We have written a custom claims provider for ADFS. It's all working fine: you enter your username and credentials in our login page, and it authenticates you to ADFS. There's just one annoying omission: if you come from Office 365 portal and enter your email address, you get redirected to ADFS, then to our login page... but without the email address. You have to re-enter it before you can login.
I can't see anyway to request that ADFS forwards the email address as part of the SAML request, or to check if there is already an email address associated with the SAML request.
Regards
Robin Withey
I think you need to look into the UID and Mail attributes of the SAML response...
<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">test#example.com</saml:AttributeValue>
</saml:Attribute>
Related
I configured a custom b2c policy for the sign-up/sign-in flow that uses SAML for token exchange.
I would like to understand how to control the token lifetime (SAML) and session duration.
The session duration should be 4 hours, to prevent the user from continuing to re-enter credentials I would like to be able to configure an idle timeout so that the session is disconnected if there is no interaction.
Also I would like if the user closes the browser without logging out, when reopened it will prompt for credentials
Is all of this possible? At the moment I'm not using offline_access scope on app registration.
offline_access scope app registration not enabled
At the moment I have only tried putting this in my RP file:
<RelyingParty>
<DefaultUserJourney ReferenceId="SignUpOrSignInMFAOption" />
<UserJourneyBehaviors>
<SingleSignOn Scope="Application" />
<SessionExpiryType>Rolling</SessionExpiryType>
<SessionExpiryInSeconds>900</SessionExpiryInSeconds>
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="SAML2" />
PFB answers to your ask as follows:
Control the token lifetime (SAML) and session duration
To define a session duration for SAML you could use "TokenLifeTimeInSeconds" in Saml2AssertionIssuer technical profile metadata.
As per https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-issuer-technical-profile#metadata TokenLifeTimeInSeconds specifies the life of the SAML Assertion. This value is in seconds from the NotBefore value referenced above. The default value is 300 seconds (5 Min).
I would like if the user closed the browser without logging out, when reopened it will prompt for credentials
This could be achieved for local accounts only by removing /excluding Keep me signed in (KMSI) claim, when you enable the feature, users can opt to stay signed in, so the session remains active after they close the browser. The reference sample could be found https://github.com/azure-ad-b2c/unit-tests/blob/main/session/Session_KeepAliveInDays.xml
Also, the SAML IDP metadata should have ForceAuthN set to true
Passes the ForceAuthN value in the SAML authentication request to determine if the external SAML IDP will be forced to prompt the user for authentication. By default, Azure AD B2C sets the ForceAuthN value to false on initial login. If the session is then reset (for example by using the prompt=login in OIDC) then the ForceAuthN value will be set to true. Setting the metadata item as shown below will force the value for all requests to the external IDP. Possible values: true or false. Ref: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-identity-provider-technical-profile#metadata
Please do let me know if you have any further queries for me in the comments section.
Thanks
I have working SAML 2.0 in my dev account https://espatialzdenek-dev.onelogin.com
I am able to login through onelogin.
Only problem I have is that I can't change / I don't know how to change attribute names in the login request from IDP to SP.
in the assertion saml response I get in section
<saml:AttributeStatement>
for example this element
<saml:AttributeStatement>
<saml:Attribute Name="User.FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">z2</saml:AttributeValue>
</saml:Attribute>
but I need there
<saml:AttributeStatement>
<saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">z2</saml:AttributeValue>
</saml:Attribute>
I need make this change at least for first name , last name and user assigned security groups.
Is there way to do this in oneLogin SAML IDP setup?
Add App -> SAML Test.....
That will give you a custom application with all options available to you. Create custom claims to your hearts content.
I'm trying to force a re-authentication using SAML and Onelogin as the IDP, and the onelogin java lib for the SP.
For certain functions I would like to trigger a re-authentication, before the user can proceed.
First time user logs in to my application he must enter his credentials. After that he is logged in. But when I try to send an AuthnRequest, the user is immediately redirected back to my application without having to enter his credentials again.
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_xxx" Version="2.0" IssueInstant="2019-11-07T12:31:09Z" ForceAuthn="true" Destination="https://myapp.onelogin.com/client/apps/select/xxx" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://local.my.app:8443">
<saml:Issuer>local.my.app</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
How can I force the user to re-enter his credentials again?
Try including ForceAuthn="true" in the SAML request.
I’m currently trying to follow the guide here to setup our AADB2C IDProvider as a RP to Salesforce using Saml2.
Although the initial few steps are ok…
The new salesforce button is displayed in the login page.
When pressed leads me to the salesforce login page
I can login into salesforce.
The issue occurs when I am redirected back to AADB2C:
https://login.microsoftonline.com/te/{tenantname}.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/as
results in a 404 File or resource not found.
Do you know if this is the correct url to redirect back to AADB2C?
I’ve tried to use App Insights analytics (trace) but cannot find any issue in there (I believe because the issue is not logged as the resource not found)
On the bigger picture, my base custom policy is setup for openid, but this salesforce policy is setup to follow a user journey that consumes saml2 … how does that work for it to be able to understand both protocols?
If I change setup on the RP policy from openid to saml2
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="SAML2" />
I can then access to saml metadata on that policy, but I lose capability of testing it up using Azure dashboard. Is there a way I can test it then?
Any help will be appreciated.
Yes, you need to set up the certificate in aadb2c. Also, you need to ensure that the Reply URL and Redirect URIs are matching, and the App ID matches the Client ID.
When I am login with user's credential, first time no error while login to application,
but when I logoff and again login with other user's credential got an error
The provided anti-forgery token was meant for user "UserName", but the current user is "".
I am implementing AntiForgoryToken and IPrincipal with asp.net mvc 5
I tried :
AntiForgeryConfig.SuppressIdentityHeuristicChecks = true; in Application_Start()
I already refered this link When attempt logoff, The provided anti-forgery token was meant for user "XXXX", but the current user is ""
How can I fix this error ?
Thanks in advance.
I found my IIS instance had both Anonymous and Windows authentication enabled which was causing this exception for my application
Authentication Settings both enabled
This setting seems to be the cause of this exception. It seems that the ValidateAntiForgeryToken action filter was using the current user populated with an empty string in the Anon authentication and then attempting to match it against the token which was populated using Win authentication.
By turning off either Windows or Anonymous authentication (for my application I switched off Anon authentication,) the tokens now match up.
Authentication Settings one enabled
This setting can be altered in IIS manager or in the web.config file like so
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
You don't really need to check for the antiforgery token on the post method of your login.
Antiforgery tokens provide protection from CSRF attacks. A CSRF attack happens when a malicious script/link posts an HTTP request on your behalf without your knowledge or consent. When an antiforgery token is embedded on your page, the server can check for this token when it receives the request to verify that the request indeed came from the page. A request from a malicious script or link will not have the token and will fail.
So, all other post actions that you want to protect should be decorated them with the [Authorize] and [ValidateAntiForgeryToken] attributes. The login post method, however, doesn't need either of these attributes.
Update: It is really needed. See answer in Stephen Muecke's comment.