We're trying to use AWS Cognito user pool as SP and Azure AD B2C as IdP per these instructions. Unfortunately, we haven't had any success yet. The SAML request is failing. The SAML response from Azure B2C has the following status message, indicating the RelayState content from AWS Cognito is too big (> 1000 byte max):
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
<samlp:StatusMessage>The SAML RelayState content is greater the 1000 bytes.</samlp:StatusMessage>
<IsPolicySpecificError>false</IsPolicySpecificError>
</samlp:Status>
After decoding the RelayState (2x base64), we see this (some sensitive names changed to abc's):
{
  "userPoolId": "us-east-1_Vu6ccYQri",
  "providerName": "ABCD-B2C-TEST",
  "clientId": "s1ldupjg52rk4vrrumab75nq0",
  "redirectURI": "abcdefghij://abcdefghij.abc.com/authmain",
  "responseType": "code",
  "providerType": "SAML",
  "scopes": ["aws.cognito.signin.user.admin", "email", "openid", "phone", "profile"],
  "state": null,
  "codeChallenge": null,
  "codeChallengeMethod": null,
  "nonce": "DDKMFvrQXZl1ML2Fg9pPTRVamRmx06_nWNSNV5wDsFp6-Nl4OcM2FixoNg5FHoIJ7LlT4tByiSE7-2NqeFhLhx_n7y-m_e6BQnBYFWwYdQr7LUMUj9HJDMLds1rkxP4ttwXPFMv4Yq5gpRnSkoW0jeZ1hkMIvqGZyNo8X82PZkA",
  "serverHostPort": "abcdefghijklmnopqrs.auth.us-east-1.amazoncognito.com",
  "creationTimeSeconds": 1583530949,
  "session": null,
  "userAttributes": null,
  "isStateForLinkingSession": false
}
We tried to shrink the size with everything we can control, but the smallest we could get is still too big after encoding it. The cryptographic nonce is the biggest part, but we can't control that.
We also tried tweaking the RequestContextMaximumLengthInBytes in the RP file, so far to no avail.
Any suggestions on how to deal with this problem?
This was resolved by increasing the RequestContextMaximumLengthInBytes in the Relying Party (RP) file. Although a value of 2000 still resulted in failure, 4000 was large enough to make the error go away.
<Metadata>
<Item Key="RequestContextMaximumLengthInBytes">4000</Item>
</Metadata>
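To see where the bytes actually go before touching the RP file, here is an added Python check (not from the thread or from Cognito/B2C) that builds a RelayState in the shape Cognito sends, double-base64-encodes it the same way, and compares the encoded length with a configured RequestContextMaximumLengthInBytes; all payload values are constructed placeholders.

```python
import base64
import json

# Constructed RelayState payload in the shape Cognito sends (placeholder values,
# not the identifiers from the thread). The nonce length mirrors the real one.
SAMPLE_RELAY_STATE = {
    "userPoolId": "us-east-1_EXAMPLE",
    "providerName": "EXAMPLE-B2C",
    "clientId": "exampleclientid1234567890",
    "redirectURI": "example://example.example.com/authmain",
    "responseType": "code",
    "providerType": "SAML",
    "scopes": ["aws.cognito.signin.user.admin", "email", "openid", "phone", "profile"],
    "state": None,
    "codeChallenge": None,
    "codeChallengeMethod": None,
    "nonce": "N" * 171,
    "serverHostPort": "example.auth.us-east-1.amazoncognito.com",
    "creationTimeSeconds": 1583530949,
    "session": None,
    "userAttributes": None,
    "isStateForLinkingSession": False,
}


def encode_relay_state(payload: dict) -> str:
    """Compact JSON, then base64 twice, as observed in the Cognito RelayState."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.b64encode(base64.b64encode(raw)).decode()


def decode_relay_state(relay_state: str) -> dict:
    """Reverse the double base64 and parse the JSON."""
    return json.loads(base64.b64decode(base64.b64decode(relay_state)))


def relay_state_report(relay_state: str, limit: int = 1000) -> dict:
    """Size at each encoding layer plus the field that costs the most bytes.

    `limit` is the RequestContextMaximumLengthInBytes value to test against
    (1000 is what the B2C error reports; the thread raised it to 4000).
    """
    once = base64.b64decode(relay_state)
    raw = base64.b64decode(once)
    payload = json.loads(raw)
    largest = max(payload, key=lambda k: len(json.dumps(payload[k])))
    return {
        "encoded_bytes": len(relay_state),
        "single_base64_bytes": len(once),
        "json_bytes": len(raw),
        "largest_field": largest,
        "within_limit": len(relay_state) <= limit,
    }
```

Each base64 layer adds roughly a third, so a JSON payload well under 1000 bytes still overshoots once it is wrapped twice.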
I am trying to log in to the Azure Portal. My Azure AD account is associated with 2 tenants: my regular O365 tenant, and I also have an Azure AD B2C tenant. When I access the Azure Portal in Edge, I get shown the following screen:
If I click on Next, I get taken back to the same screen as above. If I click on Skip for now, I get the following error screen:
Any ideas?
If it is a SAML request, the query string size must have been exceeded; it should not go over the limit of 4096 bytes.
Try using a Fiddler trace to check the SAML query string size and, for it not to be included, please make sure that the SAML request is not signed. The signature element is optional in the request, and Azure AD does not support/validate signed authentication requests according to Signature | Microsoft Docs.
In Azure AD B2C, to disable the SAML request signature, set WantsSignedRequests to false so that the signature parameters (query string or POST parameter) are omitted from the request.
To remove the signature from the SAML request in AAD B2C:
<Metadata>
...
<Item Key="WantsSignedRequests">false</Item>
...
</Metadata>
In other cases such as OAuth2, check the query parameter, such as the state parameter, and get it addressed with the particular application vendor or support team.
Also check AADSTS90015 while doing ADFS - Stack Overflow
I have B2C tenant xxx.onmicrosoft.com and account admin@xxx.onmicrosoft.com.
I have API Connector (Azure Function called B2CRoleAssignment) that gets triggered before including application claims in token (Preview).
When I first attempt to sign into my SPA application with admin@xxx.onmicrosoft.com this is the following payload my API Connector (Azure Function) receives:
{
"step":"PreTokenIssuance",
"client_id":"XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
"ui_locales":"en-US",
"email":"admin@xxx.onmicrosoft.com",
"objectId":"AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
"displayName":"admin"
}
When I close my SPA application and open it again, this is the payload API Connector (Azure Function) receives:
{
"step":"PreTokenIssuance",
"client_id":"XXXXYYYY-XXXX-YYYY-ZZZZ-d6b8da8e942a",
"ui_locales":"en-US",
"objectId":"AAAABBBB-CCCC-DDDD-EEEE-ad37b0ec108e",
"displayName":"admin"
}
How come the email claim is missing? On my Sign up and sign in User Flow I have selected Email Addresses application claim, but that doesn't seem to be working or doing anything at all.
The interesting thing is, this appears to only be a problem with accounts ending with @xxx.onmicrosoft.com.
• The email claim is missing during the sign-in and sign-up user flow when selecting the API connector because the Azure Function app is being considered by Azure AD B2C as an untrusted domain website/application, since the session is interrupted by closing and reopening it, due to which the session token might be considered expired/invalid immediately. As a result, the ‘email’ claim is omitted.
Thus, because of this, the email claim attribute might be returned null in the ‘application/json’ payload, as its value in the column might be missing or unknown. Hence, I would suggest that you use custom policies for sign-in or sign-up instead of the default user flows in the Azure AD B2C console. Also, ensure that in the sign-in and sign-up custom policy starter pack, or in the default custom policy that needs to be edited, you add the claims below to the custom policy output claims, so that you get ‘email’ as an attribute in the decoded response token. Adding the claims below will allow you to sign in through multiple claim attributes; you might not be getting the email claim when using claim types other than email.
<!-- This was already here -->
<OutputClaim ClaimTypeReferenceId="email" />
<!-- Added claim -->
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress"
PartnerClaimType="email" />
To find the default custom policy starter pack, refer to the link below for more details:
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
Also, to know more regarding the above issue and its accepted solution, kindly refer to the community link below:
Why is email not returned with api connector when SSO with azure b2c?
Our SPA uses Azure B2C and MSAL (React) for user authentication. There are other requirements so we use custom policies instead of predefined user flows. But I struggle to implement Keep Me Signed In (KMSI) feature following these instructions.
I used custom policies from the starter pack: Phone_Email_Base.xml and SignUpOrSignInWithPhoneOrEmail.xml
Added <Item Key="setting.enableRememberMe">True</Item> entry to <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Phone-Email">
Updated relying party policy file with this:
<UserJourneyBehaviors>
<SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
<SessionExpiryType>Absolute</SessionExpiryType>
<SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
<ScriptExecution>Allow</ScriptExecution>
</UserJourneyBehaviors>
Set up MSAL instance in my index.tsx following this. Lib versions: "@azure/msal-browser": "^2.14.2", "@azure/msal-react": "^1.0.0"
Tried to obtain access token:
import { InteractionRequiredAuthError } from "@azure/msal-browser";

msalInstance
  .acquireTokenSilent(accessTokenRequest)
  .then((response) => {
    // use response.accessToken here
    ...
  })
  .catch((e) => {
    console.error(e);
    if (e instanceof InteractionRequiredAuthError) {
      // silent renewal is not possible; fall back to an interactive redirect
      msalInstance.acquireTokenRedirect(accessTokenRequest);
    }
  });
The problem is that MSAL cannot retrieve the access token silently after 24 hours from the user logging in (i.e. once the refresh token has expired) and requires the user to re-login.
To make sure that my application code is OK, I tried to use a predefined user flow (combined B2C_1_SignUpSignIn) with the KMSI feature enabled. In this case, my application is able to obtain the access token silently after 24 hours. So KMSI works perfectly with the user flow, but doesn't with the custom policy.
Crawled through docs and examples for days, but still can't find any clues what else needs to be done here. Any help would be appreciated.
When acquireTokenSilent() fails, MSAL will call ssoSilent(). This will launch a hidden iframe to try to get a token using cookie based SSO.
When this fails, a final error will come back. You must catch this error and call acquireTokenRedirect(). Now if your session setup for your technical profiles is setup properly, and a valid session cookie exists, you’ll get SSO.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-reference-sso
If you are actually seeing a prompt for user input, your session setup is not correct for that particular technical profile. This is the real reason why ssoSilent() failed.
Your problem is not KMSI. To prove it, remove KMSI config, sign in to your app, remove the MSAL objects from the LocalStorage, force a token renewal. You’ll reproduce the issue you described, even without KMSI, and just after a few minutes of logging in.
Well, eventually it turned out that this solution actually works. I'm still not sure why it failed during the first 24 hours after the custom policy was applied. So I was forced to re-login after the first 24 hours, but when the next 24 hours had passed, my application was able to get a new access token without the user providing credentials.
Looking for some help with custom policies on an Azure B2C tenant. I've followed the steps on this site https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp
I'm getting a SAML response but it's not valid, it seems. I've set up Application Insights and I see this message in the request: "Assertion not signed. Policy requires signed assertions"
My baseframework.xml file has this property set to false. Any other thoughts on why I'd be getting this error?
<Item Key="WantsEncryptedAssertions">false</Item>
There is a difference between signing and encryption.
You probably want "WantsSignedAssertions".
I'm testing Azure B2C with Salesforce as IdP, and the login process works fine from the Salesforce perspective (the Salesforce Identity Provider Event Log shows "success" for sign-on attempts), but the redirection back to my simple testing web application ends up on an error page such as
/redirect.html#error=server_error&error_description=AADB2C90037%3a+An+error+occurred+while+processing+the+request.+Please+contact+administrator+of+the+site+you+are+trying+to+access.%0d%0aCorrelation+ID%3a+f0292157-ffad-472d-8119-3cd05518654c%0d%0aTimestamp%3a+2018-02-13+15%3a01%3a54Z%0d%0a
Looking at Application Insights, I see error:
A claim could not be found for lookup claim with id "objectId" defined in
technical profile with id "AAD-UserReadUsingObjectId" policy
"B2C_1A_SignUpOrSignInUsingSalesforce" of tenant "xyz.onmicrosoft.com".
I've followed the tutorial here and double checked lots of things, but I'm not sure if this issue is due to an invalid UserJourney or ClaimsProvider/TechnicalProfile. Or is it just that I'm missing in Azure B2C the respective user that I have in Salesforce?
At least I don't see 'objectId' coming in the saml:Assertion:
<saml:Assertion xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_b0b0193ce1e861e13ec39f9a991cb3501518533690616" Version="2.0" IssueInstant="2018-02-13T14:54:50.616Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://XYZ.my.salesforce.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">jussi.palo@XYZ.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2018-02-13T14:59:50.616Z" Recipient="https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer" InResponseTo="_50a752dd-244c-4447-9ac9-6338e8bb692e" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-02-13T14:54:20.616Z" NotOnOrAfter="2018-02-13T14:59:50.616Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2018-02-13T14:54:50.616Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">0050N0000060rpy</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">jussi.palo@XYZ.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">jussi.palo@XYZ.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">false</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
For some reason, the User Journey Player isn't showing anything, so I've thus far been stuck with Application Insights.
Looks like it was confusion on what Starter Pack policy files should be used with the Salesforce instructions. Turned out using "SocialAndLocalAccounts" policy files as a basis did the trick, so my UserJourney was not right at first.
I will leave the question here for anyone else running into similar error messages.
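An added Python helper (not from any of the posts above) that serves both the signing-versus-encryption answer and this Salesforce thread: it parses a constructed assertion modelled on the one posted (placeholder values only), reports whether a ds:Signature child is present, lists the attribute names the IdP sent, and checks the NotOnOrAfter window, so "Assertion not signed" and "claim could not be found" can be triaged from the raw XML. Encrypted assertions arrive wrapped in saml:EncryptedAssertion instead; this helper does not decrypt, it only distinguishes the two controls.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed assertion modelled on the Salesforce one in the thread; values are
# placeholders. It is unsigned, which is what "Assertion not signed" refers to.
UNSIGNED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2018-02-13T14:54:50.616Z">
  <saml:Issuer>https://example.my.salesforce.com</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-02-13T14:54:20.616Z" NotOnOrAfter="2018-02-13T14:59:50.616Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://login.microsoftonline.com/te/example.onmicrosoft.com/B2C_1A_TrustFrameworkBase</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="userId"><saml:AttributeValue>0050N0000000000</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_instant(value: str) -> datetime:
    """SAML instants are UTC with a trailing Z; return a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def inspect_assertion(xml_text: str, now_utc: str) -> dict:
    """Summarise the parts of an assertion that B2C checks before mapping claims."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    not_after = parse_instant(cond.get("NotOnOrAfter"))
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "audience": root.findtext(".//saml:Audience", namespaces=NS),
        # A signed assertion carries ds:Signature as a direct child (after Issuer).
        # WantsEncryptedAssertions is a separate control and does not add this element.
        "signed": root.find("ds:Signature", NS) is not None,
        "attributes": [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)],
        "expired": parse_instant(now_utc) >= not_after,
    }


def missing_claims(report: dict, required: list) -> list:
    """Names a policy lookup expects that the IdP did not send in the assertion."""
    return [name for name in required if name not in report["attributes"]]
```

Run against the thread's assertion, the report shows no ds:Signature and no objectId attribute, which matches the two Application Insights messages quoted above.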