Azure AD API (REST or Library) to access Access or SAML token timeout - owin

I have implemented WSFed authentication mixed up with Cookie based authentication.
I want to set cookie expiration time to the SAML token timeout.
Is there any Azure AD API (REST or Configuration) I can use to access SAML token timeout? One way is to read it from configuration but looking out for more generic solution.
Thanks in advance for your help

AFAIK, there is no such Azure AD API we can use to read the lifetime for the token issued from Azure AD. Not sure which configuration you mean; normally the issuer will declare the lifetime in the token itself.
For example, for the lifetime of SAML token, we can read the saml:Conditions element like below:
<saml:Conditions
    NotBefore="2004-12-05T09:17:05"
    NotOnOrAfter="2004-12-05T09:27:05">
  <saml:AudienceRestriction>
    <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
For more about SAML, you can refer to the link below:
Single Sign-On SAML protocol
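As an added example (not code from either poster), this is how a service provider could turn the NotBefore/NotOnOrAfter values of the saml:Conditions element into a cookie lifetime, tolerating clock skew between IdP and SP for the validity check but never letting the cookie outlive the assertion. The assertion XML, the timestamps and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted input

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: only the lifetime-related parts are included.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime as SAML uses it; a missing zone designator is taken as UTC."""
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def cookie_lifetime(assertion_xml: str, now_iso: str, skew_seconds: int = 300):
    """Return (status, seconds): how long a session cookie may live so that it
    expires together with the assertion. status is 'valid', 'expired',
    'not_yet_valid' or 'no_conditions'; seconds is 0 unless status is 'valid'.
    skew_seconds only relaxes the validity window; the cookie is never
    extended past NotOnOrAfter."""
    now = parse_saml_time(now_iso)
    skew = timedelta(seconds=skew_seconds)
    cond = ET.fromstring(assertion_xml).find(".//saml:Conditions", SAML_NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        return "no_conditions", 0
    not_on_or_after = parse_saml_time(cond.attrib["NotOnOrAfter"])
    if "NotBefore" in cond.attrib and now + skew < parse_saml_time(cond.attrib["NotBefore"]):
        return "not_yet_valid", 0
    if now - skew >= not_on_or_after:
        return "expired", 0
    remaining = int((not_on_or_after - now).total_seconds())
    return "valid", max(remaining, 0)  # inside the skew window: still valid, but no cookie time left


if __name__ == "__main__":
    print(cookie_lifetime(SAMPLE_ASSERTION, "2004-12-05T09:20:05Z"))  # ('valid', 420)
```

In an OWIN cookie middleware the returned seconds would feed the ticket's ExpiresUtc; an assertion with no Conditions should be rejected rather than given a default lifetime.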

Related

AzureADB2C Client Credentials Grant with Client Assertion as Opposed to Static Secret

I have a requirement to provide API to our consumers. The intention is to secure the API using AzureAD B2C - Client Credential Grant flow.
I have created a custom policy on B2C tenant that provides the access token. Things work fine with the clientId and Secret authentication method.
I now want to secure the OAuth2 conversation further by allowing the client to use the signed client_assertion as opposed to static client secret using their protected key. I have uploaded the public portion of the key into the relevant app registration.
Unfortunately, consuming the /token endpoint with the signed client_assertion results in an error.
REQUEST
https://tenant.b2clogin.com/tenant.onmicrosoft.com/b2c_1a_demo_clientcredentialsflow/oauth2/v2.0/token
grant_type=client_credentials&scope=https%3A%2F%2Fapi%2F.default&client_id=d5339984-e6c7-457a-9ef9-21fb6e3e6c59&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJo
RESPONSE
HTTP/1.1 400 Bad Request
{"error":"invalid_request","error_description":"AADB2C99027: Policy 'B2C_1A_Demo_ClientCredentialsFlow' does not contain a AuthorizationTechnicalProfile with a corresponding ClientAssertionType.\r\nCorrelation ID: 5eb76fa5-c919-4877-a722-0d38408e18c6\r\nTimestamp: 2023-01-19 07:38:25Z\r\n"}
Can someone please tell me if B2C is intended to support client assertions? Metadata JSON on the policy returns only the following two authentication methods:
"token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic" ]
Is it possible to include private_key_jwt as a supported authentication method using custom policy configuration? Is it possible to configure the AuthorizationTechnicalProfile for the policy with a corresponding ClientAssertionType?
I hope that I have explained the problem well enough.
I have tried various strategies, including the use of the AAD token endpoint, login.microsoftonline.com with the B2C tenant Id. Using that endpoint, the custom policy on B2C is completely ignored, therefore generating a vanilla token with none of my curated claims.
TLDR: As of June 2022, Azure AD B2C does not support client assertions.
This issue on Github asks for documentation for error number AADB2C99027. In the course of the discussion, a member of the team states
Unfortunately, we decommissioned client_assertion flow because it didn't follow OIDC spec – So we shouldn't be documenting the error.
From that, I take that there are no plans to support client_assertion flow.

Revoke saml token

Can we revoke a SAML token in Azure AAD? I got to see the documentation on revoking refresh tokens, but I never saw any document for revoking SAML tokens. Is there any possibility to revoke a SAML token from Azure AAD?
There is no mechanism for revocation in Azure (or most SAML implementations). Each SAML token has a configurable lifetime defined by NotBefore and NotOnOrAfter. The default in AAD is a one-hour lifetime.
Azure also supports Single Sign-out.
These are the only mechanisms built into Azure. You might be able to get better controls with some of the APIs, but this is what you get out of the box.

Azure AD: The requested federation realm object does not exist

When I try to use a SamlAssertion in order to get an OAuth2 token which I could use for Graph API calls (following this link: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-saml-bearer-assertion) I get the following issue:
any idea what this is and how to fix it?
Thanks,
Mirko
The OAuth 2.0 SAML bearer assertion flow allows you to request an OAuth access token using a SAML assertion when a client needs to use an existing trust relationship.
A SAML assertion is an XML security token issued by an identity provider and consumed by a service provider.
It seems you are using the wrong token endpoint; it should be like this:
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Reference: Microsoft identity platform & SAML bearer assertion flow | Microsoft Docs
If the above one is still not working, you can try the below suggestion as well.
You cannot use this SAML response. After SSO you can use the Auth Code Grant to retrieve an access token. The key is the session cookie. When you are logging the user in with SAML you generate a session cookie. After that, when Graph API invokes an OAuth flow, you use the session cookie to authenticate. Actually, you need 2 apps in https://portal.azure.com/.
One enterprise app for SSO and one in App registrations for OAuth (Auth Code Grant).
Reference: AADSTS50107: Requested federation realm object 'https://sts.windows.net/xxxxxxxxxxxxxx' does not exist error is coming while calling the token api with assertion token · Issue #40210 · MicrosoftDocs/azure-docs · GitHub

Is the Azure Active Directory Access Token valid for ReAuthentication with a Custom WCF Policy?

I am retrieving an Azure AD access token using MSAL.js at the client and passing it as the Authorization header to a web API hosted in WCF API Management. But I get an error along with all the proper response, as well as my username and email:
Cannot validate access token. IDX10501: Signature validation failed.
Key tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey
The API is a WCF service configured with a custom policy binding for OAuth with the metadataEndpoint or even the v2 version https://login.microsoftonline.com/{tenantid}/.well-known/openid-configuration .
I guess the Azure AD Access token that I have is not meant for validating authentication again.
My guess is I might be missing permissions on the App registration, but I couldn't find an API permission for exactly authentication/authorization.
I believe with the new Azure AD we cannot authenticate in the earlier manner by just passing a token and need to use the MSAL standard libraries.
Could someone shed some more light on this.
I used an ID Token and then it worked. You get 2 tokens when authenticated so the ID token seems to work.

Can Azure B2C claims exchange be used for Access token?

I got the workaround to work to add claims to the token using a custom REST API; however, I realized this is the ID token and not the access token. I need the custom claims to be in the access token to use for authorization in the service.
I haven't inspected the Access token yet but are these claims also inserted into the Access token?
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw
Yes, custom claims come back when requesting access tokens. The only difference in the list of claims is the scp claim. The scp claim is only returned on access tokens.
Unfortunately, the Claims in ID and access tokens documentation doesn't discuss this.
You can quickly verify this via the Run Now feature in the Azure Portal. See this SO answer.
Sample access token w/ a custom claim
I am using custom claims in my Azure Active Directory B2C tenant where I registered two applications (UI and API). The UI passes the access_token to the API and I am able to retrieve the custom claims there. I guess this should be also true for custom claims using a custom REST API.
If not, it must be possible to set up:
... The return claims can be stored in the user's Azure AD account,
evaluated in the next Orchestration Steps, or included in the access
token
If your question is "Can I get the user's access token from the federating IdP such as Azure AD, facebook etc"? The answer currently is no. You can vote for this feature here.
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15334347-return-social-idp-s-native-access-tokens-back-to-t