I am trying to run this MSDN sample, and it works against a Office 365 site.
However, when I run it against the SharePoint 2013 cloud implementation in my office, I get an authentication failed error, which is actually an error with the message:
<S:Body xmlns:S="http://www.w3.org/2003/05/soap-envelope">
- <S:Fault>
- <S:Code>
<S:Value>S:Sender</S:Value>
- <S:Subcode>
<S:Value>wst:FailedAuthentication</S:Value>
</S:Subcode>
</S:Code>
- <S:Reason>
<S:Text xml:lang="en-US">Authentication Failure</S:Text>
</S:Reason>
- <S:Detail>
- <psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
<psf:value>0x80048821</psf:value>
- <psf:internalerror>
<psf:code>0x80047860</psf:code>
<psf:text>Direct login to WLID is not allowed for this federated namespace</psf:text>
</psf:internalerror>
</psf:error>
</S:Detail>
</S:Fault>
</S:Body>
Any idea if there is some setting done by the IT department blocking me, or is there some change I need to make in my app?
Thank you!
This is an old implementation, make sure your re-connect the app to o365 and refresh all tokens to get the latest keys in the configuration file in the win8 app. also, make sure to register the app in o365 AD tenant.
Hope this helps.
Related
I have already implemented this: https://github.com/Azure-Samples/active-directory-b2c-xamarin-native sample into an external app, but i got errors while login with an openid identity provider.
To reproduce this problem I checked out the latest master of the sample, tried to reproduce this error within the solution and it also occurs there.
I just changed the B2CConstants file values and everything is working for local accounts.
In my Azure B2C I have created 2 identity providers for different AD's in my signin/signup policy.
For Android and iOS everything works fine as expected, also the login with the identity provider.
If I log in with the UWP App via the identity provider i get the following error:
"We can't connect to the service you need right now. Check your network connection or try this again later."
This message shows up in the external Popup Window after Login (normally it should redirect back to the App without error)
In my external app, sometimes its possible to login via the identity provider if I first login with local account ⇒ logout and login again with identity provider credentials. But its not really a workaround because the error comes again on the next login.
I configured the identity provider with following documentation:
https://learn.microsoft.com/de-de/azure/active-directory-b2c/tutorial-add-identity-providers
I tried following things:
add Capabilities:
<Capabilities>
<Capability Name="internetClient" />
<uap:Capability Name="enterpriseAuthentication"/>
<Capability Name="privateNetworkClientServer"/>
<uap:Capability Name="sharedUserCertificates"/>
<uap:Capability Name="userAccountInformation"/>
<Capability Name="internetClientServer"/>
</Capabilities>
found it here:
https://github.com/Azure-Samples/active-directory-b2c-xamarin-native/issues/137
And tried also setting the registry and redirect url which is created from the app during execution:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/UWP-specifics#properties-of-platformparameter-specific-to-winrt-and-uwp-corporate-network
some additional information, I developed the identity provider login with a signIn/signUp (default) policy, that was working at the beginning, the error occurs only sometimes.
After I changed to a only signin (default) policy, the error occurs nearly every time (only works with the workaround which i described already).
Im not quite sure what im missing or doing wrong, hope someone can help me.
Thank you!
First I prepared the repo as described in the contributing guide by cloning it, restoring and building it.
When running yarn start the app starts on localhost. I sign in using a Microsoft account (no work or school account) and eventually I am presented with HTTP 431 (Request Header Fields Too Large).
There is a header Cookie which is 8563 characters long and appears to be an aggregation of several JWTs. It goes like this:
msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.client.info=eyJ1aWQiOiIwMDAwMDAwMC0wMDAw...; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.login.request|c8591ba7-8643-4dd0-a86c-38240fd5c6e9=http://localhost:3000/; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.authority|c8591ba7-8643-4dd0-a86c-38240fd5c6e9=https://login.microsoftonline.com/common/; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.nonce.idtoken|c8591ba7-8643-4dd0-a86c-38240fd5c6e9=950c6017-41e9-4244-a874-02e7d8d40f47; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.state.acquireToken|c8591ba7-8643-4dd0-a86c-38240fd5c6e9=eyJpZCI6ImM4NTkx...;msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.login.request|965aad0f-7740-44db-8be3-8a21d26c4f2d=http://localhost:3000/; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.authority|965aad0f-7740-44db-8be3-8a21d26c4f2d=https://login.microsoftonline.com/common/; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.nonce.idtoken|965aad0f-7740-44db-8be3-8a21d26c4f2d=5b3e211d-6756-4892-b50d-17cdebbd18b3; msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.state.acquireToken|965aad0f-7740-44db-8be3-8a21d26c4f2d=eyJpZCI6Ijk2NWFhZDBm
This goes on for quite some time and somewhere in between there is this:
msal.a974dfa0-9f57-49b9-95db-90f04ce2111a.error.description=Silent authentication was denied. The user must first sign in and if needed grant the client application access to the scope 'user.read people.read user.readbasic.all contacts.read calendars.read presence.read.all tasks.readwrite presence.read user.read.all group.read.all tasks.read openid profile'.;
Of course I have accepted all those permission requests, even revoked them once and regranted to start over clean.
What am I not getting?
I use Win 10, node 12.19.0 and VS Code 1.51.1. and access the provided app (Amazing Microsoft Graph Toolkit App - client ID a974dfa0-9f57-49b9-95db-90f04ce2111a) which is the default in the index.html file.
Thanks for any hints.
I'm developing an API using VS 2017, which I'm testing using Postman. I've been following this blog post Getting started with Windows Azure AD Authentication using Postman. I finally got it to give me an access token and a refresh token. About 3 quarters of the way through the post I came across this:
resource : https://management.core.windows.net
which has to be put into Postman (I'm using the Windows app version of Postman). I wasn't sure what that was for, so I left it off. I eventually got an access token and a refresh token, but when I when to get more info for all subscriptions, I got errors saying that I had specified a valid resource. So, I thought what I'd have to do was start over again, but re-authenticating and getting a code from Azure. I did so, and put that into Postman, as the blog post instructs. However, issuing this POST results in this error:
"error": "unauthorized_client",
"error_description": "AADSTS70002: Error validating credentials. AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: d37abf69-42ce-4571-b146-f3422e73f041. Resource value from request: https://management.core.windows.net. Resource app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000.\r\nTrace ID: 9f028899-6d03-409e-8db4-4e9905000300\r\nCorrelation ID: ec253a1b-9fdc-495f-9310-6b40a42e5d93\r\nTimestamp: 2018-11-19 22:20:02Z",
"error_codes": [
70002,
65005
]
I don't understand why nor what I could have done wrong. I've prespecified the resource as the tutorial instructed, so what have I done wrong?
Looking at the error message, it seems you could have missed adding relevant permissions for "Windows Azure Service Management API" to your app registration.
Steps:
Go to Azure Portal > Azure AD > App registrations > Your app (with app id: d37abf69-42ce-4571-b146-f3422e73f041)
Go to Settings > Required permissions > Add > Select "Windows Azure Service Management API"
Select the relevant permission under Delegated permissions section. Click on select and then "Done". You should get a notification in portal that successfully added permissions. You should see Windows Azure Service Management API listed under required permissions as well.
After these steps, continue as per the blog post you've mentioned with Postman steps to get the access token again.
I found myself in the same situation when i was trying to setup Postman. Its not as complicated as most blogs make seem. I created a tutorial to try to make the process easy.
http://hazelnest.com/blog/blog/2018/11/17/azure-postman-configuration/
https://youtu.be/2bfgeBKRxl4
Hope this helps.
I am trying to have our Google Apps users to sign in Office 365 with the Google credentials.
I am struggling with 2 things.
1. setup a federated domain with Azure AD. Can anyone match the required variables from the Google iDP Meta data below?
Below are the variables of Microsoft to set a federated domain from their help pages.
$dom = "contoso.com"
$BrandName - "Sample SAML 2.0 IDP"
$LogOnUrl = "https://WS2012R2-0.contoso.com/passiveLogon"
$LogOffUrl = "https://WS2012R2-0.contoso.com/passiveLogOff"
$ecpUrl = "https://WS2012R2-0.contoso.com/PAOS"
$MyURI = "urn:uri:MySamlp2IDP"
$MySigningCert = #" MIIC7jCCAdag......NsLlnPQcX3dDg9A==" "#
$uri = "http://WS2012R2-0.contoso.com/adfs/services/trust"
$Protocol = "SAMLP"
Set-MsolDomainAuthentication ` -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $MyURI -ActiveLogOnUri $ecpUrl -SigningCertificate $MySigningCert -IssuerUri $uri -LogOffUri $url -PreferredAuthenticationProtocol $Protocol
This is the Google iDP metadata where it suppose to have all the info
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=C01gs" validUntil="2021-08-31T11:57:42.000Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDdDCCAlygAwIBAgI
MTE1NzQyWhcNMjEwODM.....yVlPqeevZ6Ij
f7LcIuZHffg1JV6pOB3A7afVp7JBbzZZOeuhl5nUhr96</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=C02gs"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C03gs"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
2. After a successful federated domain (I succeeded, but it didn't work, so the variables I provided powershell was wrong). The admin portal for Office 365 does NOT allow one to add users from a federated domain. So, how to add users?
Hope someone can help me with this puzzle.
Google now provides documentation on setting up SSO with Office 365.
Corresponding documentation on adding Google as an IdP from Microsoft is also available; however, I found no use there and kept getting failed sign-ins after following Microsoft's instructions (SSO didn't work).
Instead, I followed instructions from James Winegar which contains PowerShell commands (runnable in the Cloud Shell provided in Microsoft's admin portal, or locally) that let me get federation up and running in an hour or so, including time for user sync to start from Google's end.
This support from Microsoft seems relatively new—obviously it's less than 4 years old, based on the age of this question. But at least it now exists. By the time anyone reads this answer, there might be better tutorials available.
Microsoft Azure AD (the identity system behind Office 365) only support federation with a handful of Identity Federation Providers:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-federation-compatibility/
Google Apps is not in this list and is not a supported federation system. You cannot use Google Apps users to sign-in to Office 365 with their Google Apps Credentials.
What you can do however, is to allow your Office 365 users to single-sign-on to their Google Apps (which is the other way around):
https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-google-apps-tutorial/
EDIT
After the provided link, it seems that is possible to use Google Work Apps Ids for SSO with Office 365, but with the intermediate player Windows Server Active Directory and ADFS. Which quite an overhead.
I am relatively new to sharepoint app development.
Trying to create a on premises, High Trust provider hosted app with App + User Policy. I have followed below document to create a demo.
https://msdn.microsoft.com/library/office/fp179901(v=office.15)
http://blogs.msdn.com/b/russmax/archive/2014/06/23/part-1-intro-to-provider-hosted-apps-setup-the-infrastructure.aspx
I am facing few issue and I have some question to clarify, if anybody can help.
1) When I inspect my request in dev tools, it give me below form data.
SPAppToken:
SPSiteUrl:
SPSiteTitle:Home
SPSiteLogoUrl:
SPSiteLanguage:en-US
SPSiteCulture:en-US
SPRedirectMessage:EndpointAuthorityMatches
SPErrorCorrelationId:f069e89c-a0cd-20ce-a1c0-7db95db0334b
now when i inspect log with above corelation id, i am finding below errors.
-- Error when get token for app i:0i.t|ms.sp.ext|ab8ff461-bc75-4516-b475-b666ac47eec0#802f23e1-6e11-45d1-909c-07a7b0ab0ce2,
exception: Microsoft.SharePoint.SPException: The Azure Access Control
service is unavailable.
-- App token requested from appredirect.aspx for site: 92bfe5c4-7255-4b09-a89a-07e0e2b03622 but there was an error in
generating it. This may be a case when we do not need a token or when
the app principal was not properly set up.
-- Getting Error Message for Exception Microsoft.SharePoint.SPException: The Azure Access Control service is
unavailable.
a) I belive in high-trust app it shouldn't look for Azure ACS.
Is this error because of some incorrect configuration?
b) SPAppToken is null here. Is it null always in case of hig trust app?
2) Say I am logged into sharepoint with User A and trying to launch sharepoint app.
Within app code I want to get identity of logged in user(which is A). From below code i found that Request.LogonUserIdentity gives me identity of user A. But how can we sure that request is came from sharepoint only. I can copy the same app URL and paste in browser window and login with window credential and get the same result. So question is how can I verify if its legitimate request came from sharepoint only and no one is faking request.
ALos, when I inspect request in dev tools, its passing Authorization key in request header. What is use of this?
using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWeb, Request.LogonUserIdentity)) { clientContext.Load(clientContext.Web, web => web.Title); clientContext.ExecuteQuery(); Response.Write(clientContext.Web.Title); }
3) Also what happens if my app doesnt support windows authentication and only support FBA, is there any way to get user identity in this case?
Any help would be much appreciated.
Thanks
For issue #1: It looks to me that the step # 9 (Configure authentication settings) in this section (from the first MSDN article you have referred) was missed, i.e., 'ACS Control service' was selected instead of 'Use a Certificate' option.
For issue #2: There are helper methods in TokenHelper.cs to validate the AccessToken from the HttpRequest, which identifies the validity of the request.