Looking for some help with custom policies on Azure B2C tentant. I've followed the steps on this site https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp
I'm getting a SAML response but its not valid it seems. I've setup application insights and I see this message in the request "Assertion not signed. Policy requires signed assertions"
My baseframework.xml file has this property set to false. Any other thoughts why I'd be getting this error?
<Item Key="WantsEncryptedAssertions">false</Item>
There is a difference between signing and encryption.
You probably want "WantsSignedAssertions".
Related
I am trying to login to the Azure Portal. My Azure AD account is associated with 2 tenants - my regular 0365 tenant and I also have an Azure AD B2C tenant as well. When I access the Azure Portal in Edge, I get shown the following screen:
If I click on Next, I get taken back to the same screen as above. If I click on Skip for now, I get the following error screen:
Any ideas?
If it is SAML Request ,the query string size must have exceeded ,which should not increase over the limit of 4096 bytes.
Try using fiddler trace to check saml query string size and for it to
be not included ,please make sure that the SAML Request is not
signed.The signature element is optional in the request and Azure AD does not support /validate signed authentication requests according
to Signature - | Microsoft
Docs
In Azure AD B2C , to disable the SAML request signature, set the
WantsSignedRequests to false so that the Signature parameters
(query string or post parameter) are omitted from the request.
To remove signature from SAML request in aadb2c
<Metadata>
...
<Item Key="WantsSignedRequests">false</Item>
...
</Metadata>
In other cases such as oauth2 check the query parameter like
state parameter and get it addressed with the particular application
vendor or support team.
Also check AADSTS90015 while doing ADFS - Stack Overflow
Hi I am trying to validate the users password with onprem-api.
Below is my trusted-framework base policy code.
The famework file will be avilable from the following Github link.
https://github.com/azure-ad-b2c/user-migration/issues/30
I am getting below error while executing the above policy
"Unable to validate the information provided."
Can you please help me what i am missing here.
Thanks,
Shiva
Please check below points:
Unable to validate the information provided
This issue may occur if we put the wrong IDs or values in the extensions policy for the Identity Experience Framework and Proxy Identity Experience Frame work applications or if the extension property itself not registered successfully.
Please check if custom attribute for the B2C or extension attribute is properly registered ,So that that property is used in technical profile to be validated. Define custom attributes in Azure Active Directory B2C | Microsoft Docs
Please make sure the metadata details are all correct.To enable custom attributes in your policy,we need to provide Application ID and Application Object ID before using extension property in the AAD-Common technical profile metadata. modify-your-custom-policy as such.
<Metadata>
<Item Key="ApplicationObjectId"> objectId here</Item>
<Item Key="ClientId"> appId here</Item>
</Metadata>
Also please check if,datatype of custom attribute mentioned is correct and the received claim matches the data type .See b2c-custom-policy-starterpack/issues
References:
c# -"Unable to validate the information provided"DNA integration - Stack Overflow
azure ad B2C force password reset. Unable to validate the information provided · Issue GitHub
I am involved in a project to build a new Azure AD B2C IDP and need to support some legacy Saml2 SPs. These login requests include a RequestedAuthnContext element and require PasswordProtectedTransport, however the Saml response from B2C has an AuthnContextClassRef of unspecified in the assertion and therefore is being rejected by the SP. So far I have been unable to find any information on how to set this from within a custom policy. Is anyone able to confirm whether or not this is actually possible and if so what is involved?
• Yes, you can configure the ‘AuthContext.xml’ or the ‘LoginHandler.xml’ file for the SAML response on the IdP side (Azure AD B2C if it is) with the authentication methods to be responded to the service provider (SP) with SAML 2.0 protocol. The authentication method set in the assertion for ‘RequestedAuthnContext’ should be as the following example SAML request: -
‘ <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7171b0b2-19f2-4ba2-
8f94-24b5e56b7f1e" IssueInstant="2014-01-30T16:18:35Z" Version="2.0"
AssertionConsumerServiceIndex="0" >
<saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-
format:persistent"/>
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest> ‘
• Also, the ‘AuthnContextClassref’ of ‘unspecified’ as received by you in the SAML response implies that any authentication method that the service provider chooses can be used for authentication. Thus, the IdP responds with ‘PasswordProtectedtransport’ as the preferred choice of token issuing method and indirectly states that the preferred method authentication is not specified in the SAML request.
Please find the below link for reference on the ‘RequestedAuthnContext’ parameter: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol#requestauthncontext
When trying to upload the SignUp_SignIn policy, in the policy validation process, the following error arose:
Tried to add the following attribute in TrustFrameworkExtensions, but i kept getting the same error.
You need to explicitly allow insecure auth for your rest api technical profile.
Example
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-api-connector?pivots=b2c-custom-policy#add-the-restful-api-technical-profile
Add this item to the metadata section of your rest api technical profile.
<Item Key="AllowInsecureAuthInProduction">true</Item>
Setting up a custom policy in Azure AD B2C to connect to an ADFS Identity Provider. This requires a SAML metadata endpoint as specified in the documentation at the link below.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp#configure-an-adfs-relying-party-trust
The error being encountered is:
AADB2C90022: Unable to return metadata for the policy [my-policy] in tenant [my-tenant].onmicrosoft.com.
and is being encountered when I go to the endpoint:
https://login.microsoftonline.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I have tried making the request from the b2clogin.com endpoint with the same result as above.
E.g. https://[my-tenant].b2clogin.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I have also tried using my tenantId GUID in place of [my-tenant].onmicrosoft.com which resulted in the exact same result.
E.g. https://login.microsoftonline.com/te/[my-tenant-id]/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
Re-visit the process by which you created the certificate, uploaded it to your 'Policy Keys' and referenced it in your custom policy files.
My scenario was similar, I had the same error and no output via Application Insights / Journey Recorder.
I had tried to avoid using 'makecert.exe' and instead used another SSC generation tool. This simply did not work, I think because the private key was not being incorporated in the certificate file.
This guide has been invaluable, see also this test facility