SimpleSamlPHP and Azure AD integration. Stuck in AADSTS50011 error - azure-active-directory

I can't seem to get past this error. I am able to log in to Microsoft, but after that, the error shows up. I have tried setting all of these reply URLs inside Azure, but still nothing:
https://sso.xxxx.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
https://sso.xxxx.com/simplesaml/module.php/saml/sp/metadata.php/default-sp/module.php/saml/sp/metadata.php/default-sp
https://sso.xxxx.com/simplesaml
https://sso.xxxx.com/
This is my simplesaml config file:
'baseurlpath' => 'https://sso.xxxx.com/simplesaml',
Here is my Authsource:
'default-sp' => [
    'saml:SP',
    'entityID' => 'xxxxxx-4521-4587-9b30-xxxxxxxxxxxx',
    'idp' => 'https://sts.windows.net/xxxxxx-f963-4bc4-98a8-xxxxxxxxxxxx/',
    'discoURL' => null,
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'simplesaml.nameidattribute' => 'eduPersonTargetedID',
],
Am I missing something in the config? I test it via the SimpleSAMLphp "Test authentication sources" page:
https://sso.xxxx.com/simplesaml/module.php/core/authenticate.php?as=default-sp
and also via the source code of another website:
https://www.xxxx.com/nxsso/login

This issue will occur when the redirect_uri doesn't match the redirect URI registered in the Azure portal.
You can use Fiddler to capture the auth request URL; you will find the redirect_uri in the request to the authorize endpoint. Then use that one in the Azure portal.
The auth request URL is something like
https://login.microsoftonline.com/{tenant}/oauth2/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A12345&response_mode=query&resource=https%3A%2F%2Fservice.contoso.com%2F&state=12345
You will find the real redirect_uri there.
Update: You should be able to find the request URL before entering your username.
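Added example, not part of the question or the answer above: a small Python helper that does the "capture the login URL and read the reply URL out of it" step offline, for both cases that show up in this thread. For an OAuth2/OIDC request the reply URL is the redirect_uri query parameter; for a SAML SP like SimpleSAMLphp it is the AssertionConsumerServiceURL inside the SAMLRequest parameter, which the HTTP-Redirect binding carries as base64 over raw DEFLATE. The sample AuthnRequest, tenant ID and request ID are constructed here; the ACS path is the default SimpleSAMLphp saml:SP path and is an assumption about the asker's install, and the check treats the IdP's comparison as an exact string match, which is the conservative assumption.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml
from urllib.parse import urlparse, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_request(value: str) -> str:
    """Decode a SAMLRequest parameter value.

    HTTP-POST binding carries base64(xml); HTTP-Redirect binding carries
    base64(raw DEFLATE(xml)), i.e. no zlib header, which is wbits=-15."""
    raw = base64.b64decode(value)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def acs_url_from_authn_request(xml_text: str) -> str:
    """Return the AssertionConsumerServiceURL the SP asked the IdP to post back to."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    acs = root.get("AssertionConsumerServiceURL")
    if not acs:
        raise ValueError("AuthnRequest carries no AssertionConsumerServiceURL")
    return acs


def requested_reply_url(login_url: str) -> str:
    """Pull the reply URL the IdP will validate out of a captured login URL."""
    params = parse_qs(urlparse(login_url).query)
    if "redirect_uri" in params:          # OAuth2 / OIDC authorize request
        return params["redirect_uri"][0]
    if "SAMLRequest" in params:           # SAML AuthnRequest, HTTP-Redirect or POST binding
        return acs_url_from_authn_request(decode_saml_request(params["SAMLRequest"][0]))
    raise ValueError("neither redirect_uri nor SAMLRequest found in the URL")


def is_registered(reply_url: str, registered) -> bool:
    """Exact match, no normalisation: scheme, host, port, path and trailing slash all count."""
    return reply_url in registered


def encode_redirect_binding(xml_text: str) -> str:
    """Encode XML the way an SP does for the HTTP-Redirect binding (used to build the sample)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


# Constructed sample: an AuthnRequest shaped like the one SimpleSAMLphp's saml:SP emits.
# The ACS path is the SimpleSAMLphp default (assumption); tenant and request IDs are placeholders.
SAMPLE_ACS = "https://sso.xxxx.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_c0ffee" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
  Destination="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
  AssertionConsumerServiceURL="{SAMPLE_ACS}"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>xxxxxx-4521-4587-9b30-xxxxxxxxxxxx</saml:Issuer>
</samlp:AuthnRequest>"""
SAMPLE_SAML_URL = (
    "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2?"
    + urlencode({"SAMLRequest": encode_redirect_binding(SAMPLE_AUTHN_REQUEST), "RelayState": "abc"})
)
# The OAuth2 URL quoted in the answer, with its stray spaces removed.
SAMPLE_OAUTH_URL = (
    "https://login.microsoftonline.com/{tenant}/oauth2/authorize?"
    "client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A12345&response_mode=query"
    "&resource=https%3A%2F%2Fservice.contoso.com%2F&state=12345"
)
# The reply URLs listed in the question. Note that none of them is the SP's ACS URL.
REGISTERED = [
    "https://sso.xxxx.com/simplesaml/module.php/saml/sp/metadata.php/default-sp",
    "https://sso.xxxx.com/simplesaml",
    "https://sso.xxxx.com/",
]

if __name__ == "__main__":
    for url in (SAMPLE_SAML_URL, SAMPLE_OAUTH_URL):
        wanted = requested_reply_url(url)
        print(f"{wanted}  registered={is_registered(wanted, REGISTERED)}")
```

Paste the URL Fiddler (or the browser's network tab) captured into requested_reply_url and compare the result character by character with what is registered; a metadata URL, a missing trailing slash or an http scheme behind a TLS-terminating proxy all fail the exact match.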

Related

Azure AD provisioning is never sending a request to the POST /Users/ endpoint when creating a user

I am trying to implement Azure AD SCIM provisioning. I have successfully set up the /Users/ GET endpoint, but when starting the provisioning process, it just never sends the POST request to create the user. I have tested all of the /Users/ endpoints (GET, POST, DELETE, PUT) via Postman and they work.
This is the response I'm sending in the first GET step:
[
    "id" => "urn:ietf:params:scim:api:messages:2.0:ListResponse",
    "totalResults" => 0,
    "itemsPerPage" => 10,
    "startIndex" => 1,
    "schemas" => ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "Resources" => []
]
I have yet to implement a response for the POST request, as I am not receiving it, so I don't know what data I am going to receive.
Also, I cannot edit the settings now; every time I click on save it just says this:
EDIT:
I have run the provisioning just now; Azure says that everything was set successfully, but the Create POST request never came!!!??? HOW??
The Apache access.log is just showing GET requests.
This was an issue in my router. The framework I was working with was changing the URL route from /scim/Users/ to /scim/users/, which was causing the bug.
I don't know how the provisioning setup went through, though. And even worse, why did it show me that the provisioning was successful :D
EDIT:
The start provisioning / stop provisioning is sometimes bugged, where it will tell you that the cycle went through but the requests never came.
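Added example, not code from the question or from the asker's framework: a minimal in-memory SCIM /Users endpoint in Python that handles the sequence a provisioning client sends (GET with a userName filter, then POST when the lookup returns nothing) and matches the resource path case-sensitively, so a request routed to /scim/users is answered with a 404 rather than being silently accepted. Everything here is constructed: the /scim prefix, the user names and the in-memory store; the schema URNs and the ListResponse shape are those of RFC 7643/7644.

```python
import re
import uuid
from urllib.parse import urlparse, parse_qs

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# The lookup a provisioning client does before creating a user; the only filter shape handled here.
FILTER_RE = re.compile(r'^\s*userName\s+eq\s+"([^"]*)"\s*$', re.IGNORECASE)
# RFC 7644 resource paths are /Users and /Groups. Deliberately NOT case-insensitive: a framework
# that lowercases routes turns /scim/Users into a path the client never calls, and you want to see
# that as a 404 in the access log, not as a route that quietly answers the wrong thing.
PATH_RE = re.compile(r"^/scim/Users(?:/([^/]+))?$")


def error(status, detail):
    return status, {"schemas": [ERROR], "status": str(status), "detail": detail}


class ScimUsers:
    """In-memory /Users resource: list-with-filter, get-by-id and create."""

    def __init__(self):
        self.users = {}  # id -> SCIM User resource

    def handle(self, method, raw_url, body=None):
        """Dispatch one request; returns (http_status, json_body)."""
        url = urlparse(raw_url)
        m = PATH_RE.match(url.path)
        if not m:
            return error(404, f"no SCIM resource at {url.path}")
        user_id = m.group(1)
        if method == "GET" and user_id is None:
            return self.list(parse_qs(url.query).get("filter", [None])[0])
        if method == "GET":
            return (200, self.users[user_id]) if user_id in self.users else error(404, "user not found")
        if method == "POST" and user_id is None:
            return self.create(body or {})
        return error(405, f"{method} not supported on {url.path}")

    def list(self, filter_expr):
        matches = list(self.users.values())
        if filter_expr is not None:
            m = FILTER_RE.match(filter_expr)
            if not m:
                return error(400, "unsupported filter")
            # userName is caseExact=false in the core schema, so compare case-insensitively.
            wanted = m.group(1).lower()
            matches = [u for u in matches if u["userName"].lower() == wanted]
        return 200, {
            "schemas": [LIST_RESPONSE],
            "totalResults": len(matches),
            "startIndex": 1,
            "itemsPerPage": len(matches),
            "Resources": matches,
        }

    def create(self, body):
        if USER not in body.get("schemas", []) or not body.get("userName"):
            return error(400, "schemas must include the core User schema and userName is required")
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return error(409, "userName already exists")
        uid = str(uuid.uuid4())
        resource = {**body, "id": uid, "meta": {"resourceType": "User"}}
        self.users[uid] = resource
        return 201, resource


if __name__ == "__main__":
    svc = ScimUsers()
    # Constructed request sequence, in the order a provisioning client issues it.
    print(svc.handle("GET", '/scim/Users?filter=userName%20eq%20%22alice%40contoso.com%22'))
    print(svc.handle("POST", "/scim/Users", {"schemas": [USER], "userName": "alice@contoso.com", "active": True}))
    print(svc.handle("GET", "/scim/users"))  # lowercased route: 404, visible in the access log
```

The 404 on the lowercased path is the behaviour you want while debugging: the failure appears on your side, in the access log, instead of being hidden behind whatever the framework's rewritten route returns.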

Get error "login.live.com page can't be found" when invoking Azure AD as external IDP in IdentityServer4

I am trying to follow this tutorial to add Azure AD as another external IDP for my IdentityServer4 service (I have already gotten Windows and Google working). I can get the "Azure AD" button displayed on my IdentityServer login page now, but when I click on it, I get the following error returned:
Here is how I configured Azure AD in ConfigureServices of my Startup class. I also tried replacing "aad" with "oidc", which is what I used and which worked for Google, but there was no difference here.
And here is how my Azure AD app configuration looks. The colors match up with the above, indicating the values I use in my code:
Can someone tell me what I may be doing wrong here?
Initially, please try deleting the browser history and using "login.microsoftonline.com/<tenantId>/v2.0/" as the authority string.
And options.CallbackPath = "/signin-oidc"; options.ResponseType = "code id_token";
NOTE: The identity platform used by Microsoft has a character limit for links. This type of error will appear if the authorization request or link is longer than that limit.
Protocols like OpenID Connect allow state as a parameter in the authorization request, and the identity provider returns that state in the response, as you can see in the error page you provided.
Because of this the request URL becomes large, as the state parameter is sometimes long (which might be the case here).
Try calling the AddOidcStateDataFormatterCache extension method on the IServiceCollection in the Startup class, which uses the distributed cache in the backend. Instead of:
services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddTestUsers(Config.GetUsers());

services.AddAuthentication()
    .AddOpenIdConnect("aad", "Azure AD", options =>
    {
        // ...
    });
you can write it as below:
services.AddOidcStateDataFormatterCache(); // Add this line

services.AddAuthentication()
    .AddOpenIdConnect("aad", "Azure AD", options =>
    {
        // ...
    });
You may check these similar references for more details:
Sign-in with External Identity Providers — IdentityServer4 1.0.0 documentation
(or)
see section 22.4, "Handling the callback and signing in the user", in the IdentityServer4 documentation.
At least check for DNS or firewall issues.
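Added example, not from the answer above and not IdentityServer4's own code (its formatter uses the ASP.NET Core data protection API and IDistributedCache): a Python sketch of the pattern AddOidcStateDataFormatterCache applies. The serialized authentication properties stay server-side under a random key, and only that key travels in the state parameter, so the authorize URL stays short. The key is 256 bits from a CSPRNG and is consumed on first use, which is what lets it keep doing the state parameter's CSRF job. The client ID, callback URL, tenant placeholder and the padded sample state are all constructed.

```python
import json
import secrets
import time
from urllib.parse import urlencode


class OidcStateCache:
    """Server-side store for authorize-request state; the URL carries only the lookup key."""

    def __init__(self, ttl_seconds=600, now=time.time):
        self._items = {}          # key -> (expires_at, serialized state)
        self._ttl = ttl_seconds
        self._now = now           # injectable clock, so expiry can be tested deterministically

    def protect(self, state: dict) -> str:
        # 32 random bytes -> 43 URL-safe chars: unguessable, so it still binds the response
        # to the session that started the request (the CSRF property of `state`).
        key = secrets.token_urlsafe(32)
        self._items[key] = (self._now() + self._ttl, json.dumps(state))
        return key

    def unprotect(self, key: str):
        """Single use: the entry is removed whether or not it is still valid."""
        item = self._items.pop(key, None)
        if item is None:
            return None
        expires_at, payload = item
        if self._now() > expires_at:
            return None
        return json.loads(payload)


# Constructed placeholders; <tenantId> is left as in the answer's authority string.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CALLBACK = "https://idsrv.example/signin-oidc"   # matches options.CallbackPath = "/signin-oidc"
# What an inline-serialised state might hold (return URL, scheme, correlation id), padded to the
# kind of size at which a long return URL pushes the whole request past an IdP's limit.
INLINE_STATE = {"returnUrl": "/connect/authorize/callback?" + "x" * 1500, "scheme": "aad", "cid": "abc"}


def authorize_url(state_value: str) -> str:
    """Build the v2.0 authorize request the middleware redirects the browser to."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code id_token",
        "response_mode": "form_post",
        "redirect_uri": CALLBACK,
        "scope": "openid profile",
        "state": state_value,
        "nonce": secrets.token_urlsafe(16),
    })


def url_lengths():
    """Length of the authorize URL with state inline versus with state cached server-side."""
    inline = authorize_url(json.dumps(INLINE_STATE))
    cache = OidcStateCache()
    cached = authorize_url(cache.protect(INLINE_STATE))
    return len(inline), len(cached)


if __name__ == "__main__":
    inline_len, cached_len = url_lengths()
    print(f"state inline: {inline_len} chars, state cached: {cached_len} chars")
```

In a multi-instance deployment the store behind protect/unprotect has to be shared (the distributed cache the answer mentions), otherwise the callback can land on an instance that never saw the key and the sign-in fails with a state error instead of a too-long URL.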

Azure AD B2C. ROPC flow error The application associated with client id has no registered redirect URIs

The application associated with client id 09ac92da-a796-4cd9-973b-c97756____ has no registered redirect URIs
Description
I followed the steps described in https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc?tabs=applications.
When attempting to obtain the token in Postman using ROPC, I'm getting
{
"error": "invalid_request",
"error_description": "AADB2C90007: The application associated with client id '09ac92da-a796-4cd9-973b-c97756____' has no registered redirect URIs.\r\nCorrelation ID: e85003c3-cfd5-43ad-a74b-efa5c1ea6525\r\nTimestamp: 2019-12-06 19:47:42Z\r\n"
}
I should not be asked for redirect URIs.
My POST is as follows:
URL: https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_ROPC_Auth
username: some_username_of_a_user
password: its-password
grant_type: password
scope: openid offline_access 09ac92da-a796-4cd9-973b-c97756____
client_id: 09ac92da-a796-4cd9-973b-c97756____
response-type: token id_token
I couldn't reproduce your issue by following this document. Here are the main steps for your reference.
1. Create a resource owner user flow
2. Register an application (it is an application under Azure AD B2C, not Azure AD)
3. Test the user flow
This error generally occurs because you still need to configure some application claims in the B2C directory user flow to allow complete access to the application.
You need to make sure that the right version of the authentication endpoint is in the reply URL (likely extension v2.0) and that the reply URL is configured both in the application and in the code.
Please look to the documentation for the reply URL schema that you would need to follow: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=applications#register-a-web-application
If you still run into this issue let me know and I can reach out to the correct product team contacts, as sometimes this can happen due to breaking changes on our end.

Cannot find HybridAuth redirect URL settings

Not a duplicate of Facebook login message: "URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings."
This issue is about CakePHP sending the wrong URL. It is fully understood why Facebook doesn't like the URL; what is not clear is how to fix it in CakePHP.
I'm trying to use this HybridAuth plugin for CakePHP. Everything seems to be working except that the redirect URL has http, which Facebook does not like. I need to make it https, and I cannot figure out how to manipulate this value.
https://www.facebook.com/v2.12/dialog/oauth?auth_type=rerequest...redirect_uri=http%3A%2F%2Fwww.example.com%2Fhybrid-auth%2Fendpoint%3Fhauth_done%3DFacebook&scope=email%2Cpublic_profile
Which gives me this error, which makes sense:
URL Blocked: This redirect failed because the redirect URI
is not whitelisted in the app’s Client OAuth Settings. Make
sure Client and Web OAuth Login are on and add all your app
domains as Valid OAuth Redirect URIs.
I've been trying to fix this for about two hours. I've tried setting
'hauth_return_to' => [
    'controller' => 'Lookings',
    'action' => 'find',
    'prefix' => false,
    'plugin' => false,
    '_ssl' => true
]
in the AppController authenticate settings for HybridAuth, which doesn't seem to do anything. I also tried a lot of random things from around the internet that just seemed to break more things. I'm a bit lost now.
New update
I have tracked this URL's origin as far as the loginBegin method in hybridauth/Hybrid/Providers/Facebook.php, where it is in $this->params['login_done'], though I'm uncertain now where this is being set.
Old update
Updating the AppController authenticate settings still doesn't seem to affect this particular URL no matter what I do. I believe this setting is related to the "URL Login done" redirect URL, and my issue is with the "URL Start login" URL, though I'm not entirely certain.
Add the 'base_url' property to the HybridAuth object in /config/hybridauth.php to manually set the base URL.
Additionally, it appears that base_url is created using $_SERVER['HTTPS'], which is apparently not set to true in my current environment. This can be found in the login method of the Hybrid_Provider_Adapter class.
Addressing either of those issues should fix the problem.

IdentityServer4 oidc-client error - authority mismatch on settings vs. signin state

I have an IdentityServer4 and C# .NET Core web application behind an NGINX reverse proxy:
https://id.local.domain -> http://id-local
https://web.local.domain -> http://web-local
I can get to and enter my credentials on the ID4 login page, but after being redirected back to my /account/callback page from ID4, the following JavaScript error appears:
Error: authority mismatch on settings vs. signin state
Is this a problem with my oidc call, the NGINX + ID4 setup, or something else? I have tried using:
services.AddIdentityServer(options =>
{
    options.PublicOrigin = "https://id.local.domain";
    …
Is that the correct URL to enter? Do I need to use options.IssuerUri instead of/as well?
The identity server will only accept clients if the config sent from the client matches its own config:
same redirect URLs
same ClientID
same client root (the client base URL has to be allowed in CORS)
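Added example covering both the HybridAuth thread (base_url derived from $_SERVER['HTTPS'] behind a proxy that terminated TLS) and the IdentityServer4 thread (PublicOrigin behind NGINX). It is not code from either project: a Python function that reconstructs the scheme and host the browser used, honouring X-Forwarded-Proto and X-Forwarded-Host only when the request came from one of our own proxies, and letting a fixed configured origin (the role of PublicOrigin or base_url) override everything. The proxy address ranges and the three sample request environments are constructed; in particular the "spoofed" one shows why the forwarded headers must not be trusted from arbitrary clients, since a redirect_uri built from them is exactly what an IdP will send the user's tokens to.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed: address blocks of the reverse proxies we run. Only they may assert the
# original scheme/host; anything else is a client and its X-Forwarded-* headers are noise.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]


def public_origin(environ, trusted=TRUSTED_PROXIES, fixed_origin=None):
    """Return (scheme, host) as the browser saw them, from a WSGI-style environ dict.

    fixed_origin, when set, wins outright: that is what IdentityServer4's PublicOrigin and
    HybridAuth's base_url do, and it is the safest option when the public name is known.
    Otherwise start from what the local socket says (HTTPS=on means TLS was terminated here)
    and let X-Forwarded-Proto / X-Forwarded-Host override it only for a trusted peer."""
    if fixed_origin:
        parts = urlsplit(fixed_origin)
        return parts.scheme, parts.netloc

    scheme = "https" if environ.get("HTTPS", "").lower() in ("on", "1") else "http"
    host = environ["HTTP_HOST"]
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if any(peer in net for net in trusted):
        # Take the first hop's value if the proxy appends to an existing list.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            scheme = proto
        fwd_host = environ.get("HTTP_X_FORWARDED_HOST", "").split(",")[0].strip()
        if fwd_host:
            host = fwd_host
    return scheme, host


def callback_url(environ, path, query="", **kwargs):
    """Absolute URL for a callback path, built from the origin the browser actually used."""
    scheme, host = public_origin(environ, **kwargs)
    return urlunsplit((scheme, host, path, query, ""))


# Constructed request environments.
BEHIND_PROXY = {   # NGINX terminated TLS for https://www.example.com and forwarded over plain http
    "REMOTE_ADDR": "10.0.0.5", "HTTP_HOST": "web-local", "HTTPS": "",
    "HTTP_X_FORWARDED_PROTO": "https", "HTTP_X_FORWARDED_HOST": "www.example.com",
}
SPOOFED = {        # a client reaching the app directly and supplying its own forwarded headers
    "REMOTE_ADDR": "203.0.113.9", "HTTP_HOST": "web-local", "HTTPS": "",
    "HTTP_X_FORWARDED_PROTO": "https", "HTTP_X_FORWARDED_HOST": "evil.example",
}
DIRECT_TLS = {     # TLS terminated by the app server itself, no proxy involved
    "REMOTE_ADDR": "203.0.113.9", "HTTP_HOST": "www.example.com", "HTTPS": "on",
}

if __name__ == "__main__":
    print(callback_url(BEHIND_PROXY, "/hybrid-auth/endpoint", "hauth_done=Facebook"))
    print(callback_url(SPOOFED, "/hybrid-auth/endpoint"))
    print(callback_url(SPOOFED, "/account/callback", fixed_origin="https://id.local.domain"))
```

Two things follow for the threads above. First, if the framework builds its URLs from the socket's view alone, you either pass the forwarded scheme through (and have the proxy set it, and the app trust only that proxy) or pin the origin in configuration; the fixed_origin path here is the pinned option. Second, the Host header is attacker-supplied even without a proxy, so a pinned origin or a host allowlist is preferable to echoing HTTP_HOST into a redirect URI at all.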
