ARM Template Web App Authentication Settings not working - azure-active-directory

I am working on setting up my site authentication settings to use the AAD provider. Most of the template is respected. However, the unauthenticatedClientAction and allowedAudiences are not being properly assigned. I observe 'allow anonymous' and no 'allowed audiences' being assigned.
Please note that I was working with the ARM Template API 2018-02-01. This problem may still exist due to the documentation; if you provide an answer, please note the ARM Template version it addresses.
Additionally, create an issue for the ARM documentation team to correct any issues.
Here is my template segment for these settings. It is nested under resources in my website template.
root > Microsoft.Web/Site > Resources
{
"type": "config",
"name": "web",
"apiVersion": "2016-08-01",
"location": "[parameters('app-location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('web-site-name'))]"
],
"properties": {
"siteAuthEnabled": true,
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('web-aad-client-id')]",
"issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
"allowedAudiences": [
"[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
]
}
}
}
Template Validates
Deployment does not output any errors
Issues:
unauthenticatedClientAction is assigned allow anonymous not RedirectToLoginPage
allowedAudiences is not assigned any sites
What could be causing these issues? What could I have missed?

I got my answer after working with the fine people at Azure Support.
Please note that this solution targets API 2018-02-01 which was the current version at the time of this post.
This sub-resource is no longer a valid solution; while the endpoint may still recognize some of its fields, it is deprecated.
The new solution is to add the siteAuthSettings object to the main 'Microsoft.Web/site' properties, and siteAuthEnabled is no longer needed as siteAuthSettings.enabled duplicates this functionality.
Updated ARM Template (removed other settings for brevity)
{
"name": "[variables('app-service-name')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('app-location')]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[variables('app-plan-name')]"
],
"properties": {
//... other app service settings
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('web-aad-client-id')]",
"issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
"allowedAudiences": [
"[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
]
}
}
}

As suggested by #Michael, the siteAuthSettings object must be added to the siteConfig object, not just under the root properties object.
{
"apiVersion": "2019-08-01",
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"kind": "app",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServiceName'))]"
],
"properties": {
...
"siteConfig": {
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('clientId')]",
"issuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/')]"
}
}
}
}

The other solutions given only apply when using the classic authentication experience (Authentication (Classic)). If you would like to use the new authentication experience, use the configuration below:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2019-08-01",
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"kind": "app",
"location": "[resourceGroup().location]",
"resources": [
{
"type": "config",
"apiVersion": "2020-12-01",
"name": "authsettingsV2",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('webAppName'))]"
],
"properties": {
"platform": {
"enabled": true,
"runtimeVersion": "~1"
},
"identityProviders": {
"azureActiveDirectory": {
"isAutoProvisioned": false,
"registration": {
"clientId": "[parameters('clientId')]",
"clientSecret": "[variables('clientSecret')]",
"openIdIssuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/v2.0')]"
},
"validation": {
"allowedAudiences": [
"https://management.core.windows.net/"
]
}
}
},
"login": {
"routes": {},
"tokenStore": {
"enabled": true,
"tokenRefreshExtensionHours": 72,
"fileSystem": {},
"azureBlobStorage": {}
},
"preserveUrlFragmentsForLogins": false,
"allowedExternalRedirectUrls": [],
"cookieExpiration": {
"convention": "FixedTime",
"timeToExpiration": "08:00:00"
},
"nonce": {
"validateNonce": true,
"nonceExpirationInterval": "00:05:00"
}
},
"globalValidation": {
"redirectToProvider": "azureactivedirectory",
"unauthenticatedClientAction": "RedirectToLoginPage"
},
"httpSettings": {
"requireHttps": true,
"routes": {
"apiPrefix": "/.auth"
},
"forwardProxy": {
"convention": "NoProxy"
}
}
}
}
]
}
]
}
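The three answers above disagree about where siteAuthSettings has to live before App Service honours it: directly under properties (ignored, which is what the question observed), in the deprecated config/web sub-resource, under properties.siteConfig (classic experience), or in a config/authsettingsV2 sub-resource (new experience). The following is an added example, not code from the thread or from Microsoft: a small Python audit that walks an ARM template, reports auth settings placed where they will be ignored or are deprecated, and checks the two values the question saw reverting to defaults (unauthenticatedClientAction and allowedAudiences) plus requireHttps for authsettingsV2. The site name, audience strings and template shapes are constructed for the example; the placement rules are taken from the answers.

```python
# Added example: audit where Easy Auth settings sit in an ARM template and what they allow.
# Placement rules follow the answers in this thread:
#   properties.siteAuthSettings             -> ignored by App Service
#   sub-resource type "config", name "web"  -> deprecated carrier of siteAuthSettings
#   properties.siteConfig.siteAuthSettings  -> classic experience, honoured
#   sub-resource "config" / "authsettingsV2"-> new experience, honoured

def _site_resources(template):
    """Yield every Microsoft.Web/sites resource, top-level or nested."""
    stack = list(template.get("resources", []))
    while stack:
        res = stack.pop()
        if res.get("type") == "Microsoft.Web/sites":
            yield res
        stack.extend(res.get("resources", []))


def audit_site_auth(template):
    """Return a list of finding strings for every web site in the template ([] = clean)."""
    findings = []
    for site in _site_resources(template):
        name = site.get("name", "<unnamed>")
        props = site.get("properties", {})
        children = site.get("resources", [])
        classic = props.get("siteConfig", {}).get("siteAuthSettings")
        misplaced = props.get("siteAuthSettings")
        v2 = next((r for r in children
                   if r.get("type") == "config" and r.get("name") == "authsettingsV2"), None)
        legacy = next((r for r in children
                       if r.get("type") == "config" and r.get("name") == "web"
                       and "siteAuthSettings" in r.get("properties", {})), None)

        if misplaced is not None and classic is None:
            findings.append(f"{name}: siteAuthSettings sits directly under properties and is ignored; move it under siteConfig")
        if legacy is not None:
            findings.append(f"{name}: config/web sub-resource carries siteAuthSettings (deprecated)")
        if classic is None and v2 is None:
            findings.append(f"{name}: no effective authentication settings found")

        if classic is not None:  # classic experience: the two fields the question lost
            if classic.get("unauthenticatedClientAction") != "RedirectToLoginPage":
                findings.append(f"{name}: classic auth allows anonymous requests")
            if not classic.get("allowedAudiences"):
                findings.append(f"{name}: classic auth has no allowedAudiences")

        if v2 is not None:  # new experience: same checks in their authsettingsV2 locations
            p = v2.get("properties", {})
            if p.get("globalValidation", {}).get("unauthenticatedClientAction") != "RedirectToLoginPage":
                findings.append(f"{name}: authsettingsV2 allows anonymous requests")
            if p.get("httpSettings", {}).get("requireHttps") is not True:
                findings.append(f"{name}: authsettingsV2 does not require HTTPS")
            aad = p.get("identityProviders", {}).get("azureActiveDirectory", {})
            if not aad.get("validation", {}).get("allowedAudiences"):
                findings.append(f"{name}: authsettingsV2 has no allowedAudiences")
    return findings


# Constructed templates (literal values instead of ARM expressions, names are made up).
_CLASSIC_AUTH = {"enabled": True, "unauthenticatedClientAction": "RedirectToLoginPage",
                 "defaultProvider": "AzureActiveDirectory",
                 "allowedAudiences": ["https://example-web.azurewebsites.net"]}

MISPLACED_TEMPLATE = {"resources": [{
    "type": "Microsoft.Web/sites", "name": "example-web",
    "properties": {"siteAuthSettings": _CLASSIC_AUTH}}]}

FIXED_TEMPLATE = {"resources": [{
    "type": "Microsoft.Web/sites", "name": "example-web",
    "properties": {"siteConfig": {"siteAuthSettings": _CLASSIC_AUTH}}}]}


def make_v2_template(require_https=True, action="RedirectToLoginPage"):
    """Constructed site with an authsettingsV2 sub-resource; parameters let you weaken it."""
    return {"resources": [{
        "type": "Microsoft.Web/sites", "name": "example-web", "properties": {},
        "resources": [{"type": "config", "name": "authsettingsV2", "properties": {
            "globalValidation": {"unauthenticatedClientAction": action},
            "httpSettings": {"requireHttps": require_https},
            "identityProviders": {"azureActiveDirectory": {"validation": {
                "allowedAudiences": ["api://example-web-client-id"]}}}}}]}]}


if __name__ == "__main__":
    for label, tpl in [("misplaced", MISPLACED_TEMPLATE), ("fixed", FIXED_TEMPLATE),
                       ("v2", make_v2_template()), ("v2-no-https", make_v2_template(require_https=False))]:
        print(label, audit_site_auth(tpl) or "ok")
```

Run it against a real template by loading the JSON with `json.load` and passing the dict to `audit_site_auth`; because ARM expressions such as `[parameters('clientId')]` are plain strings to this script, the audit only checks placement and the literal setting values, not what the expressions evaluate to at deployment time.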

Related

Why does authentication not go through in MS Teams Bot app?

Cannot authenticate user in MS Teams Bot.
Same works in "Test in webchat" properly:
Domain added to Teams manifest properly:
{
"$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.15/MicrosoftTeams.schema.json",
"version": "1.0.0",
"manifestVersion": "1.15",
"id": "a0d93a07-2f63-4569-a651-cf3761859b28",
"packageName": "com.package.name",
"name": {
"short": "NewTest",
"full": ""
},
"developer": {
"name": "KUKA",
"mpnId": "",
"websiteUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_about.html",
"privacyUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_priv.html",
"termsOfUseUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_terms.html"
},
"description": {
"short": "CS Logistics TEST app",
"full": "test app for CS Logistics"
},
"icons": {
"outline": "outline.png",
"color": "color.png"
},
"accentColor": "#FFFFFF",
"staticTabs": [
{
"entityId": "conversations",
"scopes": [
"personal"
]
},
{
"entityId": "about",
"scopes": [
"personal"
]
}
],
"bots": [
{
"botId": "99e82921-96c9-4ec1-83ab-bd05382abc96",
"scopes": [
"personal"
],
"isNotificationOnly": false,
"supportsCalling": false,
"supportsVideo": false,
"supportsFiles": true
}
],
"validDomains": [
"token.botframework.com"
],
"webApplicationInfo": {
"id": "1e04e5cd-88e1-4522-984d-2bba5e2d37eb",
"resource": "https://graph.microsoft.com/"
}
}
Also recreated AppService, AzureBot in Azure, and setup new Teams app with new manifest version via Developer Portal.
Installed the Teams app directly just for myself, as a personal app.
App registration redirect URIs:
Also the app registration works fine for other chatbots in our domain. Why not for this one?
Actually the only thing that needed to be changed was to add this line of code to the error handler adapter in the bot code:
base.Use(new TeamsSSOTokenExchangeMiddleware(storage, configuration["ConnectionName"]));
Add code to handle an access token.
And also to add method OnTeamsSigninVerifyStateAsync to Bot like in sso-quickstart sample.

ECS task change

I am trying to check the last status of an ECS task; if it is STOPPED then it has to trigger a Lambda using a CloudWatch event. I am getting the error message below while validating the JSON event.
Error message:
Event pattern contains invalid element (can only be Strings enclosed in quotes, numbers, and the unquoted keywords true, false, and null)
**Code**:
{
"source": [
"aws.ecs"
],
"detail-type": [
"ECS Task State Change"
],
"detail": {
"clusterArn": [
"arn:aws:ecs:us-west-2:17025:cluster/ecs-w2"
],
"lastStatus": [
"STOPPED"
],
"overrides": {
"containerOverrides":
{
"environment":
{
"name": ["job_grp_nm"],
"value": ["QA_INTEGRATION"]
},
{
"name": ["secrets_targetdb"],
"value": ["7034908/Snowflake/facilitiesNDI/QA"]
},
"name": ["suite-dev"]
}
}
}
}
Please let me know what's wrong with the code.
There are two things wrong:
The values should be expressed as an array of strings, e.g. ["value"]
Your environment can be an array of objects.
So it should be:
{
"source": [
"aws.ecs"
],
"detail-type": [
"ECS Task State Change"
],
"detail": {
"clusterArn": [
"arn:aws:ecs:us-west-2:17025:cluster/ecs-w2"
],
"lastStatus": [
"STOPPED"
],
"overrides": {
"containerOverrides":
{
"environment":
{
"name": ["job_grp_nm"],
"value": ["QA_INTEGRATION"]
},
"name": ["suite-dev"]
}
}
}
}
The above should be accepted, but I can't verify if this will correctly match your event.
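The answer fixes the pattern's shape but, as it says, cannot confirm that the pattern will match the real task event. The following is an added example, not code from the thread or from AWS: a Python script that performs the same structural validation the console does (valid JSON, every leaf an array of scalars) and then runs a simplified EventBridge matcher over a constructed ECS Task State Change event, where containerOverrides and environment are arrays of objects. The matcher assumes array consistency (every key of a pattern object applied to an array must be satisfied by the same element), so it also shows that an event whose `job_grp_nm` entry carries a different value does not match under that assumption. Content filters such as `{"prefix": ...}` are not modelled; the event is constructed and not a captured one.

```python
# Added example: validate an EventBridge/CloudWatch event pattern and test it against a sample event.
import copy
import json


def check_pattern(text):
    """Problems with an event-pattern document; [] means it is well formed.
    Rule 1: it must parse as JSON. Rule 2 (simplified EventBridge rule; content-filter
    objects such as {"prefix": ...} are not modelled): every leaf must be an array of scalars."""
    try:
        pattern = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    problems = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for item in node:
                if isinstance(item, (dict, list)):
                    problems.append(f"{path}: array items must be scalars")
        else:
            problems.append(f"{path}: leaf must be an array, got {type(node).__name__}")

    walk(pattern, "$")
    return problems


def matches(pattern, event):
    """Simplified EventBridge matching.
    A pattern leaf (array of values) matches a scalar equal to one of them, or an event array
    containing such a scalar. A pattern object applied to an event array matches when one single
    element satisfies every key (array consistency, an assumption of this example)."""
    if isinstance(pattern, list):
        candidates = event if isinstance(event, list) else [event]
        return any(c == p and type(c) is type(p) for c in candidates for p in pattern)
    if isinstance(pattern, dict):
        if isinstance(event, list):
            return any(matches(pattern, item) for item in event)
        if not isinstance(event, dict):
            return False
        return all(key in event and matches(sub, event[key]) for key, sub in pattern.items())
    return False


# Constructed copies of the two patterns from the thread, in compact form.
BROKEN_PATTERN = """{
  "source": ["aws.ecs"], "detail-type": ["ECS Task State Change"],
  "detail": {"clusterArn": ["arn:aws:ecs:us-west-2:17025:cluster/ecs-w2"], "lastStatus": ["STOPPED"],
    "overrides": {"containerOverrides": {"environment":
      {"name": ["job_grp_nm"], "value": ["QA_INTEGRATION"]},
      {"name": ["secrets_targetdb"], "value": ["7034908/Snowflake/facilitiesNDI/QA"]},
      "name": ["suite-dev"]}}}}"""

FIXED_PATTERN = """{
  "source": ["aws.ecs"], "detail-type": ["ECS Task State Change"],
  "detail": {"clusterArn": ["arn:aws:ecs:us-west-2:17025:cluster/ecs-w2"], "lastStatus": ["STOPPED"],
    "overrides": {"containerOverrides": {"environment":
      {"name": ["job_grp_nm"], "value": ["QA_INTEGRATION"]},
      "name": ["suite-dev"]}}}}"""

# Constructed event shaped like an ECS Task State Change; only the fields the pattern reads.
SAMPLE_EVENT = {
    "source": "aws.ecs", "detail-type": "ECS Task State Change",
    "detail": {"clusterArn": "arn:aws:ecs:us-west-2:17025:cluster/ecs-w2", "lastStatus": "STOPPED",
               "overrides": {"containerOverrides": [
                   {"name": "suite-dev", "environment": [
                       {"name": "job_grp_nm", "value": "QA_INTEGRATION"},
                       {"name": "secrets_targetdb", "value": "7034908/Snowflake/facilitiesNDI/QA"}]}]}}}


def with_detail(event, **fields):
    """Copy of an event with some detail fields replaced (used to build variants)."""
    out = copy.deepcopy(event)
    out["detail"].update(fields)
    return out


# Same task, but job_grp_nm no longer carries QA_INTEGRATION; another variable does.
SPLIT_ENV_EVENT = copy.deepcopy(SAMPLE_EVENT)
SPLIT_ENV_EVENT["detail"]["overrides"]["containerOverrides"][0]["environment"] = [
    {"name": "job_grp_nm", "value": "PROD"},
    {"name": "other", "value": "QA_INTEGRATION"}]


if __name__ == "__main__":
    print("broken:", check_pattern(BROKEN_PATTERN))
    print("fixed:", check_pattern(FIXED_PATTERN) or "well formed")
    rule = json.loads(FIXED_PATTERN)
    print("stopped task:", matches(rule, SAMPLE_EVENT))
    print("running task:", matches(rule, with_detail(SAMPLE_EVENT, lastStatus="RUNNING")))
    print("split env:", matches(rule, SPLIT_ENV_EVENT))
```

The first check reproduces the console's complaint: the question's document is not JSON at all, because a bare object follows the environment object inside containerOverrides. The local match is a sanity test only; the authoritative answer still comes from EventBridge's own test-event-pattern call against a captured task event.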

AWS IoT JITP provisioning template with Fn::Join

I am trying to add registrationConfig for my CA certificate in AWS IoT. I would like to do some manipulation of data for Thing attributes. But I can't seem to get JITP to work if the template body has Fn::Join in it.
The following is an extract of the template body (string unescaped for reading purposes).
NOT working:
"Resources": {
"thing": {
"Type": "AWS::IoT::Thing",
"Properties": {
"ThingName": {
"Ref": "AWS::IoT::Certificate::CommonName"
},
"ThingTypeName" : "w2-device",
"ThingGroups" : ["w2-devices"],
"AttributePayload": {
"location": {
"Fn::Join":["",["ThingPrefix_",{"Ref":"SerialNumber"}]]
},
"organization": {
"Ref": "AWS::IoT::Certificate::Organization"
},
"version": "w2",
"country": {
"Ref": "AWS::IoT::Certificate::Country"
}
}
}
},
In the above when I have Fn::Join in AttributePayload/location it fails to create the Thing during JITP. I don't see any errors in CloudWatch either.
Working:
"Resources": {
"thing": {
"Type": "AWS::IoT::Thing",
"Properties": {
"ThingName": {
"Ref": "AWS::IoT::Certificate::CommonName"
},
"ThingTypeName" : "w2-device",
"ThingGroups" : ["w2-devices"],
"AttributePayload": {
"location": {
"Ref": "AWS::IoT::Certificate::StateName"
},
"organization": {
"Ref": "AWS::IoT::Certificate::Organization"
},
"version": "w2",
"country": {
"Ref": "AWS::IoT::Certificate::Country"
}
}
}
},
Note: I have also asked this in aws forum but without any answer there yet.
Provisioning templates for JITP define a set of parameters beginning with AWS::IoT::Certificate.
The AWS::IoT::Certificate::SerialNumber parameter should be used instead of just SerialNumber in the attribute payload. e.g.
"AttributePayload": {
"location": {
"Fn::Join":["",["ThingPrefix_",{"Ref":"AWS::IoT::Certificate::SerialNumber"}]]
},
https://docs.aws.amazon.com/iot/latest/developerguide/jit-provisioning.html lists the defined parameters for JITP as:
AWS::IoT::Certificate::Country
AWS::IoT::Certificate::Organization
AWS::IoT::Certificate::OrganizationalUnit
AWS::IoT::Certificate::DistinguishedNameQualifier
AWS::IoT::Certificate::StateName
AWS::IoT::Certificate::CommonName
AWS::IoT::Certificate::SerialNumber
AWS::IoT::Certificate::Id
The SerialNumber examples in the AWS documentation (without the AWS::IoT::Certificate prefix) are used for the Bulk Registration process.
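Because JITP reports nothing to CloudWatch when a template references an undefined parameter, the mistake above is easiest to catch before the CA's registrationConfig is updated. The following is an added example, not code from the thread or from AWS: a Python lint that lists every `Ref` in a provisioning template that is not one of the eight `AWS::IoT::Certificate::*` parameters the answer enumerates, and a local resolver that substitutes `Ref` and `Fn::Join` against a dictionary of certificate subject fields so you can see the attribute values a device certificate would produce. The resolver imitates the substitution; it is not AWS's provisioning engine. The certificate field values are constructed.

```python
# Added example: lint and locally resolve an AWS IoT JITP provisioning template.

# Parameters a JITP template may reference, as listed in the AWS developer guide.
JITP_PARAMETERS = {
    "AWS::IoT::Certificate::Country",
    "AWS::IoT::Certificate::Organization",
    "AWS::IoT::Certificate::OrganizationalUnit",
    "AWS::IoT::Certificate::DistinguishedNameQualifier",
    "AWS::IoT::Certificate::StateName",
    "AWS::IoT::Certificate::CommonName",
    "AWS::IoT::Certificate::SerialNumber",
    "AWS::IoT::Certificate::Id",
}


def find_refs(node):
    """Yield every name used as {"Ref": name} anywhere in a template node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            yield node["Ref"]
        else:
            for value in node.values():
                yield from find_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_refs(item)


def undefined_refs(template):
    """Sorted, unique names the template references that JITP does not define."""
    return sorted({name for name in find_refs(template) if name not in JITP_PARAMETERS})


def resolve(node, cert_fields):
    """Substitute Ref and Fn::Join using a dict of certificate subject fields.
    Raises KeyError for a Ref that has no value, which is the silent failure seen in JITP."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            name = node["Ref"]
            if name not in cert_fields:
                raise KeyError(f"template references undefined parameter {name!r}")
            return cert_fields[name]
        if set(node) == {"Fn::Join"}:
            delimiter, parts = node["Fn::Join"]
            return delimiter.join(str(resolve(part, cert_fields)) for part in parts)
        return {key: resolve(value, cert_fields) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve(item, cert_fields) for item in node]
    return node


# The two AttributePayload blocks from the thread: the failing one and the corrected one.
BROKEN_PAYLOAD = {
    "location": {"Fn::Join": ["", ["ThingPrefix_", {"Ref": "SerialNumber"}]]},
    "organization": {"Ref": "AWS::IoT::Certificate::Organization"},
    "version": "w2",
    "country": {"Ref": "AWS::IoT::Certificate::Country"},
}
FIXED_PAYLOAD = {
    "location": {"Fn::Join": ["", ["ThingPrefix_", {"Ref": "AWS::IoT::Certificate::SerialNumber"}]]},
    "organization": {"Ref": "AWS::IoT::Certificate::Organization"},
    "version": "w2",
    "country": {"Ref": "AWS::IoT::Certificate::Country"},
}

# Constructed subject fields of one device certificate (not real values).
CERT_FIELDS = {
    "AWS::IoT::Certificate::CommonName": "device-0001",
    "AWS::IoT::Certificate::Organization": "ExampleOrg",
    "AWS::IoT::Certificate::Country": "DE",
    "AWS::IoT::Certificate::StateName": "Bavaria",
    "AWS::IoT::Certificate::SerialNumber": "0123ABCD",
}


if __name__ == "__main__":
    print("broken refs:", undefined_refs(BROKEN_PAYLOAD))   # ['SerialNumber']
    print("fixed refs:", undefined_refs(FIXED_PAYLOAD))     # []
    print("resolved:", resolve(FIXED_PAYLOAD, CERT_FIELDS))
```

To lint a full template, `json.loads` the templateBody string from the CA's registrationConfig and pass the whole document to `undefined_refs`; the walk covers nested Resources, Properties and any Fn::Join parts.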

"Allow access to Azure services" turn off by default from ARM template

Does anybody know how to set up an ARM template so that the "Allow access to Azure services" switch is turned OFF by default?
Here is what I currently have
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[parameters('location')]",
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "[parameters('serverVersion')]"
},
"tags": {
"deploymentVersion": "[parameters('deploymentVersion')]",
"deploymentType": "[parameters('deploymentType')]"
},
"resources": [
{
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('location')]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
},
"type": "firewallrules"
}
]
} ]
Just modify endIpAddress and startIpAddress to 255.255.255.255. Like below:
{
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('location')]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "255.255.255.255",
"startIpAddress": "255.255.255.255"
},
"type": "firewallrules"
}
Just remove the nested resources section. Then the sql will deploy without that checkmark. Redeploying won't remove the rule, but deploying a new sql will work.
My experience is when you use the name AllowAllWindowsAzureIps for a firewall resource type then it will ignore what range you specify in properties and just turn the Allow Access to Azure Services flag on.
If you want to not have it enabled then don't include a resource with that name in your template.
Here is a bicep example:
resource sqlServer 'Microsoft.Sql/servers@2022-02-01-preview' = {
name: name
location: location
tags: tags
properties: {
administratorLogin: sqlAdministratorLogin
administratorLoginPassword: sqlAdministratorLoginPassword
version: '12.0'
}
}
resource allowAccessToAzureServices 'Microsoft.Sql/servers/firewallRules@2020-11-01-preview' = {
name: 'allow-access-to-azure-services'
parent: sqlServer
properties: {
startIpAddress: '0.0.0.0'
endIpAddress: '0.0.0.0'
}
}
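Whichever of the answers above you follow, the thing to verify in a template before it is deployed is whether any firewall rule opens the server to all Azure-hosted resources (the 0.0.0.0 to 0.0.0.0 rule, or a rule named AllowAllWindowsAzureIps, which the last answer reports is treated as that switch regardless of range) or to a very wide public range. The following is an added example, not code from the thread or from Microsoft: a Python audit that walks top-level and nested resources of an ARM template, identifies Microsoft.Sql/servers/firewallRules, and reports both conditions. Server and rule names are constructed; the 256-address threshold for "wide" is an arbitrary choice for the example.

```python
# Added example: audit SQL firewall rules in an ARM template for the Azure-services switch and wide ranges.
import ipaddress

WIDE_RANGE = 256  # arbitrary threshold for this example: flag rules covering more addresses than this


def _walk(resources, parent_type=""):
    """Yield (fully qualified type, resource) for every resource, including nested ones
    whose short type (e.g. "firewallrules") is relative to the parent."""
    for res in resources:
        rtype = res.get("type", "")
        full = rtype if "/" in rtype else f"{parent_type}/{rtype}"
        yield full, res
        yield from _walk(res.get("resources", []), full)


def audit_sql_firewall(template):
    """Return finding strings for every SQL firewall rule that widens exposure ([] = clean)."""
    findings = []
    for full_type, res in _walk(template.get("resources", [])):
        if full_type.lower() != "microsoft.sql/servers/firewallrules":
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        start = ipaddress.IPv4Address(props.get("startIpAddress", "0.0.0.0"))
        end = ipaddress.IPv4Address(props.get("endIpAddress", "0.0.0.0"))
        # 0.0.0.0-0.0.0.0 is the Azure-services rule; per the thread, the name alone also triggers it.
        if name == "AllowAllWindowsAzureIps" or (int(start) == 0 and int(end) == 0):
            findings.append(f"{name}: enables 'Allow access to Azure services' "
                            "(connections from any Azure-hosted resource, not only yours)")
            continue
        width = int(end) - int(start) + 1
        if width > WIDE_RANGE:
            findings.append(f"{name}: range {start}-{end} covers {width} addresses")
    return findings


def template_with_rule(name, start, end):
    """Constructed Microsoft.Sql/servers resource carrying one nested firewall rule."""
    return {"resources": [{
        "name": "example-sql", "type": "Microsoft.Sql/servers",
        "properties": {"administratorLogin": "sqladmin"},
        "resources": [{"type": "firewallrules", "name": name,
                       "properties": {"startIpAddress": start, "endIpAddress": end}}]}]}


SERVER_ONLY = {"resources": [{"name": "example-sql", "type": "Microsoft.Sql/servers"}]}


if __name__ == "__main__":
    cases = {
        "question's template": template_with_rule("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
        "first answer": template_with_rule("AllowAllWindowsAzureIps", "255.255.255.255", "255.255.255.255"),
        "office range": template_with_rule("office", "203.0.113.10", "203.0.113.20"),
        "whole internet": template_with_rule("everything", "0.0.0.0", "255.255.255.255"),
        "no rule": SERVER_ONLY,
    }
    for label, tpl in cases.items():
        print(f"{label}: {audit_sql_firewall(tpl) or 'ok'}")
```

Load a real template with `json.load` and pass the dict to `audit_sql_firewall`; rules whose addresses are ARM expressions rather than literals will raise from `ipaddress`, which is a reasonable prompt to resolve the parameters first.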

Couchbase lite .net SDK Replication Error

I'm working with the Couchbase Lite .NET SDK, and I got an example from the URL below.
and my configuration file is like below.
{
"log": ["HTTP+"],
"adminInterface": "0.0.0.0:4985",
"interface": "0.0.0.0:4984",
"databases": {
"db": {
"server": "walrus:data",
"bucket": "todo",
"users": {
"GUEST": {"disabled": false, "admin_channels": ["*"] }
}
}
}
}
when I run the wpf app, I'm getting error like below image.
Please help me, I'm not sure how to implement couchbase sync gateway.
I fixed the issue.
I added the shadow property to the configuration JSON file.
You can read more information from these links.
https://groups.google.com/forum/#!topic/mobile-couchbase/NWd8xqPOjsc
https://github.com/couchbase/sync_gateway/wiki/Bucket-Shadowing
{
"interface": ":4984",
"adminInterface": ":4985",
"log": [ "*" ],
"databases": {
"sync_gateway": {
"server": "walrus:",
"bucket": "sync_gateway",
"users": {
"GUEST": {
"disabled": false,
"admin_channels": [ "*" ]
},
"user": {
"admin_channels": [ "*" ],
"password": "user"
}
},
"sync": `function(doc){ channel(doc.channels); }`,
"shadow": {
"server": "http://couchbase-dev.thisisdmg.com:8091",
"bucket": "sales_agent"
}
}
}
}
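Both configurations in this thread solve the replication error by granting the GUEST user every channel and, in the first one, binding the admin REST interface to every address. Those are development settings worth catching before a config file reaches anything reachable from a network. The following is an added example, not code from the thread or from Couchbase: a Python audit over a Sync Gateway config dictionary that reports an admin interface listening on all addresses, an enabled GUEST user and the channels it gets, and users whose password equals their username. It assumes GUEST is disabled unless the config enables it and that the admin interface defaults to 127.0.0.1:4985; the two configs are constructed after the ones posted above, with the sync function written as a plain JSON string.

```python
# Added example: audit a Couchbase Sync Gateway config for settings that widen exposure.

def _host_of(bind):
    """Host part of an interface spec such as "0.0.0.0:4985" or ":4985" (empty = all addresses)."""
    return bind.rsplit(":", 1)[0] if ":" in bind else bind


def audit_sync_gateway(config):
    """Return finding strings for a Sync Gateway config dictionary ([] = nothing flagged)."""
    findings = []
    # Assumed default: the admin REST API listens on 127.0.0.1:4985 when not configured.
    admin_host = _host_of(config.get("adminInterface", "127.0.0.1:4985"))
    if admin_host in ("", "0.0.0.0"):
        findings.append("adminInterface listens on all addresses; bind it to 127.0.0.1 or a private address")

    for db_name, db in config.get("databases", {}).items():
        users = db.get("users", {})
        guest = users.get("GUEST")
        # Assumed default: GUEST stays disabled unless the config sets "disabled": false.
        if guest is not None and not guest.get("disabled", True):
            channels = guest.get("admin_channels", [])
            scope = "all channels" if "*" in channels else f"channels {channels}"
            findings.append(f"{db_name}: GUEST (unauthenticated) access enabled for {scope}")
        for user_name, spec in users.items():
            if user_name != "GUEST" and spec.get("password") == user_name:
                findings.append(f"{db_name}: user {user_name!r} has a password equal to its username")
    return findings


# Constructed after the answer's config (sync function as a JSON string, not backticks).
POSTED_CONFIG = {
    "interface": ":4984",
    "adminInterface": ":4985",
    "log": ["*"],
    "databases": {
        "sync_gateway": {
            "server": "walrus:",
            "bucket": "sync_gateway",
            "users": {
                "GUEST": {"disabled": False, "admin_channels": ["*"]},
                "user": {"admin_channels": ["*"], "password": "user"},
            },
            "sync": "function(doc){ channel(doc.channels); }",
            "shadow": {"server": "http://couchbase-dev.example.invalid:8091", "bucket": "sales_agent"},
        }
    },
}

# Same layout with the three findings addressed (constructed; the password is a placeholder).
HARDENED_CONFIG = {
    "interface": ":4984",
    "adminInterface": "127.0.0.1:4985",
    "log": ["*"],
    "databases": {
        "sync_gateway": {
            "server": "walrus:",
            "bucket": "sync_gateway",
            "users": {
                "GUEST": {"disabled": True},
                "user": {"admin_channels": ["sales"], "password": "<placeholder-set-per-deployment>"},
            },
            "sync": "function(doc){ channel(doc.channels); }",
        }
    },
}


if __name__ == "__main__":
    print("posted:", audit_sync_gateway(POSTED_CONFIG))
    print("hardened:", audit_sync_gateway(HARDENED_CONFIG) or "ok")
```

To check a real file, `json.load` it and pass the dict in; a config that uses backtick-quoted sync functions needs those converted to ordinary JSON strings first, since the standard library parser rejects them.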
