I am using a Cognito User Pool, for SAML integration with my corporate Azure AD directory. Everything has been set up and is working fine locally, as well as on both dev and prod environments associated with one of the apps.
However, when I tried to deploy another app with exactly the same code and configuration, the app works fine locally (i.e. I am able to log in using my corporate credentials) but the deployed sites do not work - both dev and prod keep returning the error The user is not authenticated when the following code is run:
Auth.currentAuthenticatedUser()
.then(currentUser => setUser(currentUser))
.catch((error) => console.log(error));
One of the solutions in SO suggested that the user needs to be confirmed. There are two problems with that:
The account status is set to EXTERNAL_PROVIDER and cannot be altered, and
If the issue was with the user account (or the provider), the other instances (local as well as online) would also have thrown the error.
I configure the callbacks as follows:
awsconfig.oauth.redirectSignIn = `${window.location.origin}/`;
awsconfig.oauth.redirectSignOut = `${window.location.origin}/`;
Amplify.configure(awsconfig);
And I trigger the login using the following code, based on another answer:
<button onClick={() => Auth.federatedSignIn({provider: '<My corp provider string>'})}>
Again, the same code is working fine locally (though still using the same user pool).
Any idea why the user is not being considered authenticated for just these two environments? Any help is appreciated.
Related
Stackoverflow I need your help.
Introduction:
We have two applications that are available through separate domains. These two applications are currently provisioned using Azure AD and PKCE login.
Azure AD manages the clients.
My question now: is it possible to configure Azure AD to allow SSO through these two applications.
Customer logs into application A and switches to B and is logged in there immediately, so without entering PW again.
Somehow I haven't found a tutorial or something similar that looks at this case, maybe I'm searching for the wrong keywords.
Thanks a lot
Application A has A customers -> a.de -> Angular SPA
Application B has A and B customers -> b.de -> Angular SPA
Yeah, hmm, what I tried. I was looking for tutorials or something like that.
I Hope this is possible with Azure AD
I have found a solution.
However, this is not yet finally tested, so to enjoy with caution.
Hints:
The scopes must be enabled in the azure.portal for the applications otherwise it gets stuck in a kind of login loop.
portal.app-reg(not Enterprise APP).Api Permission
In the initial component in ngInit:
const activeAccount = this.authService.instance.getActiveAccount();
const activeAccountEmail = activeAccount?.username;
//loginhin for ssoSilent
const silentRequest: SsoSilentRequest = {
scopes: ['User.Read'], //a scope (aka "permission") refers to any aspect of a resource that an Access Token grants rights.
loginHint: activeAccountEmail
};
//silentsso on inital pageload/reload
this.authService.ssoSilent(silentRequest)
.subscribe({
next: (result: AuthenticationResult) => {
console.log('SsoSilent succeeded!');
},
error: (error) => {
console.error("ERROR: "+error);
this.authService.loginRedirect();
}
});
I'm working on standing up a Playwright testing framework around our front-end PHP application to prototype automated testing for our team. Our authentication is managed by Azure Active Directory with 2FA as well as Conditional Access for our devices. The problem I'm encountering is the conditional access not liking the pseudo-incognito Chromium browser used by Playwright. Below is the message I get while attempting my login in the Edge InPrivate window (same error message as Chromium):
I've gone through the authentication section on Playwright's documentation as well as searching, but I'm not having any luck with getting past the conditional access issue. The failing TypeScript code I'm currently running is:
import test from "#playwright/test";
const { chromium } = require('playwright');
test('Log into Application', async () => {
const userDataDir = '\UserData';
const context = await chromium.launchPersistentContext(userDataDir, { headless: false });
const page = await context.newPage();
await page.goto('https://MyApplication.com');
await page.pause();
})
Any help would be deeply appreciated.
According to last bulleted point in Grant controls | Microsoft Docs.
Conditional Access cannot consider Microsoft Edge in InPrivate mode as
a compliant device or an approved client app.
In normal chromium browser (not in private mode ) to work,you need to install and run a supported browser, based on your operating system. If you're using Windows 10, the supported browsers include Microsoft Edge, Internet Explorer, and Google Chrome.If you're using a different operating system, you can check the complete list of supported browsers.
(Or)
The error message may be because the Global admin was created an conditional access policy in the Office 365 tenant at your company due to security reason, so only specific device registered in Azure, will be allowed to use for you. So, in that case you should talk with the "IT HelpDesk" department at your company, and you should ask them to configure and allow all browsers there.
An administrator can make use of access controls to either grant or block access to resources : Grant controls
You may need to contact the admin to raise a support ticket from the Office 365 admin center for further investigation
Reference: Troubleshooting compliance error
If you have global admin rights,You can troubleshoot unexpected
sign-in outcomes related to Conditional Access using error messages
and Azure AD sign-ins log.
You can click on more details and see the information.
Sign in to the Azure portal as a global administrator, security administrator, or global reader
Browse toAzure Active Directory > Sign-ins.
Find the event for the sign-in to review. Add or remove filters .
The Conditional Access tab will show the specific policy or policies that resulted in the sign-in interruption.
You can see and check basic info, device details whether registered or not and other policy details that are not compliant .
For complete details of troubleshooting. Please check this Troubleshooting | Microsoft Docs for complete details of troubleshooting.
Reference:
You Can’t Get There From Here – Vince's Server Stuff (vincecarbone.com)
I'm trying to use one AAD App-Registration for both, a Web-API and a WPF Client APP. I've managed to configure the App-Registration correctly for my Web-API, but now I want to add a Native-Client APP to the same Registration, where a WEB-Registration is allready set up.
It works for me if I'm using only one of them, so if i register only the Web App it works. The same is true for the Native-Client App.
So I'm wondering if it is possible to combine those two and only use one App-Registration.
This is the error I get when trying to acquire a token with both registrations:
MSAL.NetCore.4.25.0.0.MsalServiceException:
ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details.
You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.
Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Thank you in advance.
Use one AAD App Registration for both is not recommended although it seems to be able to meet your identity authentication needs. But generally we will need to use app roles or some other configurations, it will be very confusing in this case. It's recommended to use 2 app registrations.
The AADSTS7000218 error means you didn't put client_secret.
I have a Asp.net MVC application that uses Azure AD and OpenID Connect OWIN middlewares to handle authentication. Everything works fine except for one thing : if a user is already logged-in on another Microsoft Application lets say a Office 365 account or maybe a live mail account, when trying to login it recives a page saying that it is not allowed to log into my app, which is correct, but some how I need to catch that situation in my code to allow the user to sign in with a different account. Is there a way of doing that? This is by design? I mean : the user have to log in only with a live/azure account at the time ? I couldn't find any documentation about this.
As of today there is typically one user at a time, but we will soon support for you a way to select a specific user instead of automatically signing you in with the most recent one.
One way you can work around this today is by injecting the parameter "prompt=login" in your sign in requests. You can do that in the RedirectToIdentityProvider notifications, similarly to what is showin in http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/ for domain_hint. This will cause the sign in experience to always start with a fresh prompt even if the user is already signed in. The draw back is that you'll never get SSO this way. Hopefully our account switiching feature will become available soon, keep an eye on http://blogs.technet.com/b/ad/ for announcements
I receive "Unauthorized" exception on the host side for a provider-hosted App for SharePoint 2013.
Uri hostWeb = new Uri(Request.QueryString["SPHostUrl"]);
using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWeb, Request.LogonUserIdentity))
{
clientContext.Load(clientContext.Web, web => web.Title);
clientContext.ExecuteQuery();
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
}
Certificates were installed, Anonymos access was disabled. I can't understand the reason of this problem.
I have ran into the exact same problem before... i resolved it by implementing OAuth and have it redirect to the app main page with "write" permission.
Response.Redirect(TokenHelper.GetAuthorizationUrl("mysharepoint.com", "Web.Write", "myapp.com/default.aspx"));
Basically what this does is that it'll authentication the login user with your sharepoint site, once it's authenticated, it'll redirect (with write permission) to your app site.
Here is how to implement OAuth: http://msdn.microsoft.com/en-us/library/office/jj687470(v=office.15).aspx
Looks like this is High Trust App. If you have exhausted the tips at http://msdn.microsoft.com/en-us/library/fp179932.aspx, then there is an illformed SPTrustedSecurityTokenIssuer. You can find out all of them using the below PS. Ideally it should be IssuerId#Realm. If there is one which is not, then remove that. But remember not to remove first one which is for workflows
Get-SPTrustedSecurityTokenIssuer | select Name,RegisteredIssuerName
First you have to Check user in 'Request.LogonUserIdentity'. actually this happens when your user does not have access to your site in IIS.
so to set the correct user in 'Request.LogonUserIdentity' follow the below steps:
open your IIS --> Authentication -->Anonymous Authentication --> edit--> Specific user [ User which you get in 'Request.LogonUserIdentity']. --> iisreset
now user have permission to access your IIS site.