I'm stuck trying some basic stuff.
I want to secure Azure functions with an Azure B2C login.
However I followed 7 (or more) tutorials and step by step guides but none of that are working
like https://codemilltech.com/adding-azure-ad-b2c-authentication-to-azure-functions/
My problem is as soon as the azure function is protected and I want to call it in the browser, the login appears just like expected. But after the login the azure function does not seem to be called. Instead a "You do not have permission to view this directory or page." with no further information is displayed.
Additional Info:
*) All tutorials I looked at seemed kind of outdated because the UI in Azure looks slightly different for me than in the images provided but notthing serious.
*) The Userflow is v2 (I also tried v1 without effect)
I finally found the solution.
No tutorial I looked into mentioned that you have to add the ApplicationId of the application that is used to get the token into the "Allowed token audiences" section in the advanced AD configuration.
After that the Error is gone an you can access the service like expected.
Configuration Window
Related
I have been following the Microsoft tutorial/guide for setting up SSO between two Azure bots which is found here: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication-sso?view=azure-bot-service-4.0&tabs=csharp%2Ceml. I am doing all of the bot testing in the latest version of the Bot Framework Emulator with ngrok.
I have managed to get this working correctly via Azure AD (AAD), however as part of a proof-of-concept, I want to get this working via Azure B2C. Unfortunately, there doesn't seem to be much documentation around about how to set something like this up with B2C, and so far I have not been able to get it working. I have left everything set up the same as was asked in that tutorial/demo where possible (see section below for highlighted differences).
Currently, I am able to log into each bot individually via the above tutorial/demo, but when the SSO is attempted into the skill (child) bot, (via watching the traffic in Fiddler) I see that an error of "consent required" is returned. This tells me there must be some sort of relationship/configuration breakdown between the two bots which is preventing the SSO from succeeded. As mentioned, once this fails, I then get the option in the demo to manually log into the skill bot, which does succeed.
The main differences in terms of configuration capability in AAD vs B2C seem to be:
When configuring the Azure AD app registration for the skill (child) bot, you do not have the capability to set an Authorized client application. Also on this screen, you do not have the option to set the consent for both Admins and users, therefore the consent is set to Admins only
When setting up the API permissions, the delegated permissions available for the Microsoft Graph API are much more limited (only offering openid and profile whereas in the tutorial above more permissions has been asked for)
Thus far I have tried the following to get it to work:
In the app registration for the skill bot, in the API permissions section, I added an API which points to the app registration for my main (root) bot
Manually modified the Manifest for both app registrations changing oauth2Permissions.type from Admin to User to try and relax the scope added in the Expose an API screen (as changing this does change the 'who can consent' column from 'Admins Only' to 'Admins and Users'
Different tenant combinations for the app registration (note that both app registrations are current set up as multi-tenant)
Other things of note:
For the OAuth connection strings, these are set up the same way as the tutorial/demo above, including the Token Exchange URL just pointing to the skill bot scope
I am working under the assumption here that if Azure AD works, then B2C should equally be able to work without any code changes to the demo project, except for different values in the appsettings.json files for each of the two bots.
I am also assuming that B2C SSO in this way is actually a supported feature - there doesn't seem to be a definitive answer either way.
Can someone please provide some suggestions for why this may not be working and what may be required in order to get it working? If I haven't provided sufficient information in any area, let me know and I would be more than happy to provide it.
Many thanks!
The past few days I have spent following this guide to setting up Azure B2C as an IDP in a SAML authentication flow - https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
It was very helpful in getting me familiar with custom policies and I was able to get it working with the Microsoft Sample App as the Service Provider, but now I am struggling to figure out how to adapt what works with the Sample App to work with any real service providers that I am attempting.
Specifically, I would like to first setup Salesforce as our service provider, but am running into a wall that I am finding difficult to troubleshoot.
So far, I have created a single sign on setting in Salesforce and loaded it with the information from the metadata provided by the Azure custom policy, as well as updating the manifest for our SAML application to make the identifierUris point to the entity ID provided by the Single Sign On setting in Salesforce. The loaded data should be attempting to use the same custom policy that I was using to log in using the Sample Application and I have added the appropriate auth option to the Salesforce login page.
Now when I attempt to login through the SSO button that is on my Saleforce login page that ties to this setting, I am met with this error that I am unable to login with SSO before I am even able to enter my any credentials or met with a login screen: error
Given the somewhat vague nature of the error and the lack of logging or other tools to troubleshoot, I am sort of unsure what I might still be missing to get this working correctly or where I can even find this information. I suspect one thing that I might need still is to point the SAML app in B2C at a metadata url from Salesforce, but I have been unable to track down where I might find the metadata that Salesforce is expecting to provide it. It seems likely to me that the problem is on the Azure side of things since I am not even able to get the point where I can enter my credentials for Salesforce to reject the SAML response, and since the single sign on settings were loaded directly from the custom policy meta data XML, but I can't say for sure either way which is in part why I am not sure what to try next.
We have also looked into setting it up as an OpenID Connect SSO, but would prefer to get SAML working if possible as we are also planning to connect our B2C AD with several other applications that will require we use SAML.
Curious if anyone else has run into similar issues and was able to resolve it or if there are any ways to troubleshoot this that I might be overlooking.
Update
Using the SAML tool recommended I was able to find that the error I was hitting is as follows:
Application registered corresponding to IssuerUri "--EntityID--" in AuthRequest does not have assertion consumer service URL "--EntityId--" specified in its metadata.
According to a forum post on the SF help forums, the login URL of the Single Sign on Settings created in Salesforce should be the URL to use. However, when I attempted to add this URL to the replyUrlsWithType attribute in the manifest of the Azure app, I got an error on saving that a property has an invalid value.
Today, I integrated Salesforce as Service Provide against B2C as Idp. I did not try creating the app registration but instead I downloaded the Salesforce metadata and used it inside of my B2C policy like the code below.
Basically is the same but instead of save the Salesforce metadata(Login/Logout URIs) by registering a new application in B2C, I saved it in a XML file and pointed my B2C policy to use that metada.
<Metadata>
<Item Key="PartnerEntity">{Settings:B2C_SAML_PARTNER_ENTITY_SFE}</Item>
</Metadata>
We added Windows Azure AD authentication SAML into our ASP.NET application for a few years now. Our Azure AD has the application registrations, our web.config has been configured, etc. The setup is a bit old but it has been working for a few years now.
THE PROBLEM
However, just recently whenever we are redirected to the login page on Microsoft, we get the error 'There was an issue looking up your account. Tap Next to try again.'
WHAT I'VE TRIED
I can't find any further information on this error [trying to enable diagnostics (in the little bottom-right popup with the correlation ID, trace ID) tell me 'something went wrong'].
I thought maybe it had do to with the passwords, but I've verified the credential use is working (directly logging into portal.azure.com is fine). And the error happens for ALL credentials.
I do know that Microsoft Azure recently changed the AD app registrations, but I've tried re-creating a new registration, and I still get the same error.
Lastly, oddly enough, our applications that are using OAuth 2.0 work.
Anyone have any idea?
It seems the domain for the WS-Fed Endpoint has changed from sts.windows.net to login.microsoftonline.com . Changing the address in our web.config finally got this resolved.
I'm trying to get an AspNet Core 2.1 website to authenticate via Azure AD B2C. I've configured the Google and Microsoft Account signups in my tenant per the online instructions I found (e.g., this for Google).
But neither signup/signin option works. Links to them display on the default Azure AD B2C login page, but clicking the links triggers an error:
for Google, it causes a redirect_uri_mismatch error
for Microsoft Account, it returns a "we're experiencing technical
difficulties" error page, which has persisted for more than 24 hours,
so I doubt there's been any kind of outage
This is all occurring in a development environment, so I'm not using a publicly-registered domain (e.g., the reply uris all point back to localhost). Is that possibly the problem? If so, how do I set up the development environment correctly?
Additional Info
I solved the problem with the google identity provider.
But I'm still getting the same error with the Microsoft Account provider. However, I just noticed that there's an error message buried within the URL for the error page which doesn't get displayed on the page itself:
error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.
The first suggestion in the error message -- targeting login.live.com -- doesn't work. The Microsoft Application Portal complains about a domain mismatch.
But I don't see how to apply the second suggestion, because I don't know where the redirect_uri is generated by/stored in my web app (i.e., I defined the redirect uri in the Microsoft Application Portal, but I don't see a corresponding configuration parameter in my webapp).
Ensure that you are registering the same base reply urls in your social providers, that your application is calling from B2C.
For example:
You if your app calls https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize then the reply url in your social provider should be https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp
However, some app examples call https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/v2.0/authorize (notice the "te") so you therefore need to add a reply URL of https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/oauth2/authresp
I generally add both.
Are you able to sign-up with the local email account at first?, if not this link
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-web-app
would be helpful which has a sample web app and the steps, once you are able to sing-up and authenticate , you can add identity providers as Google, Microsoft, Facebook etc., and then you can edit the sign-up or sign-in policies and add the identity providers of Google, Microsoft etc.,
I hope this helps, cheers!! please let me know if you face any issues
Suraj Revankar
Turns out the documentation I was following for setting up the MicrosoftAccount identity app was incorrect, or I was following the wrong instructions.
Basically, you need to redirect to
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
not
https://localhost:[port#]/signin-oidc
like the documentation I was originally following suggested.
Check out this question and answer for more details.
I've been working on a multi-tenant web application that uses Azure AD authentication, and authentication will intermittently fail with the error message: "AADSTS70002: Error validating credentials. AADSTS50012: Authentication failed." To be more clear, the steps I go through are:
Go to my web app, and click on link to go to Azure AD authentication
Enter valid user credentials for Azure
If this is the first time using my web app, Azure asks the user to grant permissions to their Azure AD information
After accepting the permissions, Azure redirects to the reply URL that I've set up in Azure AD for my application, but it replies with the aforementioned error in the URL string
The application itself is a Node.js web app that uses the Passport module for Azure AD authentication, although I don't think Passport is the source of the problem because the error I get is passed by Azure to the web application's reply URL.
I haven't had luck identifying the source, but I have seen posts from people with similar issues. I have a number of AD accounts that I use both personally and for work, and it seems that there is some remnant left in the browser's cache or local storage that causes this issue because I can switch to another browser or into incognito mode and the problem resolves itself.
I'd like to identify if this is a problem with Azure itself, the way my application handles authentication, or with my work/third party applications implement AD authentication.
I am trying to reproduce this issue using the code sample here in Chrome, however failed.
Based on the same issue link you mentioned, I noticed that the endpoint for he/she using was incorrect. To develop the multi-tenant app, we need to change the specific endpoint with common like below:
https://login.microsoftonline.com/common/
Were you using the specific endpoint? If not, would you mind sharing a code sample to help us to reproduce this issue?