Azure AD: getting Invalid X509 certificate chain when Unbind with itfoxtec - azure-active-directory

I am using Azure AD as ADFS and I get response from it in the ACS route, however I am getting:
AuthenticationException: Invalid X509 certificate chain. Certificate name:'CN=accounts.accesscontrol.windows.net' and thumbprint:'9CEA376******251D1F'. Chain Status:'A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.'..
When running: binding.Unbind(httpRequest, saml2AuthnResponse);
Note that same Saml2Configuration was done in the request and in the response.
Any idea what could be the problem?

For the chain to validate successfully, the certificate's root certificate has to be installed on the machine as a trusted root certificate. This is not possible in e.g. an Azure App Service.
The check can be disabled by configuring "CertificateValidationMode": "None" in appsettings.json.
Sample code: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/appsettings.json#L19
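The setting the answer refers to, shown as an added illustration that is not the question's or the library's own code: an appsettings.json "Saml2" section with the chain check left on, beside the relaxed variant for hosts where the root cannot be installed. Only "CertificateValidationMode" appears in the answer; the other keys ("IdPMetadata", "Issuer", "RevocationMode"), the metadata URL and the issuer value are assumptions modelled on the ITfoxtec sample configuration, and the value names are those of .NET's X509CertificateValidationMode enum. The .NET JSON configuration provider accepts comments in appsettings.json.

```json
{
  // Assumed section layout; only "CertificateValidationMode" is confirmed by the answer above.
  "Saml2": {
    "IdPMetadata": "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml",
    "Issuer": "my-service-provider-entity-id",

    // Default posture: the IdP signing certificate must chain to a root present in the
    // machine's trusted root store. This is what fails with "terminated in a root
    // certificate which is not trusted" when that root cannot be installed (e.g. App Service).
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"

    // Relaxed variant for such hosts: no chain is built at all.
    // "CertificateValidationMode": "None"
    // With "None" the response signature is still matched against the certificates read from
    // "IdPMetadata" (assumed behaviour of the library), so that metadata must be fetched over
    // HTTPS from the tenant's own endpoint and refreshed when the IdP rotates its key.
  }
}
```

"PeerTrust" is not a workaround here: it looks the certificate up in the TrustedPeople store, which has the same hosting limitation as the root store. If "None" is used, keep the IdP metadata URL and the tenant id under change control, since they become the only anchor for which signing certificates are accepted.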

Related

Active Directory SSL certificate

I already set up Wi-Fi AD authorization. When users connect, they see an error that the certificate is self-signed and not trusted. I bought a signed SSL certificate, but I don't know how to feed it to AD.
Thanks in advance.
I tried replacing the certificate, but they are not the same at all.

Issue in Logic app workflow connects to eventhub

I am getting the below error in my logic app workflow. I have scheduler -> MQ -> Azure EventHub connectors. I can see the message coming through to MQ, and then there is a failure in EventHub with the below error. I'd appreciate any suggestion as to why this error is coming up, and how to overcome it.
"BadRequest. Http request failed as there is an error: 'The SSL connection could not be established, see inner exception."
You might be receiving this due to authentication or certificate errors.
You can check the connection you are establishing while creating the Event Hub connector.
Authorize access to an event hub by using a system-assigned managed identity.
Try checking certificate expiration. To configure service principals with certificate credentials, Azure AD can be used to build a service principal with restricted access at the resource level. Azure Key Vault may be utilised with Azure-managed identities in both scenarios, such that the runtime environment, such as an Azure function, can get the credential from the key vault.
Also, you can try checking the inner exception that is occurring and take further action accordingly.
REFERENCES:
Azure security baseline for Event Hubs
Authenticate a managed identity with Azure Active Directory

Service Principals and CRL checking

Does a Service Principal (SP) check the CRL for the cert that is used to authenticate the SP?
I have a client that is concerned over the use of SP with Certificates for authentication and wants to understand what happens if the certificate used for authentication is revoked.
Service Principal checks the "Certificate Revocation List" (CRL). To revoke a client certificate, Azure Active Directory fetches the certificate revocation list (CRL) from the URLs uploaded as part of certificate authority information and caches it. The last publish timestamp in the CRL is used to ensure the CRL is still valid. The CRL is periodically referenced to revoke access to certificates that are a part of the list.
To configure the certificate in the service principal, you can create a certificate locally, go to the manifest of the service principal and update the KeyCredential part as shown below:
Below is the documentation link for configuring revocation:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started#step-3-configure-revocation
I hope it helps.

Setting up Azure AD Connect

I'm trying to install the preview of Azure AD Connect:
https://connect.microsoft.com/site1164/program8612
During the setup, you can configure the sign-in method for users: synchronization or a federation with ADFS. I want to use ADFS, and I want the setup to configure a new ADFS farm. The setup wants an SSL certificate, so I've made a self-signed certificate and exported it as a .PFX file. However, the setup won't accept the certificate; it states "The certificate is invalid or corrupted. Please try another certificate".
I selected another certificate which I've used for a website, and I get the same result. The certificate chain is OK, I've tried to install the certificate, but no matter what, the setup keeps rejecting the certificate. I can't find any further info in the eventlog or setup log file, and since the Azure AD connect software is quite new and still in preview, there's not much info on the web regarding the installation.
Any ideas on how to make this work?
It is mandatory for AD FS to use a third-party signed certificate. If you don't want to pay for a certificate, you can use one from WoSign, which is free and publicly trusted (as an intermediate certification authority from VeriSign or similar, I think).

Unrecognized X.509 certificate format error in SSO settings page

I tried to configure SSO using OpenAM in Salesforce. I have done the following steps:
Configured the circle of trust
Configured the identity provider
Configured Salesforce as the service provider
Downloaded the identity provider certificate in OpenAM
I received the following error in the Salesforce SSO settings page while saving the set-up page:
Unrecognized X.509 certificate format error in SSO settings page
Please help me to successfully configure SSO using OpenAM in Salesforce.
Thanks in advance...
If you export the certificate on the OpenAM side, you may check whether the boundaries 'BEGIN CERTIFICATE' ... 'END CERTIFICATE' are on separate lines.