I have a custom STS implementation. Currently it is configured as an additional identity provider on Azure ACS. I have a relying party website that is authenticating successfully via ACS (Windows Live, Google, etc). However, whenever I try to login using my custom STS I always get the Error 401.
Error Code ACS20001: An error occurred while processing a WS-Federation sign-in response.
Error Code ACS50008: SAML token is invalid.
I have searched through the forums but in my case I dont get any more detail on the error and do not know how to proceed and fix this.
My STS is currently on beta and can be reached here: metadata .
If anyone has any suggestions or wants to give it a try please contact me via email and I will open a demo login on my custom provider.
note: The case is different than similar question found here since my inner exception details do not suggest any reason.
UPDATE: check the discussion in this thread for some additional informaton and the payloads I extracted from fiddler.
Thanks in advance,
Constantinos
I finally figured this out with the help of ms support on Azure.
It seems that the "ACS50008: SAML token is invalid" error is quite generic and usually there is more information in an inner exception that does not end up on the error screen. Why this happens is still a mystery for me.
So for anyone that happens to be in my position I nailed two possible reasons for this to happen.
Reason: the time of the client mismatches the time of ACS, namely NotBefore below is a time in future when looked by ACS. Action: <saml:Conditions NotBefore="...." NotOnOrAfter="....">
If that's the case you may try to set lifetime to (now - a buffer time such as 5 mins) to now + 1 hour.
Reason: a hidden inner exception that can be seen only with the help of ms support using your error's trackingId.
Microsoft.Cloud.AccessControl.Common.Diagnostics.SignInException :
ACS20001: An error occurred while processing a WS-Federation sign-in
response.Microsoft.Cloud.AccessControl.Common.Diagnostics.ServiceException
: ACS50008: SAML token is
invalid.Microsoft.IdentityModel.SecurityTokenService.IssuerNameNotSupportedException
: Principal with name 'https://login.mydomain.com/' is not a known
principal.
In my case the principal name should not contain the forward slash at the end. We changed it from https://login.mydomain.com/ to https://login.mydomain.com and the error went away!
You can always create a support case with Microsoft and have them help figure it out:
https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn
Related
I have created a custom policy to use the Authenticator App from the following example code:
https://github.com/azure-ad-b2c/samples/blob/master/policies/totp/policy/TrustFrameworkExtensions_TOTP.xml
The issue I am having is that it will sign up a new user, but when it is supposed to redirect to the page to show the QR code, it fails with the following error shown in AI.
Exception Message:A Claim of ClaimType with id "totpIdentifier" was not found, which is required by the ClaimsTransformationImpl of
Type "Microsoft.Cpim.Data.Transformations.FormatStringMultipleClaimsTransformation" for TransformationMethod "FormatStringMultipleClaims"
referenced by the ClaimsTransformation with id "CreateUriLabel" in policy xyz
The user is created correctly, as the next login will show the QR code and after going through the process, will give me my token.
I do understand the error, but I do not know how to fix it.My guess is that the sequence of events is not correct, but "CreateUriLabel" should be called after "TotpFactor-Input" where "totpIdentifier" gets set.
Has someone got an idea on what to look at?
just for completion, it ended up being a branding file that was causing the issue.
I am trying to use Microsoft.Graph to access the onedrive files. I am referring to the sample provided on GitHub link
https://github.com/OneDrive/onedrive-texteditor-js
in this sample while getting the file link(CreateLink). I am getting following error
{"error":{"code":"InvalidAuthenticationToken","message":"CompactToken parsing failed with error code: 80049217","innerError":{"date":"2022-03-21T12:49:24","request-id":"45725ccf-a752-45c3-8208-9040e4177e4b","client-request-id":"45725ccf-a752-45c3-8208-9040e4177e4b"}}}
Do I need some subscription to do this setting or am I missing anything?
Is there any other setting is required to resolved this access issue?
Is there any other way of getting the sharelink of onedrive file?
What I have tried:
I have given API Permissions in Microsoft azure application of which I have used the applicationId in request. I have found one URL: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=azure-resource-explorer%2Cprogramming-language-csharp.
(Configure App Service to return a usable access token) But I could not find this setting in my azure application.
Please check below 2 steps to diagnose the problem,
1.Login into https://developer.microsoft.com/en-us/graph/graph-explorer , Hit the same API and check access token on jwt.ms and make sure you have required permissions to perform.
2.Also check your token expiry time (exp), might be it got expired. Go to jwt.ms to check token details, check the attached image to see where you find token exp_time.
If the token got expired ,please follow the docs to get new token.
I'm using custom policy to invoke a REST API to get something from database and return in claims. It works fine but I need to extend the feature to send extra error code and error message in case any exception happens. I already returned such information as requested ("status":409, "userMessage":). But I don't know where I can get it (in HTTP header/body/somewhere else?). I understand that I can return such information in another claim. But since AAD B2C provides the status code and userMessage there must be a way to use it. Could someone please enlighten me? Thanks a lot.
enter image description here
The error message itself can’t be accessed as a claim. If you want processing to continue, then return a HTTP 200 with a JSON representing the error and use preconditions to control the journey in this case.
I'm testing Azure B2C with Salesforce as IdP, and the login process works fine from Salesforce perspective (Salesforce Identity Provider Event Log show "success" for sing-on attempts), but redirection back to simple testing web application ends up to error page such as
/redirect.html#error=server_error&error_description=AADB2C90037%3a+An+error+occurred+while+processing+the+request.+Please+contact+administrator+of+the+site+you+are+trying+to+access.%0d%0aCorrelation+ID%3a+f0292157-ffad-472d-8119-3cd05518654c%0d%0aTimestamp%3a+2018-02-13+15%3a01%3a54Z%0d%0a
Looking at Application Insights, I see error:
A claim could not be found for lookup claim with id "objectId" defined in
technical profile with id "AAD-UserReadUsingObjectId" policy
"B2C_1A_SignUpOrSignInUsingSalesforce" of tenant "xyz.onmicrosoft.com".
I've followed the tutorial here and double checked lots of things, but not sure it this issue is due to invalid UserJourney or ClaimsProvider/TechnicalProfile. Or is it just that I'm missing respective user in Azure B2C that I have in Salesforce?
I don't at least see 'objectId' incoming in saml:Assertion:
<saml:Assertion xmlns:samlp=\""urn:oasis:names:tc:SAML:2.0:protocol\"" xmlns:xsi=\""http://www.w3.org/2001/XMLSchema-instance\"" ID=\""_b0b0193ce1e861e13ec39f9a991cb3501518533690616\"" Version=\""2.0\"" IssueInstant=\""2018-02-13T14:54:50.616Z\"" xmlns:saml=\""urn:oasis:names:tc:SAML:2.0:assertion\""><saml:Issuer Format=\""urn:oasis:names:tc:SAML:2.0:nameid-format:entity\"">https://XYZ.my.salesforce.com</saml:Issuer><saml:Subject><saml:NameID Format=\""urn:oasis:names:tc:SAML:2.0:nameid-format:transient\"">jussi.palo#XYZ.com</saml:NameID><saml:SubjectConfirmation Method=\""urn:oasis:names:tc:SAML:2.0:cm:bearer\""><saml:SubjectConfirmationData NotOnOrAfter=\""2018-02-13T14:59:50.616Z\"" Recipient=\""https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer\"" InResponseTo=\""_50a752dd-244c-4447-9ac9-6338e8bb692e\"" /></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore=\""2018-02-13T14:54:20.616Z\"" NotOnOrAfter=\""2018-02-13T14:59:50.616Z\""><saml:AudienceRestriction><saml:Audience>https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant=\""2018-02-13T14:54:50.616Z\""><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name=\""userId\"" NameFormat=\""urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\""><saml:AttributeValue xsi:type=\""xs:anyType\"">0050N0000060rpy</saml:AttributeValue></saml:Attribute><saml:Attribute Name=\""username\"" NameFormat=\""urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\""><saml:AttributeValue xsi:type=\""xs:anyType\"">jussi.palo#XYZ.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name=\""email\"" NameFormat=\""urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\""><saml:AttributeValue xsi:type=\""xs:anyType\"">jussi.palo#XYZ.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name=\""is_portal_user\"" NameFormat=\""urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\""><saml:AttributeValue xsi:type=\""xs:anyType\"">false</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
For some reason, the User Journey Player isn't showing anything, so I'm thus far been stuck with Application Insights.
Looks like it was confusion on what Starter Pack policy files should be used with the Salesforce instructions. Turned out using "SocialAndLocalAccounts" policy files as a basis did the trick, so my UserJourney was not right at first.
I will leave the question here for anyone else running into similar error messages.
I am using my custom STS as IDP with Azure ACS with a WCF service as RP.
I am getting the following error while getting the ACS token-
ACS10002: An error occurred while processing the SOAP body. ACS50000: There was an error issuing a token.
Trace ID: 810078c0-d799-4652-9152-cff0b730d4bd
Timestamp: 2013-10-19 14:18:29Z
The error is not giving me a clue as to what is happening actually. Is there a way to ask the MS support to use the trace id to get the error details.
Yes. If you have a support plan you can provide the trace ID you see along with your subscription and ACS namespace and they should be able to look up the issue.
Before you try support however, make sure you explore the exception for more than just the Message property. Usually there is a lot more information buried within the exception in the details or inner exception.
Here is a link to the ACS Error Codes on MSDN.