Why would Azure AD SAML SSO be stuck (greyed out) on SHA-1?

I'm attempting to build SAML SSO in Azure AD for an external app. If I try to create a signing certificate, or import a .pfx that I know was created with SHA256, Azure does not allow the selection of SHA256. The option is greyed out and stuck on SHA-1. The Azure AD tenant is part of a large organization. Could this be a global option or something specific to the tenant itself that is limiting this option? Thank you!

I was trying the same but was able to select either of the two signing algorithm options.
I thought it was because the expiry date needs to be within three years of uploading, as stated in Manage federation certificates - Azure AD | Microsoft Docs, and checked by uploading a new certificate with expiry 2031, with both algorithms SHA-256 and SHA-1 each time, but was still able to get the algorithm options successfully.
Possible causes:
Older ASA versions may not support the SHA-256 certificate presented by Azure.
Please check if the certificate is uploaded with the required algorithm, and check by changing the expiration date.
Sometimes it may be due to changes taking time to take effect in the portal. Retry after giving it some time, closing everything first.
Incorrect configuration properties might also be the cause.
Otherwise you can raise a support request from Overview page > Troubleshooting + Support > New support request.
References:
Azure SAML Implementation | Bitwarden Help & Support
Change signature hash algorithm for Microsoft 365 relying party trust - Azure | Microsoft Docs
Configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML - Cisco
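Whatever the portal shows, the algorithm that matters to the service provider is the one declared in the SAML Response that Azure actually sends. The following is an added example, not code from the thread or from Microsoft: it pulls the SignatureMethod and DigestMethod URIs out of every ds:Signature in a Response (the Response and the Assertion can be signed separately) and flags any that still rest on SHA-1. The sample Response is constructed, with placeholder signature and digest values; the code reads the declared algorithms and does not verify the signature itself.

```python
"""Report which signature and digest algorithms a SAML Response declares.

Added example, not code from the original thread. It reads the algorithm URIs
in ds:SignedInfo; it does not verify the XML signature.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Algorithm URIs that still rest on SHA-1 and should be flagged or rejected.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}


def signature_algorithms(saml_xml):
    """One record per ds:Signature; the Response and each Assertion may carry their own."""
    root = ET.fromstring(saml_xml)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    records = []
    for sig in root.iter("{%s}Signature" % DS):
        signed_element = parent_of[sig].tag.split("}")[-1]  # "Response" or "Assertion"
        sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        digest_methods = [
            d.get("Algorithm")
            for d in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        ]
        records.append({
            "signed_element": signed_element,
            "signature_method": sig_method,
            "digest_methods": digest_methods,
            "weak": sig_method in WEAK_ALGORITHMS
                    or any(d in WEAK_ALGORITHMS for d in digest_methods),
        })
    return records


def uses_sha1(saml_xml):
    """True if any signature in the message relies on SHA-1."""
    return any(r["weak"] for r in signature_algorithms(saml_xml))


# Constructed sample: Response signed with RSA-SHA256, enclosed Assertion signed with
# RSA-SHA1. DigestValue/SignatureValue are placeholders, not real cryptographic output.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_assert1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for rec in signature_algorithms(SAMPLE_RESPONSE):
        print(rec)
```

Run it against a Response captured from the browser (SAML tracer or the POST body at the ACS URL) to see what Azure really signed with; a Response that passes this check but still fails at the SP points at the SP's own trust configuration rather than the hash algorithm.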

Related

AADSTS500202: User account from external identity provider 'live.com' is not supported for API version '2.0'

I followed this article to implement the OAuth flow with the following authority URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d8e21783-5956-4bef-80ae-fdd636006223&prompt=login&response_type=code&response_mode=query&redirect_uri=xxxxx&scope=offline_access+user.read+files.readwrite.all&state=xxxxx
The page provides two sign-in ways:
With email address.
Without entering the email address.
You can see this screenshot, green line is the first option and orange line is the second.
Both sign-in ways support 「Windows Hello Face」 and 「Security Key」 (passwordless).
However, the authorization will fail if I choose the second sign-in way.
AADSTS500202: User account from external identity provider 'live.com' is not supported for API version '2.0'.
Does this mean the Microsoft OAuth flow does not support the second sign-in way?
PS: The ancient authority URL (ref) supports the second sign-in way.
GET https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope}&response_type=token&redirect_uri={redirect_uri}
This approach is no longer recommended.
Use your personal Microsoft account to get access to Azure and all consumer-oriented Microsoft products and cloud services, such as Outlook (Hotmail), Messenger, OneDrive, MSN, Xbox LIVE, or Microsoft 365. Sign up your organization - Azure Active Directory - Microsoft Entra | Microsoft Docs
Note: Usually the approach using the Azure AD v2.0 endpoint is recommended. However, some enterprise scenarios may require using the original Azure AD endpoint.
Please check this Microsoft Docs page on error AADSTS50020 for a related cause to troubleshoot.
References:
Get OneDrive data in UWP using Microsoft (Live) Accounts and Azure AD - DEV Community
Authorization and sign-in for OneDrive in Microsoft Graph
You can raise a support request.
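The authorize URL in the question carries a state parameter but no PKCE, and an AADSTS error comes back to the redirect URI as query parameters. The following is an added example, not the poster's code or a Microsoft sample: it builds the same v2.0 authorization request with a per-session state and an S256 code_challenge, and on the callback rejects a state mismatch before reading either the code or the AADSTS error. The client_id, redirect URI and error callback used here are constructed placeholders, not captured Azure traffic.

```python
"""Build an Azure AD v2.0 authorize request with state and PKCE, and check the callback.

Added example, not code from the original question. client_id, redirect_uri and the
error callback below are constructed placeholders.
"""
import base64
import hashlib
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def pkce_challenge(verifier):
    """S256 code_challenge = BASE64URL(SHA256(verifier)) with padding stripped (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_session():
    """Per-login secrets: a state bound to the browser session and a PKCE verifier."""
    return {
        "state": secrets.token_urlsafe(32),
        "verifier": secrets.token_urlsafe(64),  # 43..128 unreserved chars, per RFC 7636
    }


def build_authorize_url(client_id, redirect_uri, scopes, session, tenant="common"):
    """Same parameters as the post's URL, plus the PKCE challenge."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": session["state"],
        "code_challenge": pkce_challenge(session["verifier"]),
        "code_challenge_method": "S256",
        "prompt": "login",
    }
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def handle_callback(callback_url, session):
    """Reject a callback whose state does not match; surface the AADSTS code on error."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != session["state"]:
        return {"ok": False, "reason": "state_mismatch", "aadsts": None}
    if "error" in qs:
        description = qs.get("error_description", [""])[0]
        m = re.search(r"AADSTS\d+", description)
        return {"ok": False, "reason": qs["error"][0], "aadsts": m.group(0) if m else None}
    # The verifier travels with the code to the token endpoint; never put it in the URL.
    return {"ok": True, "code": qs["code"][0], "verifier": session["verifier"]}


if __name__ == "__main__":
    session = new_session()
    print(build_authorize_url("00000000-0000-0000-0000-000000000000",
                              "https://localhost/callback",
                              ["offline_access", "user.read", "files.readwrite.all"],
                              session))
```

The state check runs before anything else because an attacker can hand a victim's browser a callback URL containing either a code or an error; only a callback whose state matches the session that started the login is acted on, and the AADSTS code is extracted from error_description rather than trusted as the whole message.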

Unexpected issuerAssignedId when trying to configure multi-tenant login using custom policies for Azure B2C

I have an existing IdentityServer4 installation that is used to federate users between things like Google & Microsoft into a single login identity. In my situation, there are no local user credentials/passwords. Just the identity with an associated external provider. I'm trying to migrate to using Azure B2C and am hitting some roadblocks.
I've found that if I use the same ClientId and ClientSecret that IdentityServer is configured with, then I get the same IDs for users when signing in via an external identity provider. Which is great because I need them to be the same in order to try and migrate accounts over by reading them from the existing MSSQL database, and importing into Azure B2C using MS Graph.
I need to allow both Microsoft work accounts, as well as personal ones. So I need to use custom policies to allow for a multi-tenant configuration, since the built in provider doesn't support this.
However, as soon as I flip my implementation over from the built-in user flows and provider to using custom policies, I don't get the expected issuerAssignedId anymore. Originally, the IDs looked something like AAAAAAAAAAAAAAAAAAAAAHGFdaj94jfdsgjifdh4ngd (made up, but you get the idea). Now with the custom policies, the issuerAssignedId being recorded in the B2C user looks like a GUID. So not just a different value, but a totally different format. Am I missing something here? What would happen if someone had a fully operational Azure B2C install with built-in functionality, and later identified a need to move to custom policies? How would users ever be able to get into their existing accounts with an external identity provider?
My TechnicalProfile for the multi-tenant sign-in is essentially copy/pasted from their documentation, so I'm not sure what the deal is here.

ADAL and MSAL confusion

My References
According to this,
Starting June 30th, 2020 we will no longer add any new features to Azure Active Directory Authentication Library (ADAL) and Azure AD Graph. We will continue to provide technical support and security updates but we will no longer provide feature updates. Applications will need to be upgraded to Microsoft Authentication Library (MSAL) and Microsoft Graph. Learn more
And this,
Starting June 30th, 2022, we will end support for ADAL and Azure AD Graph and will no longer provide technical support or security updates. Apps using Azure AD Graph after this time will no longer receive responses from the Azure AD Graph endpoint. Apps using ADAL on existing OS versions will continue to work after this time but will not get any technical support or security updates.
and this link,
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
using Microsoft.Identity.Client; // MSAL
ADAL should be replaced by MSAL. However, my project does not reference either of the above libraries.
These are the references I have in my project.
Microsoft.IdentityModel.JsonWebTokens
Microsoft.IdentityModel.Protocols.OpenIdConnect
Microsoft.IdentityModel.Tokens
Microsoft.Owin
Microsoft.Owin.Security
Microsoft.Owin.Security.Cookies
Microsoft.Owin.Security.OpenIdConnect
Owin
Questions
The more I read about this topic the more I get confused because one minute I'm under the impression that ADAL is only authorization and not authentication and the next minute I see it referred to as ADAL Authentication. I just want to know if I need to update my authentication code for it to continue working.
Since my project does not reference Microsoft.IdentityModel.Clients.ActiveDirectory and only uses Azure AD for authentication and not authorization, does this mean this change will not affect me?
ADAL and MSAL are only for authorization and not authentication correct? If this is the case, why do they reference MSAL and Microsoft Graph, what is the difference?
Since you did not use either of the libraries (Microsoft.IdentityModel.Clients.ActiveDirectory and Microsoft.Identity.Client) and you only use Azure AD for authentication, I don't think this change will affect your project.
For your question about why they reference MSAL and Microsoft Graph but not ADAL and Azure AD Graph: in fact, the two are similar and the changes are minor. You can refer to this document to learn the differences between them.
The final deadline to migrate your applications to Microsoft Authentication Library (MSAL) has been extended to June 30, 2023. Refer to the ADAL to MSAL migration document here.

IdP keep changing signing x509

I have an issue where an SSO link based on SAML is failing because the IdP's signing certificates are constantly changing.
I (as SP) have a configuration based on the IdP's federation metadata; it has two signing certificates (X509). Things are working as expected.
A few weeks later, the SSO link is broken because the IdP is returning a SAML Response with a different signing certificate. I checked its metadata: yep, different signing certificates.
How do I implement my end (as SP) so that my SAML request includes the X509 being used by the IdP?
Also, is it common practice for an IdP to constantly change signing certificates? I never had this issue before and I have a handful of year-old SSO integrations based on the same strategy: exchange of metadata. Is it possible to configure the IdP so that certificates are not changed?
The IdP is Azure AD.
I (as SP) am using the OneLogin PHP toolkit.
My app was configured as a non-gallery application.
The approach you took, configuring a non-gallery application, gives you full control over the SAML integration. With your full control also comes your full responsibility.
To your question:
is it common practice for IdP to constantly change signing certificates?
Yes, it is common and good practice. Well, not every two weeks, but at most a year.
Coming back to your changed signing certificate. The link you used in your original question (this one) has an explicit section about certificates. The section is called Review certificate expiration date, status, and email notification. This explains the certificates. If you continue to read through the same section you will end up seeing another reference: Manage certificates for federated single sign-on in Azure Active Directory, where you will find even more information about certificate management on the IdP side.

Azure AD SAML authentication signing certificate change

We use Azure AD for the SAML authentication process. Azure is set up as the trust provider using the federation metadata published by Microsoft here: https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml. We configure the X509Certificate value in our system to validate the trust and so authenticate the login. We observe that the signing certificate changes, which changes the certificate value and in turn leads to login issues on our system.
Any clue to fix this? Thanks in advance.
You're right. This is changed by Azure. It's called signing key rollover. It will affect your application indeed.
For security purposes, Azure AD's signing key rolls on a periodic basis and, in the case of an emergency, could be rolled over immediately. Any application that integrates with Azure AD should be prepared to handle a key rollover event no matter how frequently it may occur. If it doesn't, and your application attempts to use an expired key to verify the signature on a token, the sign-in request will fail.
How to resolve this:
I understand what you mean and why. But currently, Azure doesn't have a notification for this signing key rollover. I also came across this issue. Actually, the best resolution is to make my application handle key rollover automatically in code. Here are some examples.
Otherwise, you need to write scripts to monitor the changes if your application does not support automatic rollover. This GitHub repository contains scripts and instructions on how to do this.
I have reported this issue to the Azure PG Team.
Hope this helps!
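Both of the last two threads (the IdP whose signing X509 keeps changing, and the FederationMetadata.xml certificate that changed underneath a hard-coded trust) come down to the same task: re-read the IdP's published metadata and reconcile its signing certificates with the set the SP trusts before the old key stops being used. The following is an added example, not code from either poster or from Microsoft's rollover scripts. It parses SAML metadata, takes every KeyDescriptor that may be used for signing, computes the SHA-1 thumbprint the Azure portal displays for each certificate, and diffs that against the SP's configured thumbprints. Fetching the metadata is left to the caller so the example runs offline; the sample metadata and the base64 blobs in it are constructed and are not real certificates.

```python
"""Compare the signing certificates in IdP federation metadata with the ones an SP trusts.

Added example covering the two threads above; not code from either poster. The
sample metadata and the base64 blobs in it are constructed, not real certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}


def thumbprint(cert_b64):
    """SHA-1 hex of the DER bytes: the identifier the Azure portal shows, not a security property."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def signing_thumbprints(metadata_xml):
    """Certificates the IdP may sign with: use="signing", or no use attribute (means both)."""
    root = ET.fromstring(metadata_xml)
    thumbs = set()
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            thumbs.add(thumbprint(cert.text))
    return thumbs


def rollover_report(metadata_xml, trusted_thumbprints):
    """Diff the published signing certificates against the SP's configured set."""
    current = signing_thumbprints(metadata_xml)
    trusted = set(trusted_thumbprints)
    return {
        "added": sorted(current - trusted),      # start trusting these now
        "retired": sorted(trusted - current),    # safe to drop once no longer published
        "unchanged": sorted(current & trusted),
        "action_required": bool(current - trusted),
    }


def _fake_cert(label):
    # Constructed stand-in for a DER certificate; real metadata carries PEM body base64.
    return base64.b64encode(("constructed-cert-" + label).encode()).decode()


CERT_A, CERT_B, CERT_OLD = _fake_cert("A"), _fake_cert("B"), _fake_cert("OLD")

# Constructed metadata shaped like Azure AD's: an IDPSSODescriptor with two signing keys,
# the situation after a rollover has published the new certificate alongside the current one.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    # The SP still trusts a retired key plus A; B was published by the rollover.
    print(rollover_report(SAMPLE_METADATA, {thumbprint(CERT_A), thumbprint(CERT_OLD)}))
```

Run this on a schedule against the tenant-specific metadata URL (the /common/ document in the question is not tenant-specific), and treat "added" as the trigger to load the new certificate into the SP's trust list while keeping the current one: Azure publishes the incoming key before it starts signing with it, so an SP that trusts every certificate currently in the metadata never breaks at the switch. Libraries that accept several IdP certificates at once (php-saml exposes this as x509certMulti in its settings) make that a configuration reload rather than a code change.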
