SonarQube Azure AD Integration - azure

I have SonarQube hosted on a VM in Azure. I tried to integrate it with AAD, created the App Registration and gave all the details like client ID, tenant ID, etc. Unfortunately SonarQube is hosted without SSL, so I changed the URL in General Settings. But I'm still getting the error "You're not authorized to access this page. Please contact the administrator."

I would suggest checking the limitations for Redirect URIs for Azure AD App Registrations listed here: https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
Also make sure the app registration is done correctly. You can follow the steps mentioned here: https://learn.microsoft.com/en-us/graph/auth-register-app-v2
In case the details shared above don't help in fixing the authorization error, we would like to understand the actual error code AAD is throwing to SonarQube along with the correlation ID and timestamp so that we can check some backend logs based on those.

Related

How do I configure Azure SSO between two Azure AD Instances?

I am very new to SSO and am having trouble enabling cross company SSO. I work on a React SPA and used the MSAL React Library to implement SSO for our application. I created a non-gallery Enterprise Application in Azure, and used that subscription information to validate users on the application during login. This is all working as expected.
After providing our SAML SSO configuration to companyB, the user at companyB cannot sign on and is getting the following error...
"Selected user account does not exist in tenant 'XYZ' and cannot access the application '123-456-789' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."
To me, that means I need to manually add the user who is attempting to log in, but that would negate the usefulness of integrating the two Azure ADs. I've provided all of my SAML configuration to companyB, and still no luck. What could I be missing?
In order to create the link between the two Azure ADs, the user just needs to create a non-gallery application with SAML SSO enabled and the SAML config, right? Any insight into this issue would be greatly appreciated!
I realized my code was configured to only work for one tenant; pointing to the common login endpoint solved this issue.

Keycloak integration with Azure AD

I am having problems integrating Keycloak and Azure AD for authenticating access to a Web App.
I followed the instructions here, however at the stage of adding the Application ID URI we get this error:
Could someone explain what the issue might be? Is the verified domain that of the Azure organization, or of Keycloak?
Thanks in advance.
Looks like my issue is due to this MS change.
Fix is to add a 'Custom Domain', https://azure.github.io/AppService/2020/07/28/zero_to_hero_pt5.html.

Azure AD B2C Social Signups Failing

I'm trying to get an AspNet Core 2.1 website to authenticate via Azure AD B2C. I've configured the Google and Microsoft Account signups in my tenant per the online instructions I found (e.g., this for Google).
But neither signup/signin option works. Links to them display on the default Azure AD B2C login page, but clicking the links triggers an error:
for Google, it causes a redirect_uri_mismatch error
for Microsoft Account, it returns a "we're experiencing technical difficulties" error page, which has persisted for more than 24 hours, so I doubt there's been any kind of outage
This is all occurring in a development environment, so I'm not using a publicly-registered domain (e.g., the reply uris all point back to localhost). Is that possibly the problem? If so, how do I set up the development environment correctly?
Additional Info
I solved the problem with the google identity provider.
But I'm still getting the same error with the Microsoft Account provider. However, I just noticed that there's an error message buried within the URL for the error page which doesn't get displayed on the page itself:
error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.
The first suggestion in the error message -- targeting login.live.com -- doesn't work. The Microsoft Application Portal complains about a domain mismatch.
But I don't see how to apply the second suggestion, because I don't know where the redirect_uri is generated by/stored in my web app (i.e., I defined the redirect uri in the Microsoft Application Portal, but I don't see a corresponding configuration parameter in my webapp).
Ensure that you are registering the same base reply URLs in your social providers that your application is calling from B2C.
For example:
If your app calls https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize then the reply URL in your social provider should be https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp
However, some app examples call https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/v2.0/authorize (notice the "te") so you therefore need to add a reply URL of https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/authresp
I generally add both.
Are you able to sign up with the local email account first? If not, this link
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-web-app
would be helpful; it has a sample web app and the steps. Once you are able to sign up and authenticate, you can add identity providers such as Google, Microsoft, Facebook, etc., and then edit the sign-up or sign-in policies to add those identity providers.
I hope this helps, cheers!! Please let me know if you face any issues.
Suraj Revankar
Turns out the documentation I was following for setting up the MicrosoftAccount identity app was incorrect, or I was following the wrong instructions.
Basically, you need to redirect to
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
not
https://localhost:[port#]/signin-oidc
like the documentation I was originally following suggested.
Check out this question and answer for more details.

Allow Azure AD Guest users to use app

We have an application (SPA frontend using ADAL.js and Backend with passport bearer) that authenticates using Azure AD.
Logging in with users from our own AD works fine, and we can get information regarding these accounts via MS Graph.
I am however not able to log in using Guest accounts.
Some guest accounts are just stuck at the login screen (the azure ad account selector screen).
And some external users belonging to other tenants get an error message that the app was not found in their subscription.
Is this a configuration error?
The app manifest says that the app is not for other tenants.
As guest users are at least entries in the AD, I was assuming I could somehow log in using these accounts for our own AD and get access that way.
Maybe a vague question
[edit]
The error message our external users see:
(I assume this is a config error and the app tries to authenticate using their tenant?)
Adding this here as an answer
Yes, I found the cause: I needed to pass the tenant ID in the adal.js configuration, and that solved the issue.
I was stuck in a similar issue where the users were stuck at the login screen.
I added the tenant id in adaljs configuration and that error got resolved.

Azure AD authentication fails with error message: "Error validating credentials. AADSTS50012: Authentication failed"

I've been working on a multi-tenant web application that uses Azure AD authentication, and authentication will intermittently fail with the error message: "AADSTS70002: Error validating credentials. AADSTS50012: Authentication failed." To be more clear, the steps I go through are:
Go to my web app, and click on link to go to Azure AD authentication
Enter valid user credentials for Azure
If this is the first time using my web app, Azure asks the user to grant permissions to their Azure AD information
After accepting the permissions, Azure redirects to the reply URL that I've set up in Azure AD for my application, but it replies with the aforementioned error in the URL string
The application itself is a Node.js web app that uses the Passport module for Azure AD authentication, although I don't think Passport is the source of the problem because the error I get is passed by Azure to the web application's reply URL.
I haven't had luck identifying the source, but I have seen posts from people with similar issues. I have a number of AD accounts that I use both personally and for work, and it seems that there is some remnant left in the browser's cache or local storage that causes this issue because I can switch to another browser or into incognito mode and the problem resolves itself.
I'd like to identify whether this is a problem with Azure itself, with the way my application handles authentication, or with the way my work/third-party applications implement AD authentication.
I am trying to reproduce this issue using the code sample here in Chrome, but failed.
Based on the same issue link you mentioned, I noticed that the endpoint he/she was using was incorrect. To develop a multi-tenant app, we need to change the specific endpoint to common, like below:
https://login.microsoftonline.com/common/
Were you using the specific endpoint? If not, would you mind sharing a code sample to help us to reproduce this issue?
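Added example (not code from any of the threads above) tying together the two fixes the answers describe: the guest-user thread resolved by putting the tenant ID in the adal.js configuration, and the cross-tenant SSO and AADSTS50012 threads resolved by switching to the common endpoint. It builds the authority string either way and shows the check a multi-tenant app inherits once it uses common: login.microsoftonline.com will then issue tokens for any tenant, so the app itself has to decide which tenants it trusts. The tenant IDs and token payloads are constructed sample values; signature verification is left to the library (ADAL/MSAL/passport-azure-ad) and is not repeated here.

```javascript
const COMMON = "common";

// Authority used in an MSAL/ADAL config: the directory (tenant) ID for a
// single-tenant app, or "common" so any Azure AD tenant can sign in.
function authorityFor(tenantId) {
  const t = (tenantId || "").trim();
  if (!t) throw new Error("tenant id required: use the directory ID or 'common'");
  return `https://login.microsoftonline.com/${t}`;
}

// MSAL-style auth section; the field names (clientId, authority, redirectUri)
// are MSAL's, the values are whatever the app registration gives you.
function msalAuthConfig(clientId, tenantId, redirectUri) {
  return { clientId, authority: authorityFor(tenantId), redirectUri };
}

// Constructed, unsigned JWT for the sample below (header.payload., no signature).
function sampleToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(payload)}.`;
}

function decodeJwtPayload(token) {
  return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
}

// Tenant allow-list step for a token obtained through the common endpoint.
// allowedTenants === null means "any tenant" (true multi-tenant); otherwise the
// token's tid must be listed, and iss must be the issuer for that same tenant
// (v2.0 or v1 form), so a token from tenant B cannot claim to be from tenant A.
function tenantAllowed(token, allowedTenants) {
  const { tid, iss } = decodeJwtPayload(token);
  if (!tid || !iss) return false;
  const v2 = `https://login.microsoftonline.com/${tid}/v2.0`;
  const v1 = `https://sts.windows.net/${tid}/`;
  if (iss !== v2 && iss !== v1) return false;
  return allowedTenants === null || allowedTenants.includes(tid);
}

module.exports = { COMMON, authorityFor, msalAuthConfig, sampleToken, tenantAllowed };
```

For a single-tenant app, keeping the directory ID in the authority (the adal.js fix from the guest-user thread) makes Azure AD enforce the tenant for you; with common, that enforcement moves into tenantAllowed.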