Skip Validation Page after Google/Facebook Sign-Up Azure AD B2C - azure-active-directory

I want to disable/skip the validation page which asks to modify Display Name/First Name/Last Name after a Google/Facebook sign-up. I want to be directly redirected to my app. I'm using AD B2C custom policies.
I have tried to delete InputClaims and OutputClaims in <TechnicalProfile Id="SelfAsserted-Social"> but it does not work (error with claim sub not being in the claims collection).

You must remove orchestration step #4 from the user journey so that the new user isn't prompted for any input claims:
Note: After you have removed orchestration step #4, you must re-number the orchestration steps that followed it.
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
  </ClaimsExchanges>
</OrchestrationStep>
Instead, orchestration step #5 will create the user object, with claims that are received from the external identity provider:
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ClaimsExchanges>
</OrchestrationStep>
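The removal-and-renumber step above is easy to get wrong by hand in a long journey. The following script is an added example, not code from the answer or from the B2C starter pack: it deletes the orchestration step whose ClaimsExchange references a given technical profile and renumbers the steps that follow. The TrustFrameworkPolicy namespace URI and the cut-down SignUpOrSignIn journey in SAMPLE_POLICY are assumptions/constructed input.

```python
import xml.etree.ElementTree as ET

B2C_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"  # TrustFrameworkPolicy namespace (assumed)
NS = {"tf": B2C_NS}
ET.register_namespace("", B2C_NS)

# Constructed sample: the starter-pack SignUpOrSignIn journey cut down to the steps discussed above.
SAMPLE_POLICY = f"""<TrustFrameworkPolicy xmlns="{B2C_NS}">
  <UserJourneys><UserJourney Id="SignUpOrSignIn"><OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin" />
    <OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges>
      <ClaimsExchange Id="GoogleExchange" TechnicalProfileReferenceId="Google-OAUTH" />
    </ClaimsExchanges></OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange"><ClaimsExchanges>
      <ClaimsExchange Id="AADUserRead" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
    </ClaimsExchanges></OrchestrationStep>
    <OrchestrationStep Order="4" Type="ClaimsExchange"><ClaimsExchanges>
      <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
    </ClaimsExchanges></OrchestrationStep>
    <OrchestrationStep Order="5" Type="ClaimsExchange"><ClaimsExchanges>
      <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
    </ClaimsExchanges></OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps></UserJourney></UserJourneys>
</TrustFrameworkPolicy>"""

def load_policy(xml_text):
    return ET.fromstring(xml_text)

def _journey(root, journey_id):
    journey = root.find(f".//tf:UserJourney[@Id='{journey_id}']", NS)
    if journey is None:
        raise ValueError(f"no UserJourney with Id {journey_id!r}")
    return journey

def remove_step_for_profile(root, journey_id, technical_profile_id):
    """Drop the step whose ClaimsExchange references technical_profile_id and
    renumber the remaining steps 1..n. Returns the Order of the removed step."""
    parent = _journey(root, journey_id).find("tf:OrchestrationSteps", NS)
    xpath = f"tf:ClaimsExchanges/tf:ClaimsExchange[@TechnicalProfileReferenceId='{technical_profile_id}']"
    hits = [s for s in parent.findall("tf:OrchestrationStep", NS) if s.find(xpath, NS) is not None]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one step for {technical_profile_id!r}, found {len(hits)}")
    removed_order = int(hits[0].get("Order"))
    parent.remove(hits[0])
    # Renumber so Order stays consecutive, as the answer above requires.
    for order, step in enumerate(parent.findall("tf:OrchestrationStep", NS), start=1):
        step.set("Order", str(order))
    return removed_order

def journey_steps(root, journey_id):
    """[(Order, Type, TechnicalProfileReferenceId of the first ClaimsExchange or None)] for review."""
    out = []
    for step in _journey(root, journey_id).iterfind("tf:OrchestrationSteps/tf:OrchestrationStep", NS):
        ex = step.find("tf:ClaimsExchanges/tf:ClaimsExchange", NS)
        out.append((int(step.get("Order")), step.get("Type"),
                    ex.get("TechnicalProfileReferenceId") if ex is not None else None))
    return out
```

Run it against your real TrustFrameworkExtensions file with `load_policy(open(path).read())`, then serialise with `ET.tostring(root)` and diff the result before uploading.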

Related

Not able to signin to a WebForms using ITFoxtec

Have tried to use ITFoxtec in my webform application but getting an error as below when I click on Login. I have registered the app in my default directory of my Azure AD.
<appSettings>
  <add key="Saml2:Issuer" value="urn:itfoxtec:identity:saml2:testwebapp" />
  <add key="Saml2:SingleSignOnDestination" value="https://test-adfs.itfoxtec.com/adfs/ls/" />
  <add key="Saml2:SingleLogoutDestination" value="https://test-adfs.itfoxtec.com/adfs/ls/" />
  <add key="Saml2:SignatureAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
  <add key="Saml2:CertificateValidationMode" value="None" />
</appSettings>
I have added this to the web.config.
I think you need an administrator to consent/approve your application in Azure AD.
The config in the question looks like the sample config, and not the config you are using.

'Preauthorization missing.' error when trying to get Access Token from Outlook AddIn

I am making an Outlook add-in in React and when trying to get the access token from OfficeRuntime, I get the following error:
This is the method I am trying to run:
var bootToken = OfficeRuntime.auth.getAccessToken({
  allowSignInPrompt: true
});
This is the error in the browser console:
OSF.DDA.Error {name: 'Preauthorization missing.', message: 'Missing grant for this add-in.', code: 13005} code: 13005 message: "Missing grant for this add-in." name: "Preauthorization missing."
This is my manifest.xml file:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0" xmlns:mailappor="http://schemas.microsoft.com/office/mailappversionoverrides/1.0" xsi:type="MailApp">
<Id>{AppId}</Id>
<Version>1.0.0.0</Version>
<ProviderName>Signator</ProviderName>
<DefaultLocale>en-US</DefaultLocale>
<DisplayName DefaultValue="Signator Demo"/>
<Description DefaultValue="Signator demo"/>
<IconUrl DefaultValue="https://localhost:3000/assets/icon-64.png"/>
<HighResolutionIconUrl DefaultValue="https://localhost:3000/assets/icon-128.png"/>
<SupportUrl DefaultValue="https://www.contoso.com/help"/>
<AppDomains>
<AppDomain>https://www.contoso.com</AppDomain>
</AppDomains>
<Hosts>
<Host Name="Mailbox"/>
</Hosts>
<Requirements>
<Sets>
<Set Name="Mailbox" MinVersion="1.1"/>
</Sets>
</Requirements>
<FormSettings>
<Form xsi:type="ItemRead">
<DesktopSettings>
<SourceLocation DefaultValue="https://localhost:3000/taskpane.html"/>
<RequestedHeight>250</RequestedHeight>
</DesktopSettings>
</Form>
</FormSettings>
<Permissions>ReadWriteItem</Permissions>
<Rule xsi:type="RuleCollection" Mode="Or">
<Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
</Rule>
<DisableEntityHighlighting>false</DisableEntityHighlighting>
<VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides" xsi:type="VersionOverridesV1_0">
<Requirements>
<bt:Sets DefaultMinVersion="1.3">
<bt:Set Name="Mailbox"/>
</bt:Sets>
</Requirements>
<Hosts>
<Host xsi:type="MailHost">
<DesktopFormFactor>
<FunctionFile resid="Commands.Url"/>
<ExtensionPoint xsi:type="MessageReadCommandSurface">
<OfficeTab id="TabDefault">
<Group id="msgReadGroup">
<Label resid="GroupLabel"/>
<Control xsi:type="Button" id="msgReadOpenPaneButton">
<Label resid="TaskpaneButton.Label"/>
<Supertip>
<Title resid="TaskpaneButton.Label"/>
<Description resid="TaskpaneButton.Tooltip"/>
</Supertip>
<Icon>
<bt:Image size="16" resid="Icon.16x16"/>
<bt:Image size="32" resid="Icon.32x32"/>
<bt:Image size="80" resid="Icon.80x80"/>
</Icon>
<Action xsi:type="ShowTaskpane">
<SourceLocation resid="Taskpane.Url"/>
</Action>
</Control>
</Group>
</OfficeTab>
</ExtensionPoint>
</DesktopFormFactor>
</Host>
</Hosts>
<Resources>
<bt:Images>
<bt:Image id="Icon.16x16" DefaultValue="https://localhost:3000/assets/icon-16.png"/>
<bt:Image id="Icon.32x32" DefaultValue="https://localhost:3000/assets/icon-32.png"/>
<bt:Image id="Icon.80x80" DefaultValue="https://localhost:3000/assets/icon-80.png"/>
</bt:Images>
<bt:Urls>
<bt:Url id="Taskpane.Url" DefaultValue="https://localhost:3000/taskpane.html"/>
</bt:Urls>
<bt:ShortStrings>
<bt:String id="GroupLabel" DefaultValue="Signator Add-in"/>
<bt:String id="TaskpaneButton.Label" DefaultValue="Show Taskpane"/>
</bt:ShortStrings>
<bt:LongStrings>
<bt:String id="TaskpaneButton.Tooltip" DefaultValue="Opens a pane displaying all available properties."/>
</bt:LongStrings>
</Resources>
<VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides/1.1" xsi:type="VersionOverridesV1_1">
<Requirements>
<bt:Sets DefaultMinVersion="1.3">
<bt:Set Name="Mailbox"/>
</bt:Sets>
</Requirements>
<Hosts>
<Host xsi:type="MailHost">
<DesktopFormFactor>
<FunctionFile resid="Commands.Url"/>
<ExtensionPoint xsi:type="MessageReadCommandSurface">
<OfficeTab id="TabDefault">
<Group id="msgReadGroup">
<Label resid="GroupLabel"/>
<Control xsi:type="Button" id="msgReadOpenPaneButton">
<Label resid="TaskpaneButton.Label"/>
<Supertip>
<Title resid="TaskpaneButton.Label"/>
<Description resid="TaskpaneButton.Tooltip"/>
</Supertip>
<Icon>
<bt:Image size="16" resid="Icon.16x16"/>
<bt:Image size="32" resid="Icon.32x32"/>
<bt:Image size="80" resid="Icon.80x80"/>
</Icon>
<Action xsi:type="ShowTaskpane">
<SourceLocation resid="Taskpane.Url"/>
</Action>
</Control>
</Group>
</OfficeTab>
</ExtensionPoint>
</DesktopFormFactor>
</Host>
</Hosts>
<Resources>
<bt:Images>
<bt:Image id="Icon.16x16" DefaultValue="https://localhost:3000/assets/icon-16.png"/>
<bt:Image id="Icon.32x32" DefaultValue="https://localhost:3000/assets/icon-32.png"/>
<bt:Image id="Icon.80x80" DefaultValue="https://localhost:3000/assets/icon-80.png"/>
</bt:Images>
<bt:Urls>
<bt:Url id="Taskpane.Url" DefaultValue="https://localhost:3000/taskpane.html"/>
</bt:Urls>
<bt:ShortStrings>
<bt:String id="GroupLabel" DefaultValue="Signator Add-in"/>
<bt:String id="TaskpaneButton.Label" DefaultValue="Show Taskpane"/>
</bt:ShortStrings>
<bt:LongStrings>
<bt:String id="TaskpaneButton.Tooltip" DefaultValue="Opens a pane displaying all available properties."/>
</bt:LongStrings>
</Resources>
<WebApplicationInfo>
<Id>{AppId}</Id>
<Resource>api://localhost:3000/{AppId}</Resource>
<Scopes>
<Scope>openid</Scope>
<Scope>profile</Scope>
<Scope>offline_access</Scope>
<Scope>Files.Read.All</Scope>
<Scope>User.Read</Scope>
<Scope>email</Scope>
<Scope>access_as_user</Scope>
</Scopes>
</WebApplicationInfo>
</VersionOverrides>
</VersionOverrides>
</OfficeApp>
This is my .env file:
CLIENT_ID=6fd14366-13ed-4a8d-8563-0f89e8428f43
GRAPH_URL_SEGMENT_=/me
NODE_ENV=development
PORT=3000
QUERY_PARAM_SEGMENT=
SCOPE=access_as_user
These are my API permissions:
I also have declared a scope 'access_as_user' and generated a client secret, added all possible client apps, enabled authorization and sso and set the app to be multi tenant.
What could be the problem? Why do I get the error 'Preauthorization missing' (code 13005)?
Under Manage, select API permissions, and select Add a permission. On the panel that opens, choose Microsoft Graph, and then choose Delegated permissions. Please check your permissions and see if Files.Read.All is selected as an application-type permission and whether it needs to be changed to delegated.
Files.Read.All
offline_access
openid
profile
Please make sure to grant admin consent as an administrator. So please test in tenants where you have the admin role, and from there you can provide all the consents. When developing, you have to grant admin consent as described here.
Also try using this URL and check to grant permissions for your app:
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
See Grant tenant-wide admin consent to an application - Azure AD | Microsoft Docs.
Please refer to Outlook-Add-in-SSO / Office-Add-in-samples · GitHub, which implements an outlook-add-in-sso-aspnet that uses Office's SSO feature to give the add-in access to Microsoft Graph data.
And check the Authorized client applications section; identify the applications that you want to authorize to your add-in's web application. Each of the following IDs needs to be pre-authorized.
For example, in the Authorized client applications section, enter the following ID to pre-authorize all Microsoft Office application endpoints.
ea5a67f6-b6f3-4338-b240-c655ddc3cc8e (All Microsoft Office application endpoints)
The ID, ea5a67f6-b6f3-4338-b240-c655ddc3cc8e pre-authorizes Office on all the following platforms.
Note: Alternatively, you can enter a proper subset of the following IDs if for any reason you want to deny authorization to Office on some platforms. Just leave out the IDs of the platforms from which you want to withhold authorization.
d3590ed6-52b3-4102-aeff-aad2292ab01c (Microsoft Office)
ea5a67f6-b6f3-4338-b240-c655ddc3cc8e (Microsoft Office)
57fb890c-0dab-4253-a5e0-7188c88b2bb4 (Office on the web)
08e18876-6177-487e-b8b5-cf950c1e598c (Office on the web)
bc59ab01-8403-45c6-8796-ac3ef710b3e3 (Outlook on the web)
For each ID, take these steps:
a. Select the Add a client application button, and in the panel that opens, set the Client ID to the respective GUID and check the box for api://localhost:44355/$App ID GUID$/access_as_user.
b. Select Add application.
Please check these References:
Register an Office Add-in that uses SSO with the Microsoft identity platform - Office Add-ins | Microsoft Docs & create-sso-office-add-ins-nodejs.
oauth 2.0 - Error getting SSO in Outlook 365 web addin 13005. Preauthorization missing - Stack Overflow.
Another possible cause, during development, is that your add-in is using Internet Explorer and you are using a self-signed certificate. (To determine which browser is being used by the add-in, see Browsers used by Office Add-ins.)
See Troubleshoot error messages for single sign-on (SSO) - Office Add-ins | Microsoft Docs
References:
javascript - Outlook WEB Add-in execution of getAccessToken returns status code 302 - Stack Overflow
Enable single sign-on (SSO) in an Office Add-in - Office Add-ins | Microsoft Docs
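The pre-authorization list above is the usual cause of 13005, so it helps to check it mechanically. The script below is an added example (not from the answer or from Microsoft's samples): it reads WebApplicationInfo from a manifest, ignoring the namespaces, and reports every Office client ID from the list above that is not authorized for the add-in's exposed scope. The manifest fragment, the zero GUID, and SAMPLE_PREAUTHORIZED (a stand-in for what the Authorized client applications blade shows) are constructed.

```python
import xml.etree.ElementTree as ET

# Office client IDs from the answer above; each must be preauthorized for
# the add-in's exposed scope or getAccessToken fails with code 13005.
OFFICE_CLIENT_IDS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
    "ea5a67f6-b6f3-4338-b240-c655ddc3cc8e": "Microsoft Office",
    "57fb890c-0dab-4253-a5e0-7188c88b2bb4": "Office on the web",
    "08e18876-6177-487e-b8b5-cf950c1e598c": "Office on the web",
    "bc59ab01-8403-45c6-8796-ac3ef710b3e3": "Outlook on the web",
}

# Constructed manifest fragment: only the element the check needs. The real
# file in the question nests it inside VersionOverridesV1_1.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides/1.1">
    <WebApplicationInfo>
      <Id>00000000-0000-0000-0000-000000000001</Id>
      <Resource>api://localhost:3000/00000000-0000-0000-0000-000000000001</Resource>
      <Scopes><Scope>openid</Scope><Scope>access_as_user</Scope></Scopes>
    </WebApplicationInfo>
  </VersionOverrides>
</OfficeApp>"""

# Constructed stand-in for the Authorized client applications blade:
# (client app ID, authorized scope) pairs. Outlook on the web is missing.
SAMPLE_PREAUTHORIZED = {
    ("d3590ed6-52b3-4102-aeff-aad2292ab01c", "access_as_user"),
    ("ea5a67f6-b6f3-4338-b240-c655ddc3cc8e", "access_as_user"),
    ("57fb890c-0dab-4253-a5e0-7188c88b2bb4", "access_as_user"),
    ("08e18876-6177-487e-b8b5-cf950c1e598c", "access_as_user"),
}

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def web_application_info(manifest_xml):
    """Return (app_id, resource, [scopes]) from WebApplicationInfo, whatever namespace it sits in."""
    for el in ET.fromstring(manifest_xml).iter():
        if _local(el.tag) == "WebApplicationInfo":
            fields = {_local(child.tag): child for child in el}
            scopes = [s.text.strip() for s in fields["Scopes"]]
            return fields["Id"].text.strip(), fields["Resource"].text.strip(), scopes
    raise ValueError("manifest has no WebApplicationInfo element")

def preauth_findings(manifest_xml, preauthorized, api_scope="access_as_user"):
    """List problems that would explain a 13005 error; an empty list means the checks passed."""
    app_id, resource, scopes = web_application_info(manifest_xml)
    problems = []
    if not resource.endswith("/" + app_id):  # expected api://<host>/<app id> form
        problems.append(f"Resource {resource} does not end with the app ID {app_id}")
    if api_scope not in scopes:
        problems.append(f"manifest does not request the {api_scope} scope")
    for client_id, name in OFFICE_CLIENT_IDS.items():
        if (client_id, api_scope) not in preauthorized:
            problems.append(f"{name} ({client_id}) is not preauthorized for {api_scope}")
    return problems
```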

Azure AD B2C generic error with LinkedIn ClaimsProvider - AADB2C90289 We encountered an error connecting to the identity provider

I have been trying to craft a UserJourney that will link a LinkedIn social account with an existing Local AAD B2C account. I have used the following as guides:
Starter Pack - LinkedIn Provider
Account Linking Policy Samples
When I configure in the Microsoft Account (which is OpenIdConnect) everything works perfectly, so I believe that I have the UserJourney parts correct.
When I attempt to use the LinkedIn OAuth2 ClaimsProvider it always fails with a generic error:
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: 90f20acf-b725-405d-a3ac-120e5b559f6f
Timestamp: 2020-01-03 15:17:54Z
Things I have tried:
Connecting Application Insights in Developer Mode - there is no tracing, logging or errors aside from the information above
Creating a second LinkedIn App and switching credentials - same result
Swapping in v1 and v2 ClaimsEndpoint urls
Disabling all OutputClaimsTransformations and anything that seemed calculated - same result
Creating a policy through the Portal (not custom) which allows me to login and creates a new account in the AAD; this is not what I need it to do, but does indicate that the credentials and setup of the LI App must be ok
Tracing through network calls - I can see the response from LinkedIn being posted to https://mydomain.b2clogin.com/mydomain.onmicrosoft.com/oauth2/authresp with a code and a state argument so I assume the issue is in processing the response
As I mentioned, connecting the MSA-OIDC provider was fine, albeit that it is not OAuth2. I presume, therefore, the issue is how I have the OAuth2 connection set up, but I can't spot the problem
Here's the material parts of my ClaimsProvider:
<ClaimsProvider>
  <Domain>linkedin.com</Domain>
  <DisplayName>LinkedIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="LinkedIn-OAUTH-Base">
      <DisplayName>LinkedIn</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">linkedin</Item>
        <Item Key="authorization_endpoint">https://www.linkedin.com/oauth/v2/authorization</Item>
        <Item Key="AccessTokenEndpoint">https://www.linkedin.com/oauth/v2/accessToken</Item>
        <Item Key="ClaimsEndpoint">https://api.linkedin.com/v2/me</Item>
        <!--<Item Key="ClaimsEndpoint">https://api.linkedin.com/v1/people/~:(id,formatted-name,email-address)</Item>-->
        <Item Key="ClaimsEndpointAccessTokenName">oauth2_access_token</Item>
        <Item Key="ClaimsEndpointFormatName">format</Item>
        <Item Key="ClaimsEndpointFormat">json</Item>
        <Item Key="scope">r_emailaddress r_liteprofile</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="external_user_identity_claim_id">id</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="ResolveJsonPathsInJsonTokens">true</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <Item Key="response_type">code</Item>
        <Item Key="client_id">0</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_LinkedInSecret" />
      </CryptographicKeys>
    </TechnicalProfile>
    <TechnicalProfile Id="LinkedIn-OAUTH-Link">
      <DisplayName>Link LinkedIn</DisplayName>
      <Metadata>
        <Item Key="ClaimTypeOnWhichToEnable">issuers</Item>
        <Item Key="ClaimValueOnWhichToEnable">linkedin.com</Item>
      </Metadata>
      <InputClaims />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserIdToLink" PartnerClaimType="id" />
        <OutputClaim ClaimTypeReferenceId="issuerToLink" DefaultValue="linkedin.com" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateUserIdentityToLink" />
        <OutputClaimsTransformation ReferenceId="AppendUserIdentityToLink" />
      </OutputClaimsTransformations>
      <IncludeTechnicalProfile ReferenceId="LinkedIn-OAUTH-Base" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
      <EnabledForUserJourneys>OnItemAbsenceInStringCollectionClaim</EnabledForUserJourneys>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
Note: I removed the client_id value but that is set in the real version.
Note 2: Also in the real version the -Link profile is in a different file to the -Base profile, but I don't think that's material to the problem.
If someone can help me spot the problem here I'd be grateful. I'm a bit stuck at this point.

Microsoft Edge Issue - The requested resource requires user authentication

I have a website and api hosted on IIS 8.5 and lately users of the site are getting the following console error when attempting to POST data to the api when using Microsoft Edge:
HTTP401: DENIED - The requested resource requires user authentication.
(XHR)OPTIONS - http://my-local-address/api/customers/approval/post
Note: Users are authenticated by using Windows Authentication.
This occurs spontaneously and to get around the issue the users are forced to do a hard refresh (Ctrl + F5) on MS Edge and then they can continue with their process. Could there be a setting on IIS that's releasing the user authentication after a period of time?
I've listed my attempts to resolve the issue below:
I've got my organisation to add in a trusted policy for my local web address.
Changed the providers of the API. Moved NTLM above Negotiate.
Removed Negotiate based on this stackoverflow post Windows authentication failing in IIS 7.5.
Try and catch the error from the POST request but I'm returning null every time.
Configured CORS to allow for cross origin.
NB: I'm using angularjs for my front end and ASP.NET Web API 2 for the API.
The following code snippet details how the Web Api is configured:
WebApiConfig.cs
var cors = new EnableCorsAttribute("*", "*", "*") { SupportsCredentials = true };
config.EnableCors(cors);
Web.config
<system.web>
  <identity impersonate="true" />
  <compilation debug="true" targetFramework="4.5.1">
    <assemblies>
      <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </assemblies>
  </compilation>
  <httpRuntime targetFramework="4.5.2" />
</system.web>
<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
  <handlers>
    <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
    <remove name="TRACEVerbHandler" />
    <remove name="OPTIONSVerbHandler" />
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
</system.webServer>
Angular module config using $httpProvider to supply $http requests with credentials
$httpProvider.defaults.withCredentials = true;

Active Directory Membership Provider with AD LDS

I am trying to create a web app that uses ActiveDirectoryMembership with AD LDS.
When I try to register a new user, or log in with an existing user, I get this error:
"If either of the properties connection-username or connection-password is specified, the other must also be specified"
And I am getting a similar error when I am trying to use "ASP.NET configuration"
My web.config looks like this, and as you can see I am providing both the username and password:
<connectionStrings>
  <add name="ADService" connectionString="LDAP://localhost:5000/OU=Users,O=TestDirectory"/>
</connectionStrings>
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="2880" defaultUrl="default.aspx"/>
  </authentication>
  <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
    <providers>
      <add name="AspNetActiveDirectoryMembershipProvider"
           connectionStringName="ADService"
           connectionUserName="CN=ADAMAdmin,OU=Users,O=TestDirectory" connectionPassword="admin"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
           connectionProtection="None"/>
    </providers>
  </membership>
Typically username is in the format Domain\Username.
Additionally the property is connectionUsername not connectionUserName (note the lowercase n).
The attributes are case-sensitive. Try 'connectionUsername' instead of 'connectionUserName'.