I configured Azure AD as an identity provider for my organization's application
as specified in the blog below:
Bring your own app with Azure AD Self-Service SAML configuration
I created an application under Active Directory and configured single sign-on (SAML2) for it as below:
SIGN ON URL
https://abc.xxxx.com/myapp/saml/ssoRequest?ticket=kcflmlmnpgg
ISSUER URL
https://abc.xxxx.com
REPLY URL
https://abc.xxxx.com/myapp/ssoResponse
Whenever I try to access the application, it redirects the request to the Azure login. But I am getting a bad request error and it shows the message below:
AADSTS50003: No signing key is configured.
Whenever I try to access my application, it redirects me to the Azure login page. It asks me to log in if I am not already logged in, and after login the above error is thrown. If I am already logged in, the error is shown directly.
Am I missing something in the configuration?
The request was not signed. After signing the request it started working.
Issue summary:
msal.logout() appears to log the user out, but after "logging out" the user can click "login" and be logged in again without being required to enter their username and password.
This is a serious security issue for users who log in to our application on a public computer, then log out thinking that they have prevented someone from accessing their account.
Frontend is using Angular-msal 1.0.0 (Angular-oauth2-oidc has the same issue, so I think it's not the problem of js library).
Azure AD B2C built-in user flows and XML custom policies both have this logout issue when logging in with a federated AAD tenant user.
Any help would be appreciated.
Thanks.
The MSAL library provides a logout method that clears the cache in browser storage and sends a sign-out request to Azure Active Directory (Azure AD). The request is made against the end_session_endpoint URL obtained from the B2C policy metadata. Keep in mind that single sign-out is supported only by custom policies and that it is scoped to the same browser, not the device.
Just in case you are still facing any issue, an idea would be to redirect using &prompt=login in your auth URL, which will require a fresh login for your request without reusing the existing user session.
I am following the instructions provided by Microsoft to set up Postman for testing an Azure AD B2C secured Web API:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi?view=aspnetcore-3.0
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=applications#register-a-web-application
Under the section Use Postman to get a token and test the API, I get to Step 4 where the documentation states:
Postman opens a new window containing the Azure AD B2C tenant's
sign-in dialog. Sign in with an existing account (if one was created
testing the policies) or select Sign up now to create a new account.
The Forgot your password? link is used to reset a forgotten password.
This does not happen.
I am using the Implicit Grant Type and my Auth URL appears as follows:
https://<myDomain>.b2clogin.com/<myDomain>.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_SIGNUP_SIGNIN&client_id=d4d84f32-1e57-4daf-b010-399bb2614e0d&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
Scope is set to the following value:
https://<myDomain>.onmicrosoft.com/postman/user_impersonation openid offline_access
When I press the Postman Request Token button, the SignIn / SignUp User Flow (Policy) is interrupted with the following Error dialog stating:
Sorry, but we're having trouble signing you in. We track these errors
automatically, but if the problem persists feel free to contact us. In
the meantime, please try again.
Correlation ID: c1b01e2d-84ce-446e-a9c2-f3a8617eb9f2
Timestamp: 2019-11-21 20:03:31Z
AADB2C90018: The client id 'd4d84f32-1e57-4daf-b010-399bb2614e0d,d4d84f32-1e57-4daf-b010-399bb2614e0d' specified in the request is not registered in tenant '<myDomain>.onmicrosoft.com'.
Taking this "client ID is not registered" error at face value, the problem would appear to be related to improper registration of the Application (Client) within Azure AD B2C.
However, I am able to successfully run this SignIn / SignUp User Flow from within Azure AD B2C; and to successfully register new Users using that Policy.
To be clear, my ASP.Net Core Web API is not being run at this stage. I am simply trying to configure Postman to request a New Access Token from Azure AD B2C.
I have tested the document you provided and it works fine for me.
Based on your error message, it seems that you put your client id twice in the Client ID.
AADB2C90018: The client id
'd4d84f32-1e57-4daf-b010-399bb2614e0d,d4d84f32-1e57-4daf-b010-399bb2614e0d'
specified in the request is not registered in tenant
'.onmicrosoft.com'.
Please check it.
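The AADB2C90018 error above came from a client id that was submitted twice, joined with a comma. As an added example (not part of the original question or answer), the Python below runs a defender-side pre-flight check over an authorize URL of the shape shown above, flagging a comma-joined or repeated client_id, a non-GUID client_id and an id_token request without a nonce; it also decodes the `#error=...` fragment that B2C appends to a reply URL (the form seen in the next question). The tenant name `mytenant` is a placeholder; the client id and the correlation id are the ones quoted on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs, parse_qsl

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Constructed samples: 'mytenant' is a placeholder tenant; the ids are the ones quoted above.
AUTHORIZE_URL = ("https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/authorize"
                 "?p=B2C_1_SIGNUP_SIGNIN&client_id=d4d84f32-1e57-4daf-b010-399bb2614e0d"
                 "&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid"
                 "&response_type=id_token&prompt=login")
ERROR_REDIRECT = ("http://localhost:3000/#error=server_error&error_description=AADB2C%3a+An"
                  "+exception+has+occurred.%0d%0aCorrelation+ID%3a+84fa6f8d-6aac-4588-9d26-"
                  "fd987c31ebc0%0d%0aTimestamp%3a+2018-10-13+05%3a26%3a26Z%0d%0a")


def check_authorize_url(url):
    """Return a list of problems found in an OAuth2/OIDC authorize URL (empty list = OK)."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("authorize endpoint must use https")
    params = parse_qs(parts.query, keep_blank_values=True)  # keep 'client_id=' so it is reported
    for key in ("client_id", "redirect_uri", "response_type", "scope"):
        if key not in params:
            problems.append(f"missing {key}")
    for key, values in params.items():
        if len(values) > 1:  # same parameter sent twice, e.g. client_id=a&client_id=b
            problems.append(f"{key} repeated {len(values)} times")
    # A tool that joins several entries into one field sends 'id1,id2'; B2C answers AADB2C90018.
    client_ids = params.get("client_id", [""])[0].split(",")
    if len(client_ids) > 1:
        problems.append(f"client_id holds {len(client_ids)} comma-joined values")
    elif not GUID_RE.match(client_ids[0]):
        problems.append("client_id is not a GUID")
    if "id_token" in params.get("response_type", [""])[0].split() and "nonce" not in params:
        problems.append("id_token requested without a nonce (replay protection)")
    return problems


def parse_error_redirect(url):
    """Decode the '#error=...&error_description=...' fragment B2C appends to the reply URL."""
    params = dict(parse_qsl(urlsplit(url).fragment))  # '+' -> space, %0d%0a -> CRLF
    lines = params.get("error_description", "").splitlines()
    result = {"error": params.get("error"), "message": lines[0] if lines else ""}
    for line in lines[1:]:  # 'Correlation ID: ...', 'Timestamp: ...'
        key, _, value = line.partition(":")
        result[key.strip().lower().replace(" ", "_")] = value.strip()
    return result


if __name__ == "__main__":
    bad = AUTHORIZE_URL.replace("client_id=d4d84f32", "client_id=d4d84f32-1e57-4daf-b010-399bb2614e0d,d4d84f32")
    print(check_authorize_url(AUTHORIZE_URL), check_authorize_url(bad))
    print(parse_error_redirect(ERROR_REDIRECT))
```

The correlation ID and timestamp the parser extracts are what Microsoft support asks for when a B2C request fails, so logging them from the reply-URL handler saves a round trip.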
I have created a policy that internally uses an identity provider. On clicking Run now I see the error below:
http://localhost:3000/#error=server_error&error_description=AADB2C%3a+An+exception+has+occurred.%0d%0aCorrelation+ID%3a+84fa6f8d-6aac-4588-9d26-fd987c31ebc0%0d%0aTimestamp%3a+2018-10-13+05%3a26%3a26Z%0d%0a
I am using an inbuilt policy. The policy uses an identity provider that connects to another Azure AD. The reply URLs on the AD's application are set to the same value.
What could be the issue here?
Thanks!
The redirect to http://localhost:3000 means you have already successfully signed in to your app; it just redirects to your app's reply URL. Because you are not running anything on localhost:3000, the browser shows "This site can't be reached".
Greets. I am attempting to authenticate users in Azure AD using OpenID auth. All user accounts in Azure AD are sourced from Microsoft Azure Active Directory. Authentication works fine against a test Azure account; however, when authenticating against a particular customer's Azure service, the following error is output:
com.microsoft.aad.adal4j.AuthenticationException:
{"error":"invalid_grant","error_description":"AADSTS50034: To sign
into this application the account must be added to the
d0698a91-23ba-4495-abdb-5864793c48dc directory.\r\nTrace ID:
ed060649-da1d-48d3-b198-1e05e2a05f0d\r\nCorrelation ID:
7c2a1d1e-924e-4939-bad5-fe9f3fcac43e\r\nTimestamp: 2015-09-21
11:08:18Z"}
I triple-checked all settings and they appear correct. Client ID, Client Secret, Tenant Name, Authorization Endpoint URL and Authentication Callback URL are all correct. The application is added to the customer's AD directory server. I'm not entirely sure what Microsoft means by this error. Any ideas?
Sorry, my mistake. I had the authorization URL hardcoded in the code that retrieved the access Token.
Setup:
My web application has OpenAM + OpenDJ interacting with a federation server in order to provide SSO service through SAML2. The list of users who are authorised to access my application is part of the OpenDJ.
How it works:
When the user launches the link for the first time and the application determines that he has not logged in, the user is redirected to the IDP URL to authenticate. The IDP provides the SAML2 response through the Consumer URL exposed. On receiving the SAML2 response my application determines if the user is part of my LDAP and thereby allowed to access and shows up a home page if he has access.
Problem:
When the user is not part of my LDAP, I would like to throw up an Access Denied Page, however, I find that OpenAM throws the default IDP initiated login page with a goto parameter to my URL.
I've tried configuring success and failure URLs, but it results in the application not being accessible at all. The users are not even shown the IDP login screen.
Is there a property or configuration I need to set to enable OpenAM to show the Access Denied page instead of IDP Login?
I was able to get this working through changes/redirection on the web server. Though I am not sure if there is a place within OpenAM config to solve this.