSAL) to acquire access tokens and I can successfully retrieve the access token, id token and refresh token. I can also successfully validate the id token. However, I cannot do the same for the access token as I'm getting this error:
raise InvalidSignatureError('Signature verification failed')
jwt.exceptions.InvalidSignatureError: Signature verification failed
I've reviewed as best as I can the microsoft documentation regarding validation here:
Microsoft identity platform access tokens
For validation, I can successfully decode using the jwt.ms site for jwt validation. So I know the tokens are good. I can see from the decode the claims and extract the aud(audience) and iss(issuer). These values are not the same for the id token (which I can successfully validate).
I am using the public keys from the following url as documented:
https://login.microsoftonline.com/<TENANT ID>/discovery/keys
So, what I missing in regards to validating the access token? (if I can validate the id token with no issues). How else can i troubleshoot this?
Jim's answer is correct and there are 2 use cases really - so it depends what you are trying to do:
Getting an access token for Microsoft resources - such as Graph - in which case you don't validate them
Getting a token for your own API resources, in which case you need to validate them. For this to work you need to 'expose an API scope' to get a different type of access token
Behaviour is not intuitive in my opinion, since I like to build standards based solutions. If it helps, here is a visual blog post of mine on getting the second scenario above working.
As far as I knew, we do not need to validate Microsoft graph signature. Because MsGraph recognized an opportunity to improve security for users. They achieved this by putting a ‘nonce’ into the jwt header. The JWS is signed with a SHA2 of the nonce, the nonce is replaced before the JWS is serialized. To Validate this token, the nonce will need to be replaced with the SHA2 of the nonce in the header. Now this can change since there is no public contract. So When calling Microsoft Graph, you should treat access tokens as opaque. For more details, please refer here and here
I have a JWT retrieved using a usernamemixed endpoint in ADFS 3.0 and now I need to validate this token from a node.js application. How do I achieve this? I know how to validate this token from a WebAPI. I need to do pretty much the same thing in Node.js application. Can I rely just on validating signature of the token(Token Signing Certificate) in node.js, can it be spoofed?
Token validation includes signature checks, but that's not all; you need to check for validation, audience, issuer, etc etc (see http://www.cloudidentity.com/blog/2014/03/03/principles-of-token-validation/).
This is normally achieved by using a validation library that reads the issuer metadata and uses it to validate incoming tokens. If you'd be using ADFS "4.0" you could simply take the Azure AD web API node sample in https://github.com/Azure-Samples/active-directory-node-webapi and point it to ADFS instead. ADFS "3.0" doesn't expose metadata using the openid connect discovery spec, used by that sample, hence the code won't work as-is. However it does provide the same info in its ws-federation metadata doc. If you implement the same scenario using the ASP.NET middleware and capture the network trace, you'll see how you can implement the same check yourself. If you can upgrade your ADFS instance to "4.0", that would be vastly preferable - way less custom code necessary.
This is a basic question about SAML protocol and how it specifies verification of a SAML token.
Looking an different diagrams and resources, it looks like the service provider doesn't need to make calls to the Identity Provider (IdP) in order to verify a SAML token.
I am interested in clarifying step 5 (Request the Assertion Consumer Service at the SP) from wikiSAMPL_wiki.
Mainly token verification is done on Service Provider without additional calls to IdP.
Token validation consists of the 3 steps:
1.Verify token is well-formed
2.Verify token is coming from the intended authority
3.Verify token is meant for the current application
Is this assumption right ?
From a very high level, yes, your three steps are correct.
More specific:
1 will include decoding the base64 encoded response, checking against
schema, etc.
2 will be done via signature validation, checking the authority,
seeing if it's a response to a sent AuthnRequest and matching it,
etc.
3 comes from checking the relay state and ensuring that it is a
location that is "protected" by the service provider