I am using my custom STS as IDP with Azure ACS with a WCF service as RP.
I am getting the following error while getting the ACS token-
ACS10002: An error occurred while processing the SOAP body. ACS50000: There was an error issuing a token.
Trace ID: 810078c0-d799-4652-9152-cff0b730d4bd
Timestamp: 2013-10-19 14:18:29Z
The error is not giving me a clue as to what is happening actually. Is there a way to ask the MS support to use the trace id to get the error details.
Yes. If you have a support plan you can provide the trace ID you see along with your subscription and ACS namespace and they should be able to look up the issue.
Before you try support however, make sure you explore the exception for more than just the Message property. Usually there is a lot more information buried within the exception in the details or inner exception.
Here is a link to the ACS Error Codes on MSDN.
Related
I am trying to use Microsoft.Graph to access the onedrive files. I am referring to the sample provided on GitHub link
https://github.com/OneDrive/onedrive-texteditor-js
in this sample while getting the file link(CreateLink). I am getting following error
{"error":{"code":"InvalidAuthenticationToken","message":"CompactToken parsing failed with error code: 80049217","innerError":{"date":"2022-03-21T12:49:24","request-id":"45725ccf-a752-45c3-8208-9040e4177e4b","client-request-id":"45725ccf-a752-45c3-8208-9040e4177e4b"}}}
Do I need some subscription to do this setting or am I missing anything?
Is there any other setting is required to resolved this access issue?
Is there any other way of getting the sharelink of onedrive file?
What I have tried:
I have given API Permissions in Microsoft azure application of which I have used the applicationId in request. I have found one URL: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=azure-resource-explorer%2Cprogramming-language-csharp.
(Configure App Service to return a usable access token) But I could not find this setting in my azure application.
Please check below 2 steps to diagnose the problem,
1.Login into https://developer.microsoft.com/en-us/graph/graph-explorer , Hit the same API and check access token on jwt.ms and make sure you have required permissions to perform.
2.Also check your token expiry time (exp), might be it got expired. Go to jwt.ms to check token details, check the attached image to see where you find token exp_time.
If the token got expired ,please follow the docs to get new token.
I am trying to set up OKTA as an external identity provider in Azure B2C with custom policies. When I try to sign in, I receive the following error
AADB2C90289: We encountered an error connecting to the identity provider.
Please try again later.
Correlation ID: xxx
Timestamp: 2021-10-14 16:53:12Z
I have followed this tutorial - https://learn.microsoft.com/en-gb/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy.
I also followed a number of articles on this but no concrete solution anywhere.
I'm using custom policy to invoke a REST API to get something from database and return in claims. It works fine but I need to extend the feature to send extra error code and error message in case any exception happens. I already returned such information as requested ("status":409, "userMessage":). But I don't know where I can get it (in HTTP header/body/somewhere else?). I understand that I can return such information in another claim. But since AAD B2C provides the status code and userMessage there must be a way to use it. Could someone please enlighten me? Thanks a lot.
enter image description here
The error message itself can’t be accessed as a claim. If you want processing to continue, then return a HTTP 200 with a JSON representing the error and use preconditions to control the journey in this case.
I'm developing an API using VS 2017, which I'm testing using Postman. I've been following this blog post Getting started with Windows Azure AD Authentication using Postman. I finally got it to give me an access token and a refresh token. About 3 quarters of the way through the post I came across this:
resource : https://management.core.windows.net
which has to be put into Postman (I'm using the Windows app version of Postman). I wasn't sure what that was for, so I left it off. I eventually got an access token and a refresh token, but when I when to get more info for all subscriptions, I got errors saying that I had specified a valid resource. So, I thought what I'd have to do was start over again, but re-authenticating and getting a code from Azure. I did so, and put that into Postman, as the blog post instructs. However, issuing this POST results in this error:
"error": "unauthorized_client",
"error_description": "AADSTS70002: Error validating credentials. AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: d37abf69-42ce-4571-b146-f3422e73f041. Resource value from request: https://management.core.windows.net. Resource app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000.\r\nTrace ID: 9f028899-6d03-409e-8db4-4e9905000300\r\nCorrelation ID: ec253a1b-9fdc-495f-9310-6b40a42e5d93\r\nTimestamp: 2018-11-19 22:20:02Z",
"error_codes": [
70002,
65005
]
I don't understand why nor what I could have done wrong. I've prespecified the resource as the tutorial instructed, so what have I done wrong?
Looking at the error message, it seems you could have missed adding relevant permissions for "Windows Azure Service Management API" to your app registration.
Steps:
Go to Azure Portal > Azure AD > App registrations > Your app (with app id: d37abf69-42ce-4571-b146-f3422e73f041)
Go to Settings > Required permissions > Add > Select "Windows Azure Service Management API"
Select the relevant permission under Delegated permissions section. Click on select and then "Done". You should get a notification in portal that successfully added permissions. You should see Windows Azure Service Management API listed under required permissions as well.
After these steps, continue as per the blog post you've mentioned with Postman steps to get the access token again.
I found myself in the same situation when i was trying to setup Postman. Its not as complicated as most blogs make seem. I created a tutorial to try to make the process easy.
http://hazelnest.com/blog/blog/2018/11/17/azure-postman-configuration/
https://youtu.be/2bfgeBKRxl4
Hope this helps.
I have a custom STS implementation. Currently it is configured as an additional identity provider on Azure ACS. I have a relying party website that is authenticating successfully via ACS (Windows Live, Google, etc). However, whenever I try to login using my custom STS I always get the Error 401.
Error Code ACS20001: An error occurred while processing a WS-Federation sign-in response.
Error Code ACS50008: SAML token is invalid.
I have searched through the forums but in my case I dont get any more detail on the error and do not know how to proceed and fix this.
My STS is currently on beta and can be reached here: metadata .
If anyone has any suggestions or wants to give it a try please contact me via email and I will open a demo login on my custom provider.
note: The case is different than similar question found here since my inner exception details do not suggest any reason.
UPDATE: check the discussion in this thread for some additional informaton and the payloads I extracted from fiddler.
Thanks in advance,
Constantinos
I finally figured this out with the help of ms support on Azure.
It seems that the "ACS50008: SAML token is invalid" error is quite generic and usually there is more information in an inner exception that does not end up on the error screen. Why this happens is still a mystery for me.
So for anyone that happens to be in my position I nailed two possible reasons for this to happen.
Reason: the time of the client mismatches the time of ACS, namely NotBefore below is a time in future when looked by ACS. Action: <saml:Conditions NotBefore="...." NotOnOrAfter="....">
If that's the case you may try to set lifetime to (now - a buffer time such as 5 mins) to now + 1 hour.
Reason: a hidden inner exception that can be seen only with the help of ms support using your error's trackingId.
Microsoft.Cloud.AccessControl.Common.Diagnostics.SignInException :
ACS20001: An error occurred while processing a WS-Federation sign-in
response.Microsoft.Cloud.AccessControl.Common.Diagnostics.ServiceException
: ACS50008: SAML token is
invalid.Microsoft.IdentityModel.SecurityTokenService.IssuerNameNotSupportedException
: Principal with name 'https://login.mydomain.com/' is not a known
principal.
In my case the principal name should not contain the forward slash at the end. We changed it from https://login.mydomain.com/ to https://login.mydomain.com and the error went away!
You can always create a support case with Microsoft and have them help figure it out:
https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn