I'm trying to use the next-auth library to call Azure Active Directory via OAuth 2.0, but not sure how to go about doing this.
The providers format in my /api/[...nextauth].js is currently:
```javascript
providers: [
  {
    id: 'azure',
    name: 'Azure Active Directory',
    type: 'oauth',
    version: '2.0',
    scope: 'read',
    accessTokenUrl: 'https://login.microsoftonline.com/{directory_id}/oauth2/v2.0/token',
    authorizationUrl: 'https://login.microsoftonline.com/{directory_id}/oauth2/v2.0/authorize',
    clientId: process.env.OAUTH_APP_ID,
    clientSecret: process.env.OAUTH_APP_PASSWORD,
  },
],
```
This doesn't seem to be working (Error: "The reply URL specified in the request does not match the reply URLs configured for the application:"). How should I go about this?
I'm quite late with my answer, but for the sake of this question being answered:
Usually, this message means that you're missing the right redirect URI.
In Azure, open your app registration, go to Authentication and enter the redirect URI under "Single-page application".
In this case, it's going to be something like http://localhost/api/auth/callback/azure for your local development.
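An added check (not part of the question or the answer) that builds the callback URL next-auth uses for this provider id and compares it with the reply URLs registered on the Azure app registration; Azure requires an exact match, so the check reports which component differs. The base URL and the registered list are constructed for the example.

```javascript
// Added example (not from the question or the answer): derive the callback URL
// next-auth will send as redirect_uri and compare it with the reply URLs in the
// Azure app registration. Azure matches redirect URIs exactly, so the check
// reports which part differs (scheme, host, port or path). The base URL and
// registered list below are constructed.

// next-auth builds the callback as <NEXTAUTH_URL>/api/auth/callback/<provider id>
function nextAuthCallbackUrl(baseUrl, providerId) {
  return `${baseUrl.replace(/\/+$/, '')}/api/auth/callback/${providerId}`;
}

// Normalise only what never matters (case of scheme and host, default port);
// everything else, including a trailing slash, must be identical.
function canonical(u) {
  const p = new URL(u);
  const port = p.port ? `:${p.port}` : '';
  return `${p.protocol}//${p.hostname}${port}${p.pathname}${p.search}`;
}

// Explain why a registered reply URL did not match the candidate.
function differences(candidate, registered) {
  const a = new URL(candidate);
  const b = new URL(registered);
  const reasons = [];
  if (a.protocol !== b.protocol) reasons.push(`scheme ${b.protocol} vs ${a.protocol}`);
  if (a.hostname !== b.hostname) reasons.push(`host ${b.hostname} vs ${a.hostname}`);
  if (a.port !== b.port) reasons.push(`port "${b.port}" vs "${a.port}"`);
  if (a.pathname !== b.pathname) reasons.push(`path ${b.pathname} vs ${a.pathname}`);
  return reasons;
}

function checkRedirectUri(candidate, registeredList) {
  const want = canonical(candidate);
  const match = registeredList.find((r) => canonical(r) === want);
  if (match) return { ok: true, matched: match, nearMisses: [] };
  return {
    ok: false,
    matched: null,
    nearMisses: registeredList.map((r) => ({ registered: r, reasons: differences(candidate, r) })),
  };
}

// Constructed inputs: a local next-auth base URL and two reply URLs that were
// registered with small mistakes (https instead of http, trailing slash).
const CALLBACK = nextAuthCallbackUrl('http://localhost:3000/', 'azure');
const REGISTERED = ['https://localhost:3000/api/auth/callback/azure', 'http://localhost:3000/api/auth/callback/azure/'];
console.log(JSON.stringify(checkRedirectUri(CALLBACK, REGISTERED), null, 2));
```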
Related
I am looking for help with linking ADFS to GitLab. Their documentation mentions only setup with Google and Okta, but not ADFS, which drives me crazy. The AD is running on Windows Server 2019, but I have no access to it since it runs at another organization. Also, I don't have a test account or anything, so I can't test any changes. I have been guessing for 3 days already. The target is to provide access to GitLab hosted at our company for our customer, but with their AD SSO. We need to provide access from both SSOs, ours and the customer's.
I have successfully implemented SSO login from our Keycloak using OAuth; it works completely fine.
Then, we sent the following data to the customer's admin:
· ID: https://git.#####.net/
· ReplyURL / Resource: https://git.########.net/users/auth/openid_connect/callback
· Protocol: OIDC https://docs.gitlab.com/ee/administration/auth/oidc.html#keycloak
· Application type: Web App
· Claims / Rules: "openid", "profile", "email"
· Federation Metadata: No
Later, from the customer's admin I received back the link to the JWKS keys, the Federation Metadata XML, the link to the .well-known configuration, and the UserID that ADFS generates. But I tried to set up OAuth using the ID and the link, and it felt like the secret was missing. I was getting "token expired or invalid", and in the logs DiscoveryFailed(NotFound). That's why I decided to try SAML instead.
So, the questions:
· It's not possible to have two OAuth providers at once, right?
· Is it possible to set up OAuth without a secret?
· If it's not possible, how do I set up SAML in GitLab correctly?
· Which certificate fingerprint should I use, encryption or signature?
· Which claims and other things must be set in the trust in ADFS?
· Is the target URL right?
· What else am I missing?
The current configuration looks like this:
```ruby
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect', 'saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect",
    label: "##### Login", # optional label for login button, defaults to "Openid Connect"
    args: {
      name: "openid_connect",
      scope: ["openid", "profile", "email"],
      response_type: "code",
      issuer: "https://user.###########.at/auth/realms/########",
      client_auth_method: "query",
      discovery: true,
      uid_field: "preferred_username",
      client_options: {
        identifier: "#######-gitlab",
        # secret: "<YOUR CLIENT SECRET>",
        redirect_uri: "https://git.########.net/users/auth/openid_connect/callback"
      }
    }
  },
  {
    name: "saml",
    label: "###### Login", # optional label for login button, defaults to "Saml"
    args: {
      assertion_consumer_service_url: "https://git.#####.net/users/auth/saml/callback",
      idp_cert_fingerprint: "AF:92:5D:AD:DF:4A:7F.....",
      idp_sso_target_url: "https://sts.#########.at/adfs/ls",
      issuer: "https://git.#####.net/",
      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    }
  }
]
```
I have extracted idp_cert_fingerprint from both certificates present in the XML files.
I am not sure if the claim is right, so I would appreciate any help regarding configuring these things. What should I do to make it run?
Thank you!
So I recently used the quickstart method from Azure to make a JS app which authenticates using the MSAL.js library. I am able to authenticate using the normal users in AD; however, when adding Google as an external identity provider, I get the authorization error:
```text
Error 400: redirect_uri_mismatch
The redirect URI in the request, https://login.microsoftonline.com/te/{tenant-id}/oauth2/authresp, does not match the ones authorized for the OAuth client....
```
I have checked the URI in my JS app and on Azure, and added it in the Google developer console, to no avail. I have followed the documentation as per: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-google
I have tried fiddling with everything and don't know what to do to fix it. Keep in mind that when I created the Azure account, it automatically made my tenant name "Default directory" and my primary domain "{FirstName}{EmailDomain}#onmicrosoft.com". I have since changed my tenant name to "NewTenant" (I will be changing all names for the purpose of this question, as I would like to not reveal any actual details where possible).
To conceal my details I'll be making "{FirstName}": "Bob", and "{EmailDomain}": "mydomain".
JS code:
```javascript
const msalConfig = {
  auth: {
    clientId: '{ClientId}',
    authority: 'https://login.microsoftonline.com/{TenantId}',
    domain: 'bobmydomain.onmicrosoft.com',
    instance: 'https://bobmydomain.b2clogin.com/tfp',
    redirectUri: "http://localhost:3000/"
  },
  cache: {
    cacheLocation: 'sessionStorage',
    storeAuthStateInCookie: false
  }
};
```
Azure: [screenshot: Azure redirect URIs]
Google developer console: [screenshot: Google redirect URIs]
Bear in mind I fiddled with the HTML so that I could get a nice screenshot. I have also configured the ClientID and ClientSecret for Google auth in the Azure external identity provider portal.
EDIT: http://localhost:3000/ was also added as a redirect URI to the Google dev console, but also to no avail.
Any help would be appreciated.
I'm trying to implement the implicit flow using Angular 6/MSAL. The client is trying to get an ID token from Azure AD. Our AD client is configured to provide tokens only for certain users and groups. So, when an unauthorized user (still a user inside the organization) tries to log in, Azure AD directly reroutes them to the login page, which is not very intuitive. I would like to redirect them to a custom page indicating that the user is not in any of the roles required by the application.
But MSAL has no option for something like "failedRedirectUri". Can someone please tell me if this is even possible with MSAL, and if so, how do I go about configuring it?
I've tried to set the "redirectUri" from localStorage and modify it before the redirect happens, but that doesn't help.
```typescript
MsalModule.forRoot({
  clientID: '*****-************************',
  authority: "https://login.microsoftonline.com/*************************/",
  validateAuthority: true,
  redirectUri: window.location.origin,
  cacheLocation: 'localStorage',
  postLogoutRedirectUri: window.location.origin + "/loggedout",
  navigateToLoginRequestUrl: false,
  popUp: false,
  unprotectedResources: ["https://www.microsoft.com/en-us/"],
  protectedResourceMap: protectedResourceMap,
  logger: loggerCallback,
  correlationId: "1000",
  level: LogLevel.Info,
  piiLoggingEnabled: true
})
```
On login failure for the implicit flow, the user should not be redirected to the "redirectUrl" page. Instead, the user should be taken to an error page where the error description is displayed.
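An added example (not from the question, and independent of MSAL's own redirect handling): after a failed implicit-flow request Azure AD sends the browser back to redirectUri with the error in the URL fragment, so the app can read that fragment itself and route to an error page instead. The /auth-error route, the expected state value and the sample fragment are assumptions made for the example.

```javascript
// Added example (not from the question): parse the error Azure AD returns in
// the fragment (#error=...&error_description=...&state=...) after a failed
// implicit-flow request and decide whether to route to an error page.
// Route name, expected state and the sample fragment are constructed.
function parseImplicitResponse(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return {
    error: params.get('error'),
    errorDescription: params.get('error_description'),
    state: params.get('state'),
    idToken: params.get('id_token'),
  };
}

// error_description arrives in the URL, so anyone who can get a user to open a
// link controls it; render it as text only, escaped and length-capped.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function decideRoute(hash, expectedState, errorRoute = '/auth-error') {
  const r = parseImplicitResponse(hash);
  if (!r.error) return { route: null, message: null };
  // A state mismatch means this response was not produced by a request this
  // browser session started, so do not display its text at all.
  if (expectedState && r.state !== expectedState) {
    return { route: errorRoute, message: 'Sign-in response could not be verified.' };
  }
  const text = (r.errorDescription || r.error).slice(0, 500);
  return { route: errorRoute, message: escapeHtml(text) };
}

// Constructed sample: an access_denied response with markup in the description
// to show that it is escaped before display.
const SAMPLE_HASH = '#error=access_denied&error_description=User+is+not+assigned+to+a+role%3A+%3Cb%3Etest%3C%2Fb%3E&state=abc123';
console.log(decideRoute(SAMPLE_HASH, 'abc123'));
```

In the Angular app this check belongs where the redirect page is rendered (for example a route guard on redirectUri), with the message bound as text, not as innerHTML.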
(All IDs in the example below are made up. I've added them to illustrate the format of some of the parameters.)
My tenant is at acme.co.uk, but I want the web app that I've got deployed at https://subdomain.acme2.co.uk to delegate authentication of users to Azure AD.
I registered my app as below using the new portal (the field names are those used on the Azure portal):
App ID URL: https://acme.co.uk/11111111-2222-3333-4444-555555555555
Home page URL: https://subdomain.acme2.co.uk/api/auth/aad
Reply URLs: https://subdomain.acme2.co.uk/api/auth/aad/callback
and created a secret key that doesn't expire with the value '111111111111111111/aaaaaaaaaaaaaaaaaaaaaaaa='.
I've been following the passport-azure-ad GitHub sample using the v1 endpoint as a guide:
```javascript
{
  allowHttpForRedirectUrl: false,
  clientID: 'https://acme.co.uk/11111111-2222-3333-4444-555555555555',
  clientSecret: '111111111111111111/aaaaaaaaaaaaaaaaaaaaaaaa=',
  identityMetadata: 'https://login.microsoftonline.com/acme.co.uk/.well-known/openid-configuration',
  isB2C: false,
  issuer: null,
  loggingLevel: 'info',
  passReqToCallback: false,
  redirectUrl: 'https://subdomain.acme2.co.uk/api/auth/aad/callback',
  responseMode: 'form_post',
  responseType: 'code id_token',
  skipUserProfile: true,
  useCookieInsteadOfSession: false,
  validateIssuer: true
}
```
When I go to 'https://subdomain.acme2.co.uk/api/auth/aad' in my browser I get redirected to MS to log in, which I then do, but when the redirect back to 'https://subdomain.acme2.co.uk/api/auth/aad/callback' happens, I'm not authenticated.
Inspecting the headers from the callback POST request I see:
```text
In _validateResponse: jwt audience is invalid. expected: https://acme.co.uk/11111111-2222-3333-4444-555555555555,spn:https://acme.co.uk/11111111-2222-3333-4444-555555555555
```
Any ideas what I've done wrong??? [:-|
(Aside: debugging this is a pain, as I'm running in Docker and the redirects don't seem to work properly, so I have to deploy to a real environment ATM.)
OK, found it...
```javascript
clientID: 'https://acme.co.uk/11111111-2222-3333-4444-555555555555'
```
was the culprit.
That should be the app ID, NOT the app ID URI. Doh. Many thanks to #Alex Blex for the guidance. This was most helpful.
In my instance, I was using .env and getting the clientId from there.
I solved this issue by removing the quotes around clientID in my config and .env file.
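An added example (not from the question or either answer) that turns both findings above into a start-up check: it rejects a clientID that is an App ID URI or still wrapped in quotes from a .env file, and it compares a token's "aud" claim with the configured clientID the way the "jwt audience is invalid" log line does. The GUID and the token are constructed; the token is unsigned and used for the diagnostic only.

```javascript
// Added example (not from the question or either answer): a start-up guard for
// the passport-azure-ad clientID that catches both mistakes described above
// (an App ID URI where the Application (client) ID GUID belongs, and quotes
// carried over from a .env file), plus a diagnostic that compares a token's
// "aud" claim with the configured clientID the way the "jwt audience is
// invalid" log line does. All values below are constructed.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function validateClientId(clientID) {
  if (GUID.test(clientID)) return { ok: true, reason: null };
  if (/^["'].*["']$/.test(clientID)) {
    return { ok: false, reason: 'clientID is wrapped in quotes; remove them from the config or .env entry' };
  }
  if (/^https?:\/\//i.test(clientID)) {
    return { ok: false, reason: 'clientID is an App ID URI; use the Application (client) ID GUID from the portal' };
  }
  return { ok: false, reason: 'clientID is not a GUID' };
}

// Decode a JWT payload WITHOUT verifying the signature. This is only for
// reading "aud" while debugging; trust decisions stay with the library.
function decodeJwtPayload(token) {
  const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// The v1 endpoint may issue tokens whose audience is the client ID itself or
// "spn:<client ID>", which is why the log line lists both expected values.
function audienceMatches(token, clientID) {
  const aud = decodeJwtPayload(token).aud;
  const auds = Array.isArray(aud) ? aud : [aud];
  return auds.some((a) => a === clientID || a === `spn:${clientID}`);
}

// Builds an unsigned, demo-only token so the check can run offline.
function makeDemoToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const APP_ID = '11111111-2222-3333-4444-555555555555'; // made-up GUID, as in the question
const TOKEN = makeDemoToken({ aud: APP_ID });
console.log(validateClientId(`https://acme.co.uk/${APP_ID}`), audienceMatches(TOKEN, APP_ID));
```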
I want to allow my users to access my web app using their Office 365 account, in the same way that I already did with Twitter, Facebook and Google.
I have already created a web app in Azure AD.
I'm using Node.js, Passport.js and the passport-azure-oauth2 strategy.
In Azure AD, the web application is multitenant and the SIGN-ON URL is "https://nudniq.com"
APP ID URI: "https:\nudniq.com"
Reply URL: "https:\nudniq.comauth\microsoft\callback"
User Assignment required to access app: NO
Note: I'm using backslashes instead of slashes in the URLs posted here because Stack Overflow only allows me to write no more than two links.
The only permission that I ask for is:
Read all users' basic profiles
I'm creating my strategy with these values:
```javascript
clientID: '<client_id>',
clientSecret: '<client_secret_key>',
callbackURL: 'https://nudniq.com/auth/microsoft/callback'
```
But I receive the following error:
```text
TokenError: AADSTS50001: Resource identifier is not provided.
Trace ID: 95f88f5a-95b9-4d3a-86fe-19ae0bbfcc76
Correlation ID: b056150c-debd-469d-963b-ea362ca93884
Timestamp: 2016-06-29 01:38:39Z
    at AzureOAuth2.OAuth2Strategy.parseErrorResponse (/home/ec2-user/test2/fastpass/node_modules/passport-oauth2/lib/strategy.js:298:12)
    at AzureOAuth2.OAuth2Strategy._createOAuthError (/home/ec2-user/test2/fastpass/node_modules/passport-oauth2/lib/strategy.js:345:16)
    at /home/ec2-user/test2/fastpass/node_modules/passport-oauth2/lib/strategy.js:171:43
    at /home/ec2-user/test2/fastpass/node_modules/oauth/lib/oauth2.js:177:18
    at passBackControl (/home/ec2-user/test2/fastpass/node_modules/oauth/lib/oauth2.js:123:9)
    at IncomingMessage.<anonymous> (/home/ec2-user/test2/fastpass/node_modules/oauth/lib/oauth2.js:143:7)
    at IncomingMessage.emit (events.js:129:20)
    at _stream_readable.js:908:16
    at process._tickDomainCallback (node.js:381:11)
```
Please help me, I don't know what I am doing wrong.
If you are using the AzureOAuthStrategy strategy and you encounter this issue, it means you have misconfigured the resource parameter.
According to the code sample in the repository on GitHub:
```javascript
this.passport.use("provider", new AzureOAuth2Strategy({
  clientID: config.clientID,
  clientSecret: config.clientSecret,
  callbackURL: config.callbackUri,
  resource: config.resource,
  tenant: config.tenant,
  prompt: 'login',
  state: false
}));
```
we need to configure this resource parameter.
As you are using Office 365 to authenticate your users, please try setting resource to https://graph.microsoft.com.
Additionally, please regenerate your AAD application's secret key and keep it safe in your application; do not expose it to the public.
Any update, please feel free to let me know.