IDP initiated SSO fails with OKTA as an IDP in Azure - azure

We have configured OKTA as an IDP in Azure AD. While testing the IDP (OKTA) authentication flow, it throws an error.
Configured Okta & Azure AD using the Microsoft link below as reference.
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
What we did so far:
Registered company "example.com" in OKTA.
Created a custom SAML app in OKTA to export the OKTA IDP metadata.
Configured the app SSO settings as in the reference link above.
Imported OKTA metadata as an external IDP in Azure AD.
Followed the steps below to test the IDP authentication flow:
Logged in with the existing user in OKTA.
After successful authentication, the user is redirected to the dashboard page.
Here, when we click on the custom app chiclet, instead of being redirected to the Microsoft apps portal, it throws the error below:
AADSTS50107: The requested federation realm object 'http://www.okta.com/xxxxxxxxxxxxxxxxxxxx' does not exist.

I think direct federation doesn't support IdP-initiated login; you need to log in using the tenant context.
Have you seen that note in the link you pasted?
Direct federation guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid= or https://portal.azure.com/, or in the case of a verified domain, https://myapps.microsoft.com/\.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Direct federation users are currently unable to sign in using common endpoints that have no tenant context. For example, using https://myapps.microsoft.com, https://portal.azure.com, or https://teams.microsoft.com will result in an error.
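A small check for the tenant-context rule quoted above, written as an added example (not from the original thread or from Microsoft). It recognises the two forms the note names for myapps.microsoft.com (a `tenantid` query parameter or a verified `<domain>.onmicrosoft.com` path segment), treats the bare common endpoints as lacking context, and can rewrite a link to carry a tenant id; hosts it does not know about return None.

```python
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

# Common endpoints the note says fail for direct federation users without tenant context.
COMMON_HOSTS = {"myapps.microsoft.com", "teams.microsoft.com"}


def has_tenant_context(url):
    """True/False for the common endpoints; None for hosts this check does not cover."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host not in COMMON_HOSTS:
        return None
    # Form 1: https://myapps.microsoft.com/?tenantid=<tenant id>
    query = parse_qs(p.query, keep_blank_values=True)
    tenant_id = query.get("tenantid", [""])[0]
    if tenant_id:
        return True
    # Form 2 (verified domain): https://myapps.microsoft.com/<domain>.onmicrosoft.com
    path = p.path.strip("/")
    first_segment = path.split("/")[0].lower() if path else ""
    return host == "myapps.microsoft.com" and first_segment.endswith(".onmicrosoft.com")


def with_tenant_context(url, tenant_id):
    """Return the link with tenantid=<tenant_id> added (or replaced) in the query string."""
    p = urlparse(url)
    query = parse_qs(p.query, keep_blank_values=True)
    query["tenantid"] = [tenant_id]
    return urlunparse(p._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    # Constructed tenant id, not a real one.
    fixed = with_tenant_context("https://myapps.microsoft.com", "00000000-0000-0000-0000-000000000000")
    print(fixed, has_tenant_context(fixed))
```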

Related

Single Logout Implementation using ITfoxtec Library

We are trying to implement Single Logout functionality in Azure AD B2C using the ITfoxtec SAML library.
We have tried multiple configuration options, but the SingleLogout method is not working as expected.
We need a reference article or post on how to configure the manifest file when using the ITfoxtec library.
We have already referred to the articles below:
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCore
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
It sounds like you have achieved logout in Azure AD B2C initiated from your application implementing the ITfoxtec Identity SAML 2.0 component.
Single logout is the case where someone other than your application initiated logout or you want to do logout in an external IdP. For this to work you need to configure session management correctly in Azure AD B2C; maybe that is the missing part?
Also, the single logout endpoint is separate in the referred sample. The endpoint is exposed in the metadata.
Please check the below points:
You can redirect the user to the end_session_endpoint. Try whether it logs out completely with a GET request to
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{name-of-b2c-login-userflow}/oauth2/v2.0/logout?post_logout_redirect={static-webapp-url}/.auth/logout.
a) The user may still be signed in to other applications that use Microsoft accounts for authentication. To enable those applications to sign the user out simultaneously, the Microsoft identity platform sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to. See Microsoft identity platform and OpenID Connect protocol - Microsoft identity platform | Microsoft Docs
b) If you wish to support single sign-out in your application, you must implement such a LogoutUrl in your application's code. You can set the LogoutUrl from the app registration portal, or edit it in the manifest like below.
Also try giving a front-channel logout URL, which has to result in single sign-out.
Please check whether you should call the Logout method like here > sample code. The SingleLogout is called by an IdP (Azure AD B2C) if it wants to initiate logout in your relying party application.
Please check whether you are using the ITfoxtec Identity SAML2 component without a NameID, which may not be able to do logout or single logout. NameID is optional in login but not in logout and single logout.
References:
Configure Azure Active Directory B2C as a SAML IdP to your applications | Microsoft Docs
itfoxtec identity saml2 - How to single logout from Azure AD B2C with ITFoxTech SAML 2 library? - Stack Overflow

Using dynamic identity providers with Azure B2C

I have a requirement to build a web app that connects to a customer's API (authenticated as the user using the web app). This same web app will need to connect to our own internal API which is authenticated with B2C.
The problem is that each customer has their own authentication server (always Okta) and so I couldn't add an IDP for each customer in a custom policy because I'd have to add thousands and continue to add them.
Is there a way to get IDP configuration programmatically so that I can look up the correct Okta instance?
Any other suggestions are welcome.
I had a limited chance to set up the above scenario and test it in a lab.
Add the app in Okta and set the parameters below, instead of adding the app in AAD.
Login redirect URI: https://{yourb2ctenantname}.b2clogin.com/{yourb2ctenantname}.onmicrosoft.com/oauth2/authresp
Change the following settings in the B2C claims provider.
Okta OpenId Connect settings in the B2C policy:
ProviderName: https://{yourOktaTenant}/oauth2/default
METADATA: https://{yourOktaTenant}/oauth2/default/.well-known/openid-configuration
Reference link: use the link below for custom policies in B2C:
https://github.com/mleziva/azure-b2c-okta-custom-policy

Access Azure Active Directory SSO from an App outside the tenant

I have a SAML SSO setup made for an Active Directory. I have another tenant which contains an app service, a web app, which tries to authenticate using the SAML connection details.
I'm getting:
AADSTS700016: Application with identifier was not found in the directory. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Isn't it possible to authenticate users from an AD for multiple applications from different tenants using SAML SSO?
External users won't be able to log in to a single-tenant application. These users would need to exist in the same tenant.
Make your app multi-tenant as per rbrayb.
For an application that has its own account system, or supports other kinds of sign-ins from other cloud providers, adding Azure AD sign-in from any tenant is simple. Just register your app, add sign-in code via OAuth2, OpenID Connect, or SAML, and put a "Sign in with Microsoft" button in your application.
Based on the error,
Try solution 1:
Make use of the Application (client) ID, instead of using any other client ID.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Q: Azure AD B2C: SAML IDP initiated to OpenIdConnect, is it possible?

Trying to set up a custom policy in my Azure AD B2C tenant, I need to communicate with an external IDP using SAML IDP-initiated sign-on, so the client can navigate to their dashboard and click "my app", which goes against my B2C tenant, authenticates the user and sends them to my application using OpenIdConnect. It is required of me to get it integrated using SAML between my client's dashboard and my B2C tenant.
I used this article as a basis to create my custom policy using SAML. SP-initiated (through my app in Azure AD B2C) works, but now I need to get it working IDP-initiated.
Also found this idp-initiated sample, but here I got 2 problems:
This is setting up "my app" as a SAML application (protocol in my RelyingParty, not what I want).
If I change that one to use "OpenIdConnect", which is desired in my RelyingParty, I get the following error in my logs:
Policy '< myPolicyName >' in tenant '< myTenant >' does not have a supported relying party protocol
So wondering at this point, is this something that's supported? I also got this unsupported-saml-modalities from the documentation and the last bullet point says:
Identity provider-initiated sign-on, where the identity provider is Azure AD B2C.
So, not really sure if what I'm trying to accomplish is something valid; any help?
It's not possible; an IdP-initiated flow cannot respond to an OIDC relying party, only a SAML relying party.
Secondly, as the doc states, the IdP must be B2C, and it will not work for an external IdP federated to B2C.

Okta as IDP in Azure AD

We need to configure Okta as the IDP for Azure AD applications. For example: when a user tries to access the enterprise application, they'll be challenged with a login page, which will be validated by OKTA. After this authentication, authorization will be handled by Azure and, upon successful authorization, the user will be shown a landing page of the application.
We have referred to the links below as reference for the setup:
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp
https://developer.okta.com/docs/guides/custom-url-domain/overview/
What we did so far:
Registered company "example.com" in Okta. By default Okta configures it as "example.okta.com".
Registered custom domain "id.example.com". Our Okta instance is accessible using this domain.
Created an enterprise SAML app (which also exists in Azure AD) in OKTA.
Exported the OKTA IDP metadata.
Now, we are trying to import this IDP metadata as an external identity provider in AAD. But it fails with the errors below if we map example.com or id.example.com as the domain name of the federating IDP. Because of these errors we're unable to set up the custom domain of the federated IDP (OKTA). Please assist us with the approach for the same.
Error messages:
For domain "id.example.com":
Failed to add a SAML/WS-Fed identity provider. This direct federation policy does not pass one or more requirements. Go to aka.ms/b2b-direct-fed to learn more.
For domain "example.okta.com":
Failed to add a SAML/WS-Fed identity provider. This direct federation configuration is currently not supported. The authentication URL must match the domain for direct federation or be one of the allowed domains. Go to aka.ms/b2b-direct-fed to learn more.
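A pre-check for the second error above, added here as an example (not from the thread or from Microsoft): it parses the IdP metadata export, pulls the entityID and the SingleSignOnService endpoints, and reports any endpoint whose host does not match the domain being federated or one of the allowed domains. The sample metadata is constructed with placeholder values; treating a subdomain of the federating domain as a match is an assumption, and the check does not cover the "one or more requirements" error for id.example.com.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample shaped like an Okta IdP metadata export; identifiers are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://id.example.com/app/example_app/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://id.example.com/app/example_app/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return (entityID, [SingleSignOnService Location, ...]) from SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    locations = [e.get("Location") for e in root.findall(".//md:SingleSignOnService", NS)]
    return entity_id, locations


def host_matches_domain(url, federating_domain, allowed_domains=()):
    """True if the URL host equals, or is a subdomain of, any accepted domain (assumption)."""
    host = (urlparse(url).hostname or "").lower()
    accepted = {federating_domain.lower(), *(d.lower() for d in allowed_domains)}
    return any(host == d or host.endswith("." + d) for d in accepted)


def check_direct_federation(xml_text, federating_domain, allowed_domains=()):
    """Return (entityID, list of SSO endpoints that would fail the auth-URL domain rule)."""
    entity_id, locations = parse_idp_metadata(xml_text)
    mismatched = [loc for loc in locations
                  if not host_matches_domain(loc, federating_domain, allowed_domains)]
    return entity_id, mismatched


if __name__ == "__main__":
    for domain in ("id.example.com", "example.com", "example.okta.com"):
        entity_id, bad = check_direct_federation(SAMPLE_METADATA, domain)
        print(domain, "->", "ok" if not bad else f"{len(bad)} endpoint(s) off-domain")
```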
You need to go through the Azure AD federation compatibility list to learn how to federate an Azure AD tenant with a 3rd-party IDP like Okta and others.
#Kalyan Krishna
Hi,
Thanks for the reply. We have already gone through the documentation. OKTA is listed as one of the supported 3rd-party federated IDPs that Azure supports. We referenced the MS docs and tried to configure it, but we observed that Azure AD doesn't support external IDP (OKTA) configuration with a custom domain. It throws the error mentioned in the post above. So, we tried to configure the federated domain as ".okta.com" (including the other IDP metadata details). It worked then, and for authentication Azure AD is redirected to OKTA. The SP authentication flow works fine when the myapps URL is appended with the tenant ID, but while testing IDP-initiated SSO it fails.