Am trying to combine azure b2c and sendgrid to send a custom verification code email using SendGrid.
after performing the steps mention the reference link below, am getting an error saying
Basic credentials specified for 'SendOtp' are invalid. Check that the credentials are correct and that access has been granted by the resource.
reference link
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email-sendgrid
Stuck for entire day. any help would be appriciated.
Thanks in advance.
This may not be exactly the answer to this situation, but other times when I had the same message, it was exactly what the error said - wrong creds (username/password/token)
Azure SendGrid setup incorrect
Azure requires you to setup the SaaS solution called "Twilio SendGrid".
Did you follow the guide and did you set this up correctly?
Azure creates a SendGrid account from the portal itself, and only when that is configured correctly, it'll make a valid connection.
Wrong permissions on API key
Also make sure your SendGrid API key has the correct permissions to execute the actions you wish.
Not defining policy key
Last but not least, make sure the your policy key with the SendGrid API key is defined in the Identity Experience Framework, near your custom policies.
Related
I am facing an issue with GCP and unmanaged users.
After using the transfer tool to invite someone in the organization, he unfortunately didn't read the email and the invitation timed out.
For some reasons I was not able to resend the invitation so I instead decided to create a new user.
However he keeps getting the following error now:
I checked the logs and I figured he is not using the same login type as other peoples, SAML is me and Google password being the user having the issue.
Can anyone help me on how to enforce using SAML on the authentication?
I am using Azure AD as IdP.
Thanks
This worked for me so I'll leave it here in case anyone struggle with the same issues.
In Azure Portal, select Enterprise Application and look for Google.
Then select Google Cloud/ G Suite connector
In Single sign-on ensure the contoso.com is replaced by your dns and ensure the last part framed in red is accurate to your own requirements.
Finally make sure you've enabled provisioning to have your users actually provisionned from Azure and not created in Google Workspace only.
I have tried following this guide for setting up custom policies: Tutorial: Create user flows and custom policies in Azure Active Directory B2C.
But with the LocalAccounts only sample files. When running the custom policies it fails with a very generic error message.
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
What I would really love is either:
A guide for setting up LocalAccount custom policies with SendGrid integration or
A SendGrid integration for the UserFlows (kept simple, supply API key and template ids)
You should enable application insights logging to better understand what's going on: https://learn.microsoft.com/en-us/azure/active-directory-b2c/troubleshoot-with-application-insights?pivots=b2c-custom-policy
About SendGrid, there is a tutorial for it: https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email-sendgrid?pivots=b2c-custom-policy. You can't use SendGrid with USer Flows but only with Custom Policies.
In the pre-requisites of that doc, you can use my IEF Setup Tool, which autoamtes the article. If you select the "Remove facebook" option, you will deploy the Local+Social+MFA starter pack with the LocalAccount journey. This keeps all dependancies available if you change your mind later on.
Then you can test the policy from the Azure Portal:
Create an app registration with https://jwt.ms as the reply url and implict flow enabled.
Test the policy.
Custom email providers doesnt work for User Flows, you require Custom Policies.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email-sendgrid?pivots=b2c-custom-policy
The past few days I have spent following this guide to setting up Azure B2C as an IDP in a SAML authentication flow - https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
It was very helpful in getting me familiar with custom policies and I was able to get it working with the Microsoft Sample App as the Service Provider, but now I am struggling to figure out how to adapt what works with the Sample App to work with any real service providers that I am attempting.
Specifically, I would like to first setup Salesforce as our service provider, but am running into a wall that I am finding difficult to troubleshoot.
So far, I have created a single sign on setting in Salesforce and loaded it with the information from the metadata provided by the Azure custom policy, as well as updating the manifest for our SAML application to make the identifierUris point to the entity ID provided by the Single Sign On setting in Salesforce. The loaded data should be attempting to use the same custom policy that I was using to log in using the Sample Application and I have added the appropriate auth option to the Salesforce login page.
Now when I attempt to login through the SSO button that is on my Saleforce login page that ties to this setting, I am met with this error that I am unable to login with SSO before I am even able to enter my any credentials or met with a login screen: error
Given the somewhat vague nature of the error and the lack of logging or other tools to troubleshoot, I am sort of unsure what I might still be missing to get this working correctly or where I can even find this information. I suspect one thing that I might need still is to point the SAML app in B2C at a metadata url from Salesforce, but I have been unable to track down where I might find the metadata that Salesforce is expecting to provide it. It seems likely to me that the problem is on the Azure side of things since I am not even able to get the point where I can enter my credentials for Salesforce to reject the SAML response, and since the single sign on settings were loaded directly from the custom policy meta data XML, but I can't say for sure either way which is in part why I am not sure what to try next.
We have also looked into setting it up as an OpenID Connect SSO, but would prefer to get SAML working if possible as we are also planning to connect our B2C AD with several other applications that will require we use SAML.
Curious if anyone else has run into similar issues and was able to resolve it or if there are any ways to troubleshoot this that I might be overlooking.
Update
Using the SAML tool recommended I was able to find that the error I was hitting is as follows:
Application registered corresponding to IssuerUri "--EntityID--" in AuthRequest does not have assertion consumer service URL "--EntityId--" specified in its metadata.
According to a forum post on the SF help forums, the login URL of the Single Sign on Settings created in Salesforce should be the URL to use. However, when I attempted to add this URL to the replyUrlsWithType attribute in the manifest of the Azure app, I got an error on saving that a property has an invalid value.
Today, I integrated Salesforce as Service Provide against B2C as Idp. I did not try creating the app registration but instead I downloaded the Salesforce metadata and used it inside of my B2C policy like the code below.
Basically is the same but instead of save the Salesforce metadata(Login/Logout URIs) by registering a new application in B2C, I saved it in a XML file and pointed my B2C policy to use that metada.
<Metadata>
<Item Key="PartnerEntity">{Settings:B2C_SAML_PARTNER_ENTITY_SFE}</Item>
</Metadata>
I am attempting to use Microsoft Graph API to manage Azure AD B2C users from an application, but I have been unable to authenticate using my client id / secret.
First, I followed the steps here to register an application:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
At the end of that article, I was directed here to learn how to get an access token: https://learn.microsoft.com/en-us/graph/auth-v2-service#4-get-an-access-token
They suggest using the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, but when I use my tenant in that URL, I get the error "Tenant 'mytenant' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator."
Makes sense, that's not the kind of url I've been using anyway. But what the heck endpoint should I use? So I tried a few.
There are some endpoint suggestions in my application overview, in the format of
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/policy-name/oauth2/v2.0/token
But what is the policy name? There was nothing in the instructions about setting up a policy.
I have some user flows that might be what they're talking about, so I tried a few, like
if I use https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/token,
I get "The supplied grant_type [client_credentials] is not supported."
There are also endpoints suggested in my workflows, in the format
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in
This gives the same client_credentials error.
I also tried with a b2c_1_ropc user flow instead of b2c_1_sign_in, with similar results.
What am I doing wrong? Are the instructions incomplete? Have I not guessed the appropriate endpoint?
All of your assumed suggestions are incorrect.
The doc says to use the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, this is wholly correct.
If your B2C tenant has tenant name contoso.onmicrosoft.com, or contoso.b2clogin.com, then endpoint is https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token
In my case, my B2C tenant name (see under Tenant Properties in Azure) was Company Customers, so all my user flow endpoints were showing as:
https://Company Customers.b2clogin.com/mytenantdev.onmicrosoft.com/...
I had to update the tenant name, removing the space and then re-create my application registration and things started working. I didn't have to redo the user flows however.
So the final endpoints looked something like this: https://mytenant.b2clogin.com/mytenantdev.onmicrosoft.com/<policy-name>...
Should also note, I had to logout of Azure and back in to get the tenant name to start appearing correctly in the console.
I have a project, implemented using react js and Azure B2C. For sign-in and password reset, I used azure built-in user policies. What I want is when I add a user with the 'create Zure Ad B2C user' option, I want the user to get an email (An invite). As I know B2C doesn't have this function yet. I found out that this might be solved by a custom policy. But I don't know how. Can anyone help me with this? Thanks in advance.
This type of process would not be handled by the B2C flows. A user creation task cannot be tied to an email being sent out from our service. You would rather follow something like this:
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
You would create the user via portal or Graph API. Then generate a link and send it via a mail provider to the users email containing the link to compete the registration, eg providing their password.
Agree with #Jas.
Have a look here to see something similar for the invite flow.
Note that you should use "id_token_hint" rather than the older "client_assertion".