Setting up a custom policy in Azure AD B2C to connect to a SAML Identity Provider. This requires a SAML metadata endpoint to get the SSO URL and other information.
As per Microsoft documentation the End point link is :
https://[my-tenant].b2clogin.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I tried this way but I am constantly getting the same error :
Unable to return metadata for the policy 'B2C_1A_TrustFrameworkExtention' in tenant 'Mytenant.onmicrosoft.com'.
Is this error due to some fault in my policies ?
Typo?
The usual name is:
TrustFrameworkExtensions
You have:
TrustFrameworkExtention
Related
I added and configured an OpenID Connect Identity Provider.
I set the return URL in the provider correctly.
I'm using the "Sign up and Sign in" user flow -- not a custom policy.
Running through the user flow, I ultimately get redirected to my application .../MicrosoftIdentity/Account/Error (or if I set return url to jwt.ms, I get the same error) with the page indicating the error
AADB2C90238: The provided token does not contain a valid issuer
How can I even see the issuer in the token? (It's all handled inside AD B2C service).
I can see what's listed in the provider's .../.well-known/openid-configuration endpoint. I guess that's what's not matching in the token. I've seen suggestions of using Application Insights Logs to view the token -- but, apparently, that can only be done with custom policies.
Is there another way to tell AD B2C not to validate the issuer? Or is another way to handle this issue?
I tried to reproduce the same in my environment.
Open Id configuration is like below:
Where the metadata url is https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
Authorization request looks like below:
https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_newSignupSignin&client_id=xxxxx5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
I received the same error :
With redirect uri: https://jwt.ms
Error: invalid_request
AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.
With redirect uri: https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/authresp
So here the redirect Uris are correct and need to correct the metadata url :
Created an OpenId provider with meta data url having tenantId instead of organizations .
https://login.microsoftonline.com/<tenantId>/v2.0/.well-known/openid-configuration
Run the user flow with this Identity provider
Could login successfully and get the access token with endpoint
Note: make sure it has the policy included:
I have p=B2C_1_newSignupSignin
https://kavyasarabojub2c.b2clogin.com/kavyasarabojub2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_newSignupSignin&client_id=1xxxxe2a5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
Here the issuer is of V2 endpoint "iss": "https://kavyasarabojub2c.b2clogin.com/<tenantId>/v2.0/"
Reference : Web sign in with OpenID Connect - Azure Active Directory B2C | Microsoft Learn
Edit:
I configured my local shibboleth IdP to proxy authentication to Azure AD but on redirect and getting an Azure error:
AADSTS7500522: XML element 'RequesterID' in XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol' in the SAML message must be a URI.
My service provider that is redirecting to Shibboleth > AzureAD uses an entity ID that is just a name and not a URL which is what shows up in my saml trace back to Azure.
<saml2p:Scoping>
<saml2p:RequesterID>EntityIDShortName</saml2p:RequesterID>
</saml2p:Scoping>
Is there a way to turn off this validation in Azure or transform / not include the requester id from shibboleth to Azure AD?
I used this document to do the configuration:
https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1467056889/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD
Thanks
Nick
FYI, just changing the entity I’d in my test provider addresses this issue.
I have successfully configured an external identity provider using Azure AD B2C Custom policy. The authorize endpoint is passed correct acr_values too. As I launch the authorize endpoint, I am taken to the login screen from identity provider. As soon as I enter my credentials and hit 'Login',I expect the authentication response to be redirected to my B2C /auth/resp URL (https://<>.b2clogin.com/<>.onmicrosoft.com/oauth2/authresp), configured with the identity provider.
However, I end up getting an exception as below -
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: ef54294f-2a9d-4e18-bc03-511bcc713cde
Timestamp: 2022-10-10 04:04:09Z
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: 42dc0316-16d5-4f5b-9552-6cc4d2f3e233
Timestamp: 2022-10-10 09:38:51Z
I have also tried verifying the client_id and client_secret being used and that seems to be fine. Moreover, logs on the identity provider side mention that the request was successful.
Awaiting quick responses, as this blocks my application completely.
Application Insights details -
Exception Message:An internal error has occurred., CorrelationID:145303ec-b8e8-4fc1-bd5d-6649bd1fb77f
I tried to reproduce the same in my environment:
This error , AADB2C90289: We encountered an error “” connecting to the identity provider. Please try again later. occurred ,
when I haven’t given the clientSecret of the app correctly in the azure ad b2c.
I kept it to generate.
Later I manually changed the policy keys and gave the application client secret in the key value.
In your external Identity provider technical profile, make sure to -provide the clientId of that particular Identity provider
Ex:
<TechnicalProfile Id="Facebook-OAUTH">
<Metadata>
<!Below replace clientId with the externalIdentity provider App/ClientId "-->
<Item Key="client_id">XXX0000XXX</Item>
....
we are trying to implement ROPC flow in Azure AD B2C.
I have gone through the B2C Advanced policies and the instructions provided as per below links to configure with B2C Custom Policies and facing some issues.
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/source/aadb2c-ief-ropc
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/B2CROPC/yourtenant.onmicrosoft.com_B2C_1A_ResourceOwnerv2%20SINGLE%20FILE%20-%20Copy.xml
Though we have provided correct username and password, we are getting
{
"error": "access_denied",
"error_description": "AADB2C90225: The username or password provided in the request are invalid.\r\nCorrelation ID:
8c15d7ab-ba5b-4baf-be5a-8bfdb9939164\r\nTimestamp: 2019-01-23
06:18:19Z\r\n" }
I could resolve this problem. In my case, I followed this link:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/ropc-custom
But had the same error message.
In step 4 I had to add values for "client_id" and "resource_id". I used the values that I had in another profile ("login-NonInteractive").
And the flow worked successfully.
Have you registered your ProxyIdentityExperienceFramework application as Native?
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
Registering the ProxyIdentityExperienceFramework application as WebApp/WebAPI might result in this error.
Setting up a custom policy in Azure AD B2C to connect to an ADFS Identity Provider. This requires a SAML metadata endpoint as specified in the documentation at the link below.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp#configure-an-adfs-relying-party-trust
The error being encountered is:
AADB2C90022: Unable to return metadata for the policy [my-policy] in tenant [my-tenant].onmicrosoft.com.
and is being encountered when I go to the endpoint:
https://login.microsoftonline.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I have tried making the request from the b2clogin.com endpoint with the same result as above.
E.g. https://[my-tenant].b2clogin.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I have also tried using my tenantId GUID in place of [my-tenant].onmicrosoft.com which resulted in the exact same result.
E.g. https://login.microsoftonline.com/te/[my-tenant-id]/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
Re-visit the process by which you created the certificate, uploaded it to your 'Policy Keys' and referenced it in your custom policy files.
My scenario was similar, I had the same error and no output via Application Insights / Journey Recorder.
I had tried to avoid using 'makecert.exe' and instead used another SSC generation tool. This simply did not work, I think because the private key was not being incorporated in the certificate file.
This guide has been invaluable, see also this test facility