AzureAD SAML and MFA - azure-active-directory

I have a question about the SAML and MFA protocol. I have an app that acts as a ServiceProvider to an IdentityProvider, in my case AzureAD, and I would like to know if it is possible to insert some parameter/attribute in the SAML request that allows you to request the MFA during login on the IdP, in order to request it only when needed (under certain codes) and not always. Is it possible to do it? Or is it something I can only set at the IdP level, so on AzureAD?
Thank you

Azure AD MFA cannot be initiated per client request; it's initiated per tenant.
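For reference, the SAML 2.0 mechanism the question is asking about is the RequestedAuthnContext element of the AuthnRequest. The following is an added example, not code from the thread: it builds an AuthnRequest that asks for a specific authentication context only for the operation that needs it, and carries it in the HTTP-Redirect binding (DEFLATE, base64, URL-encode). Whether an IdP honours the element is IdP-specific (the answer above says Azure AD decides MFA per tenant), so an SP must still inspect the AuthnContextClassRef in the response it gets back. All URLs and the request ID are placeholders; a real request ID must be random and unique.

```python
"""Added example (not from the thread): SAML 2.0 AuthnRequest with an optional
RequestedAuthnContext, encoded for the HTTP-Redirect binding. URLs are placeholders."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Authentication context classes defined by the SAML 2.0 AuthnContext specification.
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TIME_SYNC_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, destination, request_id, issue_instant,
                        requested_context=None, force_authn=False):
    """Return an AuthnRequest as an XML string. request_id must be an NCName (start it
    with '_') that is random and unique; issue_instant is an ISO-8601 UTC time ending
    in 'Z'. requested_context, when given, becomes a RequestedAuthnContext; force_authn
    asks the IdP to re-authenticate even if the user already has an IdP session."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": HTTP_POST,
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    # Child order is fixed by the schema: Issuer, NameIDPolicy, RequestedAuthnContext.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "false",
    })
    if requested_context is not None:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = requested_context
    return ET.tostring(req, encoding="unicode")


def encode_redirect_binding(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query
    string. (A signed request would add SigAlg and Signature parameters as well.)"""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # the spec limits RelayState to 80 bytes
    return urllib.parse.urlencode(params)


def decode_redirect_binding(query_string):
    """Inverse of encode_redirect_binding, as the IdP performs it on receipt."""
    params = urllib.parse.parse_qs(query_string, strict_parsing=True)
    deflated = base64.b64decode(params["SAMLRequest"][0], validate=True)
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    return xml, params.get("RelayState", [None])[0]


def requested_context_of(authn_request_xml):
    """The AuthnContextClassRef a request asks for, or None if it asks for none."""
    root = ET.fromstring(authn_request_xml)
    ref = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return None if ref is None else ref.text


if __name__ == "__main__":
    # Hypothetical SP policy: only the sensitive operation asks for a stronger context.
    for operation, context in (("view-balance", None), ("wire-transfer", TIME_SYNC_TOKEN)):
        request_xml = build_authn_request(
            "https://sp.example.test/metadata", "https://sp.example.test/acs",
            "https://idp.example.test/sso", "_" + "0" * 32, "2024-05-01T12:00:00Z",
            requested_context=context, force_authn=context is not None)
        print(operation, "->", "https://idp.example.test/sso?" + encode_redirect_binding(request_xml, "op=" + operation))
```

The Comparison="exact" value is used so that the result is unambiguous: with "minimum" or "better" the IdP is free to pick a class it considers stronger, and SAML defines no ordering between arbitrary classes. If the IdP ignores the element (or the tenant policy decides, as the answer says for Azure AD), the only reliable signal is the AuthnContextClassRef in the returned assertion.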

Related

How do I setup IdP initiated sign on with a B2C Local account to Salesforce?

I am trying to have an IdP initiated sign on with a B2C Local account to Salesforce. Under my current configuration when I navigate to my IDP to login, I receive the following error: "AADB2C90250: SAML IDP initiated SSO is not enabled for this policy."
I have ensured that <Item Key="IdpInitiatedProfileEnabled">true</Item> is set under the technical profile in my custom policy. I'm not sure what other configuration to check and am looking for suggestions.
I'm using Azure AD B2C as IDP and Salesforce as IDP. Originally it was created for SP.
For PartnerEntity I'm using the same endpoint for SalesForce. Do I need a different endpoint or can I use the same one? Here's an example of my configuration.
I have a new setup for IDP initiated and have referenced that policy below.
<Item Key="PartnerEntity">https://<MY_SALES_FORCE_ACCOUNT>.my.salesforce.com/.well-known/samlidp/<API_POLICY>.xml</Item>
<Item Key="IssuerUri">https://<MY_DOMAIN>.b2clogin.com/<MY_DOMAIN>.onmicrosoft.com/<POLICY_NAME></Item>
Any other clues on this error would be helpful. Thanks.
• Please check whether the SAML response signature is created properly and whether the certificate created to sign the SAML messages is correct for the samlp:Response message element in the SAML message.
• If you don't already have a policy key, create one. Then configure the SamlMessageSigning metadata item in the SAML Token Issuer technical profile. StorageReferenceId must reference the policy key name.
• Make sure the technical profile and application use the same signature algorithm and the algorithm supports your certificate.
• Make sure the SAML service provider set the WantAssertionsSigned to true. If it's set to false or doesn't exist, the assertion section won't be signed.
• Make sure you specify the certificate to be used to sign the SAML assertions sections of the SAML response. Also, check the SamlAssertionSigning metadata item in the SAML Token Issuer technical profile where StorageReferenceId must reference the policy key name.
• Make sure encryption is enabled in the Azure AD B2C policy and the public key must exist in the SAML application's metadata endpoint with the KeyDescriptor use value set to Encryption.
• Also, note that scenarios where the initiating identity provider is an external identity provider federated with Azure AD B2C, such as Active Directory Federation Services or Salesforce, are not supported; the IdP-initiated flow is supported only for local account authentication in Azure AD B2C.
Please check the links below for more information and the sample code for IdP-initiated SAML single sign-on:
https://github.com/azure-ad-b2c/saml-sp/tree/master/policy/SAML-SP-Initiated
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider-options?pivots=b2c-custom-policy
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy

Can we use OneLogin/Okta/Auth0 as Proxy SP between Google IdP and application

We have an application for which we would like to enable users to log in to our application with their own Identity Providers like Google, ADFS etc. with SAML 2.0 as the protocol.
In this context our application will be the SP and the Identity Providers will be Google, ADFS.
But currently we don't have a SAML implementation in our application, so we would like to use some platform like OneLogin/Okta/Auth0 as a middle proxy between our application and the IdP so that SAML-related handling can be done at OneLogin/Okta/Auth0, and we need to get a callback to our application with user details after a successful login.
Is this possible with any SaaS-based SAML providers? And how do we do it?
Thanks in advance
Yes - connect to Auth0 / Okta via OpenID Connect and then connect the IDP to other IDP via SAML.
So in this context, Auth0 / Okta is a SAML SP.
Have a look here.

B2C as IdP for SalesForce

Completely new to B2C. Tried both of these walkthroughs, but I'm missing something still:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still? The problem I have with app registration is that SalesForce gives me a token endpoint URL with a query string:
https://mycompany.cs79.my.salesforce.com/services/oauth2/token?so=00D1h000000Cnli
And B2C won't allow query strings in the reply URL.
Is there any way around this? Salesforce also supports OpenID I think, if that would be better?
::::::::::::UPDATE 6/22::::::::::
SAML:
I found and realized I was missing a critical step on the SalesForce side: adding the authentication provider to my domain's login page. Clicking the new link redirects me to B2C, but I get an immediate error from B2C. Application Insights shows the following exception:
The SAML technical profile 'serviceProviderMetadata' specifies a PartnerEntity URL of 'REMOVED', but fetching the metadata fails with reason 'For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
OpenID:
Using this write-up as a guideline, I've registered the app in B2C and configured the SalesForce side.
Instead of using the Azure AD authorization endpoints, I pulled my B2C tenants endpoints from my meta data URL (login.microsoftonline.com/{tenant}/.well-known/openid-configuration).
This works for my B2C admin account; however, when I try a test user that isn't a B2C admin I get the following error from the B2C sign-in page:
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'REMOVED' from identity provider 'LINK REMOVED' does not exist in tenant 'MTB2CTest' and cannot access the application '5c8b9f4f-cf28-42fe-b629-b87251532970' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
::::::::::::UPDATE 6/23::::::::::
OpenID:
I’ve found that it works 100% only for my B2C admin account if I don’t use a policy, but doesn't work for other accounts. When I use a policy, only accounts that signed up through the policy can authenticate with B2C (which is great) – but the token doesn’t seem to be reaching SalesForce. I've created two PDFs showing the configuration details and the results from each method (policy and nopolicy) here.
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still?
Not exactly, you don't need to register an app on the B2C side. All the configuration you do in the policies is enough.
Did you try Salesforce SAML SSO article https://help.salesforce.com/articleView?id=sso_saml.htm&type=5
Check the above article and try to do the configuration on the Salesforce side and grab the details required by the SAML RP.
I hope by following both SAML RP and Configure SAML Settings for Single Sign-On articles you can configure B2C as IDP for Salesforce.
I stumbled on this question while trying to implement Azure AD B2C as an IdP for Salesforce. We used OpenID Connect to enable SSO between the two. This involved setting up an Application in Azure AD B2C, enabling the read scope on that application, and configuring the connection in Salesforce using that application, a custom policy returning a JWT token, and a dummy User Info endpoint.
Check out this answer for the exact steps on how we set up OpenID Connect: https://stackoverflow.com/a/61639332/13484109
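Two things in the SAML threads above come down to the same document: the service-provider metadata that B2C fetches from PartnerEntity. The B2C exception quoted in the Salesforce thread ("For security reasons DTD is prohibited in this XML document") is B2C's XML parser refusing a document that carries a DOCTYPE, and the IdP-initiated checklist (WantAssertionsSigned, a signing KeyDescriptor, an encryption KeyDescriptor) is read from that same metadata. The following is an added example, not code from either thread and not B2C's own implementation: it loads SP metadata with the same DTD prohibition, which also blocks XXE and entity-expansion attacks, and then reports the checklist items. The sample documents are constructed; sp.example.test and the certificate strings are placeholders.

```python
"""Added example (not from the threads): DTD-rejecting loader for SAML SP metadata
plus an audit of the settings the IdP-initiated checklist depends on."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


class DtdProhibited(ValueError):
    """Raised for any document carrying a DOCTYPE or an entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Pre-scan with expat and abort at the DOCTYPE, before any entity could be
    expanded; this blocks XXE (external entities) and entity-expansion bombs.
    An HTML page served where metadata was expected starts with <!DOCTYPE html>
    and is rejected by the same rule."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdProhibited(f"DTD is prohibited in this XML document (DOCTYPE {name})")

    def on_entity_decl(*_):
        raise DtdProhibited("entity declarations are prohibited")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)


def load_metadata(data: bytes) -> ET.Element:
    reject_dtd(data)
    return ET.fromstring(data)


def audit_sp_metadata(root: ET.Element) -> dict:
    """Report the SP-side settings an IdP needs for signed and encrypted assertions."""
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    # KeyDescriptor/@use is 'signing' or 'encryption' (lowercase in the schema);
    # a KeyDescriptor without @use may be used for both purposes.
    key_uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None:
            key_uses.add((kd.get("use") or "both").lower())
    return {
        "WantAssertionsSigned": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "AuthnRequestsSigned": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "signing_key_published": bool(key_uses & {"signing", "both"}),
        "encryption_key_published": bool(key_uses & {"encryption", "both"}),
        "acs_post_endpoints": [
            acs.get("Location")
            for acs in sp.findall("md:AssertionConsumerService", NS)
            if acs.get("Binding") == HTTP_POST
        ],
    }


# Constructed sample: an SP that wants signed assertions and publishes both keys.
GOOD_SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: what a web server returns when the metadata URL is wrong (an HTML error page).
HTML_ERROR_PAGE = b"<!DOCTYPE html><html><body><h1>404 Not Found</h1></body></html>"

# Constructed: a hostile "metadata" document that tries to read a local file via XXE.
XXE_METADATA = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="&xxe;"/>')
```

Fetching the PartnerEntity URL by hand and running it through load_metadata reproduces the B2C failure mode locally: a DOCTYPE anywhere in the response, whether from an HTML error page or a deliberately malicious document, is rejected before the parser sees the rest.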

Will be possible to call directly IDP in SAML?

Because of xyz reasons, we don't have a Service Provider (SP) to place the SAML login request. So, here my question is: will it be possible to log in via SAML through the IdP directly? If it is possible, could you please explain the steps? We are using web services, please keep this in mind.
The IdP can read SAML tokens but only when they are grouped using a profile. A common profile is the browser based WBSSO. So in order to talk to the IdP you need an SP. The SP just groups the SAML tokens into a profile the IdP can understand. Most SAML profiles are browser based but have a look at the ECP profile for non browser access https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP

How IDP connects to End point application in SSO?

This is the 1st time I am working in SSO with SAML, and we are going to use the HTTP POST method and the IDP is Salesforce. I got the steps below from the net.
1. User accesses a custom application for the first time
2. Service Provider Security Filter checks if the security context is available and redirects the user to IDP with a SAML SSO request
3. IDP challenges the user with the authentication dialog and redirects the user to Request Assertion Consumer Service (RACS) after the user has authenticated
4. RACS validates the response from IDP, establishes a security context and redirects the user to the original application endpoint
5. Service Provider Security Filter enforces that a valid security context is available and lets the user access the custom application.
Here my question is: the IDP needs to authenticate the application endpoint. Here SAML plays between the common web page and the IDP to initiate the SAML request/response. Then how does the IDP connect to the endpoint? Does it follow any other language to connect to and authenticate the endpoint? Or else how does it connect? Could someone please explain the concept?
During configuration of SAML at your Identity Provider, you define an AssertionConsumer endpoint, which is a URL at your application where you expect to receive the response from the IDP. After authentication, the IDP connects to this endpoint by sending a SAML Response message to it. The IDP typically authenticates to the endpoint by digitally signing the SAML message, which you then verify for validity and trust.
The ways of sending SAML messages between IDP and SP (= connecting IDP to the endpoint) are called bindings. Bindings define how exactly to use existing protocols (such as HTTP) to deliver SAML messages, i.e. it tells what parameters should be sent, which HTTP method should be used... Bindings are part of the SAML 2.0 standard and you can find details on how they function in the SAML 2.0 specification.
The IDP does not directly communicate with the original URL within your application (i.e. the "original application endpoint"). The process of sending user to the correct destination after successful verification of the SAML Response (received at the Assertion Consumer endpoint) can be fully determined by you. For example, in case Assertion Consumer endpoint and the "original application endpoint" are part of the same application and share the security context, you can simply send an HTTP redirect, without need for SAML in this "last mile".
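In the HTTP-POST binding the answer describes, the SAML Response does not travel over a back channel: the IdP returns an HTML form to the user's browser, and the browser POSTs it to the Assertion Consumer Service. Everything in that POST is therefore under the control of whoever holds the browser, which is why the ACS has to check more than the signature. The following is an added example, not code from the thread and not any product's implementation: it runs the checks an ACS makes on a POSTed SAMLResponse after an XML-DSig library has verified the signature (signature verification is assumed to have passed before this runs), and it handles the "last mile" redirect from RelayState without opening a redirect to another host. It also checks the AuthnContextClassRef, which is how an SP confirms what authentication the IdP actually performed, regardless of what it asked for. The response, the clock value and all URLs are constructed placeholders.

```python
"""Added example (not from the thread): ACS-side checks on a SAMLResponse delivered
by the HTTP-POST binding, run after signature verification has passed."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = dt.timedelta(minutes=3)  # tolerated IdP/SP clock drift


class SamlValidationError(Exception):
    pass


def check(condition, message):
    if not condition:
        raise SamlValidationError(message)


def parse_time(value):
    """SAML timestamps are UTC with a trailing 'Z'; some IdPs add fractional seconds."""
    head = value.rstrip("Z").split(".")[0]
    return dt.datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def validate_response(form, acs_url, sp_entity_id, idp_entity_id, pending_request_ids, now,
                      required_context=None):
    """form: the POSTed fields (SAMLResponse, RelayState). pending_request_ids: IDs of
    AuthnRequests this SP sent and has not yet consumed; an ID is removed on use, so a
    replayed response fails. Returns the authenticated subject on success."""
    resp = ET.fromstring(base64.b64decode(form["SAMLResponse"], validate=True))
    check(resp.tag == f"{{{SAMLP}}}Response", "not a samlp:Response")
    # Destination: the IdP addressed this message to our ACS, not to some other SP's.
    check(resp.get("Destination") == acs_url, "Destination is not this ACS")
    # InResponseTo: the response answers a request we really sent, exactly once.
    in_response_to = resp.get("InResponseTo")
    check(in_response_to in pending_request_ids, "unsolicited or replayed response")
    pending_request_ids.discard(in_response_to)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    check(status is not None and status.get("Value") == STATUS_SUCCESS, "IdP reported failure")
    assertion = resp.find("saml:Assertion", NS)
    check(assertion is not None, "no plaintext Assertion (decrypt EncryptedAssertion first)")
    issuer = assertion.find("saml:Issuer", NS)
    check(issuer is not None and issuer.text == idp_entity_id, "assertion not from the trusted IdP")
    # Conditions: validity window and audience (the assertion was minted for this SP).
    cond = assertion.find("saml:Conditions", NS)
    check(cond is not None, "assertion has no Conditions")
    check(parse_time(cond.get("NotBefore")) - CLOCK_SKEW <= now, "assertion not yet valid")
    check(now < parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW, "assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    check(sp_entity_id in audiences, "assertion audience is not this SP")
    # Bearer confirmation: ties the assertion to this ACS and to our request.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    check(scd is not None and scd.get("Recipient") == acs_url, "Recipient is not this ACS")
    check(scd.get("InResponseTo") == in_response_to, "SubjectConfirmationData InResponseTo mismatch")
    check(now < parse_time(scd.get("NotOnOrAfter")) + CLOCK_SKEW, "subject confirmation expired")
    # AuthnContext: what the IdP says it actually did, whatever the request asked for.
    ref = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    context = None if ref is None or ref.text is None else ref.text.strip()
    check(required_context is None or context == required_context,
          f"authentication context {context!r} does not satisfy {required_context!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    check(name_id is not None and bool(name_id.text), "no NameID")
    return {"name_id": name_id.text, "authn_context": context, "relay_state": form.get("RelayState")}


def last_mile_redirect(relay_state, default="/"):
    """RelayState came back through the browser, so treat it as attacker-controlled:
    honour only a local absolute path, never another host (open redirect)."""
    if (relay_state and relay_state.startswith("/") and not relay_state.startswith("//")
            and "\\" not in relay_state):
        return relay_state
    return default


# Constructed sample: a successful response; NOW is fixed so the example is reproducible.
NOW = dt.datetime(2024, 5, 1, 12, 1, 0, tzinfo=dt.timezone.utc)
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:30Z"
 Destination="https://sp.example.test/acs" InResponseTo="_req1">
 <saml:Issuer>https://idp.example.test</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:30Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    Recipient="https://sp.example.test/acs" InResponseTo="_req1" NotOnOrAfter="2024-05-01T12:05:00Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:29Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_FORM = {"SAMLResponse": base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode(),
               "RelayState": "/orders/42"}
```

On success the ACS establishes its own session and sends the browser to last_mile_redirect(relay_state); this final hop is an ordinary HTTP redirect inside the SP, which is the "last mile" the answer refers to, and the IdP plays no part in it. If the response carries an EncryptedAssertion instead of an Assertion, decrypt it with the SP's encryption key first and then apply the same checks to the result.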
