I have created a policy that internally uses an identity provider. On clicking Run now, I see the error below:
http://localhost:3000/#error=server_error&error_description=AADB2C%3a+An+exception+has+occurred.%0d%0aCorrelation+ID%3a+84fa6f8d-6aac-4588-9d26-fd987c31ebc0%0d%0aTimestamp%3a+2018-10-13+05%3a26%3a26Z%0d%0a
I am using an inbuilt policy. The policy uses an identity provider that connects to another Azure AD. The reply URLs on the AD's application are set the same.
What could be the issue here?
Thanks!
The error http://localhost:3000 means you have already successfully signed in to your app; it just redirects to your app's reply URL. Because you didn't run localhost:3000, the return prompts "This site can’t be reached".
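The reply URL quoted in the question carries its diagnostic fields in the URL fragment. The following is an added example, not part of the original posts, that decodes such a fragment into the error, the AAD error codes, the correlation ID and the timestamp; the function name `parseAuthErrorFragment` is hypothetical.

```javascript
// Added example (not from the original posts): decode the OAuth error that
// Azure AD / Azure AD B2C places in the fragment of the reply URL.
function parseAuthErrorFragment(redirectUrl) {
  const hashIndex = redirectUrl.indexOf('#');
  if (hashIndex === -1) return null; // no fragment at all
  // URLSearchParams turns '+' into spaces and %0d%0a into CR LF.
  const params = new URLSearchParams(redirectUrl.slice(hashIndex + 1));
  if (!params.has('error')) return null; // fragment carries no error
  const description = params.get('error_description') || '';
  const lines = description.split(/\r?\n/).map((s) => s.trim()).filter(Boolean);
  const result = {
    error: params.get('error'),
    // Every AADB2C... / AADSTS... code mentioned in the description.
    codes: description.match(/\bAAD(?:B2C|STS)\d*/g) || [],
    message: null,
    correlationId: null,
    timestamp: null,
  };
  for (const line of lines) {
    const field = /^(Correlation ID|Timestamp):\s*(.+)$/i.exec(line);
    if (!field) {
      // First free-text line is the human-readable message.
      if (result.message === null) result.message = line;
    } else if (field[1].toLowerCase() === 'timestamp') {
      result.timestamp = field[2];
    } else {
      result.correlationId = field[2];
    }
  }
  return result;
}

// The reply URL quoted in the question above.
const QUESTION_URL =
  'http://localhost:3000/#error=server_error&error_description=AADB2C%3a+An+exception+has+occurred.%0d%0aCorrelation+ID%3a+84fa6f8d-6aac-4588-9d26-fd987c31ebc0%0d%0aTimestamp%3a+2018-10-13+05%3a26%3a26Z%0d%0a';

console.log(parseAuthErrorFragment(QUESTION_URL));
```

The correlation ID and timestamp are the values to look up in the tenant's sign-in logs or to hand to support.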
Related
I configured a new Azure AD B2C Tenant for testing purposes. I am trying to follow the example to use Azure AD B2C with Android.
https://github.com/Azure-Samples/active-directory-b2c-android-native-appauth
Besides the B2C tenant, I have already created a User Flow for the login.
During the authentication flow the app wants to read the "well known openid configuration" for my User Flow
https://login.microsoftonline.com/geomobilestage.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_login_signin
but the URL returns a 404 error. But when I try the following URL to read the configuration I receive http status 200
https://geomobilestage.b2clogin.com/geomobilestage.onmicrosoft.com/B2C_1_login_signin/v2.0/.well-known/openid-configuration
The URLs are public so everyone can try to call them in the browser to see the result.
So the configuration itself exists and seems to be OK. I already have another Azure AD B2C tenant, and when I try to call the first URL for this tenant everything is fine. It seems that I am missing some configuration in the Azure portal, but I really have no idea what I am missing or even where to look.
Regards
Michael
For Azure AD, see here:
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
For Azure AD B2C, see here:
https://{domain-name}.b2clogin.com/{domain-name}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
The key thing here is to realize that the b2c config endpoint has a reference to a policy in it, otherwise it’s likely AAD.
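The two URL shapes in this answer, and the `?p=` form from the question, can be told apart mechanically. The following is an added example, not part of the original posts, that classifies a discovery URL and rewrites the `?p=` form into the b2clogin.com form; the function name `describeDiscoveryUrl` and the `kind` labels are hypothetical, and the rewrite assumes the tenant is given as `{domain-name}.onmicrosoft.com`.

```javascript
// Added example (not from the original posts): classify an OpenID Connect
// discovery URL as Azure AD or Azure AD B2C, using the shapes shown above.
const DISCOVERY_SUFFIX = '/v2.0/.well-known/openid-configuration';

function describeDiscoveryUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { kind: 'unknown' };
  }
  if (url.protocol !== 'https:' || !url.pathname.endsWith(DISCOVERY_SUFFIX)) {
    return { kind: 'unknown' };
  }
  // Path segments in front of /v2.0/.well-known/openid-configuration.
  const segs = url.pathname.slice(0, -DISCOVERY_SUFFIX.length).split('/').filter(Boolean);
  const host = url.hostname.toLowerCase();

  // https://{domain-name}.b2clogin.com/{tenant}/{policy}/v2.0/...
  if (host.endsWith('.b2clogin.com') && segs.length === 2) {
    return { kind: 'b2c', tenant: segs[0], policy: segs[1], b2cloginUrl: raw };
  }
  if (host === 'login.microsoftonline.com' && segs.length === 1) {
    const policy = url.searchParams.get('p');
    if (!policy) {
      // https://login.microsoftonline.com/{tenant}/v2.0/... is plain Azure AD.
      return { kind: 'aad', tenant: segs[0], policy: null, b2cloginUrl: null };
    }
    // The ?p={policy} form from the question: a B2C policy on the AAD host.
    // Assumption: the domain name can only be derived from a
    // {domain-name}.onmicrosoft.com tenant, not from a tenant GUID.
    const m = /^([a-z0-9-]+)\.onmicrosoft\.com$/i.exec(segs[0]);
    const b2cloginUrl = m
      ? `https://${m[1]}.b2clogin.com/${segs[0]}/${policy}${DISCOVERY_SUFFIX}`
      : null;
    return { kind: 'b2c-query-form', tenant: segs[0], policy, b2cloginUrl };
  }
  return { kind: 'unknown' };
}

// The 404 URL from the question above.
console.log(describeDiscoveryUrl(
  'https://login.microsoftonline.com/geomobilestage.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_login_signin'
));
```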
We need to configure Okta as the IdP for Azure AD applications. For example: when a user tries to access the enterprise application, they'll be challenged with a login page, which will be validated by Okta. After this authentication, the authorization will be handled by Azure, and upon successful authorization the user will be shown a landing page of the application.
We have used the links below as a reference for the setup:
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp
https://developer.okta.com/docs/guides/custom-url-domain/overview/
What we did so far?
Registered company "example.com" in okta. By default okta configures it as "example.okta.com"
Registered custom domain "id.example.com". Our okta instance is accessible using this domain
Created an enterprise SAML app (which also exist in Azure AD) in OKTA
Exported OKTA IDP metadata
Now we are trying to import this IDP metadata as an external identity provider in AAD. But it fails with the errors below if we map example.com or id.example.com as the domain name of the federating IdP. Because of these errors we’re unable to set up the custom domain of the federated IDP (OKTA). Please assist us with the approach for this.
Error Messages:
For domain as "id.example.com"
Failed to add a SAML/WS-Fed identity provider.This direct federation policy does not pass one or more requirements. Go to aka.ms/b2b-direct-fed to learn more.
For domain as "example.okta.com"
Failed to add a SAML/WS-Fed identity provider.This direct federation configuration is currently not supported. The authentication URL must match the domain for direct federation or be one of the allowed domains. Go to aka.ms/b2b-direct-fed to learn more.
You need to go through the Azure AD federation compatibility list to learn about how to federate an Azure AD tenant with a 3rd party IDP like Okta and others.
#Kalyan Krishna
Hi,
Thanks for the reply. We have already gone through the documentation. OKTA is listed as one of the supported 3rd party federated IDPs that Azure supports. We referenced the MS docs and tried to configure it, but we observed that Azure AD doesn't support external IDP (OKTA) configuration with a custom domain. It throws the error mentioned in the above post. So, we tried to configure the federated domain as ".okta.com" (including other IDP metadata details). It worked then, and for authentication AZ AD is getting redirected to OKTA. The SP authentication flow works fine when the myapps URL is appended with the tenant ID, but while testing IDP initiated SSO it fails.
IDP initiated SSO fails with OKTA as an IDP in Azure
We have configured OKTA as an IDP in Azure AD. While testing the IDP (OKTA) authentication flow, it throws an error.
Configured Okta & Azure AD using the Microsoft link below as a reference.
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
What we did so far?
Registered company "example.com" in OKTA.
Created a custom SAML app in OKTA to export the OKTA IDP metadata
Configured the app SSO settings as above reference link
Imported OKTA metadata as external IDP in AzureAD
Followed the steps below to test the IDP authentication flow:
Logged in with the existing user in OKTA
After successful authentication, the user is redirected to the dashboard page
Here, when we click on the custom app chiclet, instead of getting redirected to the Microsoft apps portal, it throws the error below:
AADSTS50107: The requested federation realm object 'http://www.okta.com/xxxxxxxxxxxxxxxxxxxx' does not exist.
I think direct federation doesn't support IdP-initiated login; you need to log in using the tenant context.
Have you seen that note in the link you pasted?
Direct federation guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid= or https://portal.azure.com/, or in the case of a verified domain, https://myapps.microsoft.com/\.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Direct federation users are currently unable to sign in using common endpoints that have no tenant context. For example, using https://myapps.microsoft.com, https://portal.azure.com, or https://teams.microsoft.com will result in an error.
I've been working on a multi-tenant web application that uses Azure AD authentication, and authentication will intermittently fail with the error message: "AADSTS70002: Error validating credentials. AADSTS50012: Authentication failed." To be more clear, the steps I go through are:
Go to my web app, and click on link to go to Azure AD authentication
Enter valid user credentials for Azure
If this is the first time using my web app, Azure asks the user to grant permissions to their Azure AD information
After accepting the permissions, Azure redirects to the reply URL that I've set up in Azure AD for my application, but it replies with the aforementioned error in the URL string
The application itself is a Node.js web app that uses the Passport module for Azure AD authentication, although I don't think Passport is the source of the problem because the error I get is passed by Azure to the web application's reply URL.
I haven't had luck identifying the source, but I have seen posts from people with similar issues. I have a number of AD accounts that I use both personally and for work, and it seems that there is some remnant left in the browser's cache or local storage that causes this issue because I can switch to another browser or into incognito mode and the problem resolves itself.
I'd like to identify whether this is a problem with Azure itself, the way my application handles authentication, or the way my work/third-party applications implement AD authentication.
I tried to reproduce this issue using the code sample here in Chrome, but failed.
Based on the same issue link you mentioned, I noticed that the endpoint he/she was using was incorrect. To develop the multi-tenant app, we need to replace the specific endpoint with common, like below:
https://login.microsoftonline.com/common/
Were you using the specific endpoint? If not, would you mind sharing a code sample to help us to reproduce this issue?
I configured Azure AD as an identity provider for my organization's application, as specified in the blog post below:
Bring your own app with Azure AD Self-Service SAML configuration
I created an application under Active Directory and configured single sign-on (SAML2) for it as below:
SIGN ON URL
https://abc.xxxx.com/myapp/saml/ssoRequest?ticket=kcflmlmnpgg
ISSUER URL
https://abc.xxxx.com
REPLY URL
https://abc.xxxx.com/myapp/ssoResponse
Whenever I try to access the application, it redirects the request to the Azure login. But I am getting a bad request error and it shows the message below:
AADSTS50003: No signing key is configured.
Whenever I try to access my application, it redirects me to the Azure login page. It asks me to log in if I am not already logged in, and after login the above error is thrown. If I am already logged in, the error is shown directly.
Am I missing something in the configuration?
The request was not signed. After signing the request, it started working.