ADAL and angularjs WITHOUT .NET generates HTTP 404 - angularjs

I have been trying to integrate ADAL into my AngularJS SPA app by leveraging the AAD application configuration info from the .NET sample app and cannot get it to authenticate. I get a 404 every time.
The sample app instructions are as follows:
Step 2: Register the sample with your Azure Active Directory tenant
1. Sign in to the Azure management portal.
2. Click on Active Directory in the left hand nav.
3. Click the directory tenant where you wish to register the sample application.
4. Click the Applications tab.
5. In the drawer, click Add.
6. Click "Add an application my organization is developing".
7. Enter a friendly name for the application, for example "SinglePageApp-DotNet", select "Web Application and/or Web API", and click next.
8. For the sign-on URL, enter the base URL for the sample, which is by default https://localhost:44326/.
9. For the App ID URI, enter https://<your_tenant_name>/SinglePageApp-DotNet, replacing <your_tenant_name> with the name of your Azure AD tenant.
All done! Before moving on to the next step, you need to find the Client ID of your application.
1. While still in the Azure portal, click the Configure tab of your application.
2. Find the Client ID value and copy it to the clipboard.
Step 3: Enable the OAuth2 implicit grant for your application
By default, applications provisioned in Azure AD are not enabled to use the OAuth2 implicit grant. In order to run this sample, you need to explicitly opt in.
1. From the former steps, your browser should still be on the Azure management portal - and specifically, displaying the Configure tab of your application's entry.
2. Using the Manage Manifest button in the drawer, download the manifest file for the application and save it to disk.
3. Open the manifest file with a text editor. Search for the oauth2AllowImplicitFlow property. You will find that it is set to false; change it to true and save the file.
4. Using the Manage Manifest button, upload the updated manifest file. Save the configuration of the app.
Step 4: Configure the sample to use your Azure Active Directory tenant
1. Open the solution in Visual Studio 2013.
2. Open the web.config file.
3. Find the app key ida:Tenant and replace the value with your AAD tenant name.
4. Find the app key ida:Audience and replace the value with the Client ID from the Azure portal.
5. Open the file App/Scripts/App.js and locate the line adalAuthenticationServiceProvider.init(.
6. Replace the value of tenant with your AAD tenant name.
7. Replace the value of clientId with the Client ID from the Azure portal.
When I configure my app it looks like this:
```javascript
// adal-angular configuration as posted in the question
adalProvider.init(
  {
    instance: 'https://login.microsoftonline.com/',
    tenant: 'http://mytenantname.onmicrosoft.com',
    clientId: '000000000-583f-4218-b410-28c2acf00000',
    extraQueryParameter: '12345',
  },
  $httpProvider
);
```
However, when I try to authenticate I always get a 404 response that my app is not recognized. Any idea what is wrong here?

The problems are in the tenant value:
The tenant property needs to be a URN, not a URL, so it should not include the 'http://'.
You have to include the application name at the end of the URN to uniquely identify the application within the directory.
Try that and see if it works.
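As an added example (not code from the question or the answer), a small pre-flight check that can run before `adalProvider.init()` and catches the tenant-as-URL mistake above; the function names and validation rules are assumptions, and the sample configs are constructed.

```javascript
// Added example: sanity-check an adal.js init config before it reaches
// adalProvider.init(). The rules below are assumptions, not adal.js's own.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function validateAdalConfig(cfg) {
  const errors = [];
  // instance is the authority host, e.g. https://login.microsoftonline.com/
  if (!/^https:\/\/[^/?#]+\/$/.test(cfg.instance || '')) {
    errors.push("instance must be an https URL ending in '/'");
  }
  // tenant is a bare tenant name or id appended to instance, never a URL
  const tenant = cfg.tenant || '';
  if (!tenant) {
    errors.push('tenant is required');
  } else if (/^[a-z][a-z0-9+.-]*:\/\//i.test(tenant)) {
    errors.push("tenant must not include a scheme such as 'http://'");
  }
  // clientId is the application (client) id GUID shown in the portal
  if (!GUID_RE.test(cfg.clientId || '')) {
    errors.push('clientId must be the application id GUID from the portal');
  }
  return errors;
}

// Authority URL adal.js will redirect to for a given config.
function authority(cfg) {
  return cfg.instance + cfg.tenant + '/';
}

// Constructed sample: the config as posted in the question.
const questionConfig = {
  instance: 'https://login.microsoftonline.com/',
  tenant: 'http://mytenantname.onmicrosoft.com',
  clientId: '000000000-583f-4218-b410-28c2acf00000',
};

// Constructed sample with the tenant fixed and a placeholder GUID client id.
const fixedConfig = {
  instance: 'https://login.microsoftonline.com/',
  tenant: 'mytenantname.onmicrosoft.com',
  clientId: '00000000-583f-4218-b410-28c2acf00000',
};

console.log(validateAdalConfig(questionConfig));
console.log(validateAdalConfig(fixedConfig), authority(fixedConfig));
```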

Related

Where Do I Find The Issuer URL In Azure Active Directory?

I am trying to add Active Directory Authentication to my Azure App Service.
The AD I am using is in a different tenant to the App Service so I need to use Advanced Settings instead of Express (where it creates things for you).
One of the fields is "Issuer Url" and the pop up help says
"Issuer URL for your Active Directory, TenantId of your Active Directory can be obtained by PowerShell command Get-AzureAccount or by browsing to your Directory from the management portal"
Where do I find the "Issuer Url" in the portal?
On the App registrations page, click on the Endpoints button at the top, then copy the WS-FEDERATION SIGN-ON ENDPOINT URL but remove the /wsfed ending from the URL. The end result should look like https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000. The domain name may be different for a sovereign cloud. This will serve as the Issuer URL.

Configure Azure AD B2C as Auth Provider in Salesforce

I am trying to configure Azure AD B2C as auth provider to Salesforce. I followed the instructions in http://salesforce.vidyard.com/watch/kcgTXQytUb6INIs2g3faKg (using Azure AD B2C instead of Google).
When I click on the test-only initialization URL I get the following error.
My B2C set up is very basic. I just have an email provider and an out-of-the-box sign-in sign-up policy.
Any help will be greatly appreciated.
I'm late to the party but I wanted to post here in case anyone else can use this information. We followed the below steps with an ordinary Custom Policy returning a JWT token. Notice steps 4-5 under Create an Azure AD B2C Application and step 8 under Configure Salesforce Auth. Provider; these will pull back an Access Token from Azure AD B2C.
Create an Azure AD B2C Application
1. Log into the Azure AD B2C instance you wish to connect to.
2. Go to Applications. Click + Add.
3. Add https://www.salesforce.com as a Reply URL. Click Create.
4. Select the new app you just created. Save the Application ID.
5. Click Published Scope. Add read as a scope. Click Save.
6. Save the Full Scope Value.
7. Click API access. Click + Add. Under Select API, select the name of the application. Under Select Scopes, ensure read and user_impersonation are selected.
8. Click OK. Select Keys from the left nav. Click + Generate key. Click Save.
9. Check the value of the generated App key. If it contains “/”, “?”, “&”, or “%” (there may be more invalid characters), delete the generated key and repeat steps 8 and 9 until a valid key is generated. Save the valid key.
Configure Salesforce Auth. Provider
1. Log into Salesforce. Go to Setup. In the Quick Find box, type Auth. Select Auth. Providers.
2. Click New.
3. Under Provider Type, select Open ID Connect.
4. Add an informative Name. This will be displayed to users as an option when signing in. Salesforce will generate a URL Suffix.
5. Place the Application ID, from Step 4 of “Create an Azure AD B2C Application”, in Consumer Key. Place the App key, from Step 9 of “Create an Azure AD B2C Application”, in Consumer Secret.
6. Retrieve the OpenID Connect discovery endpoint of the Azure AD B2C Custom Policy you wish to integrate with. This discovery endpoint can be found at https://{tenant-id}.b2clogin.com/{tenant-id}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy-id}.
7. Use the authorization_endpoint field in the discovery endpoint as the Authorize Endpoint URL in Salesforce. Use the token_endpoint field in the discovery endpoint as the Token Endpoint URL in Salesforce. Use the issuer field in the discovery endpoint as the Token Issuer in Salesforce.
8. Place the Full Scope Value, from Step 6 of “Create an Azure AD B2C Application”, in Default Scopes. Add “ read” to the end. (The final value should look something like this: https://{tenant-id}.onmicrosoft.com/{application-name}/read openid)
9. For Registration Handler, follow Step 11 from these directions: https://help.salesforce.com/articleView?id=sso_provider_openid_connect.htm&type=5
   a. Note, in case that link changes: you can create a new Registration Handler using the code in this GitHub repository: https://github.com/salesforceidentity/social-signon-reghandler/blob/master/SocialRegHandler.cls. You may need to add u.CompanyName = 'CompanyName'; in the prepareUserData method.
10. Pause here; we’ll come back from Token Issuer.
Setup a Dummy User Info Endpoint
1. Salesforce requires a User Info endpoint. Azure AD B2C does not provide one. You can use the code in this GitHub repository to create a version of a user info endpoint: https://github.com/azure-ad-b2c/samples/tree/master/policies/user-info-endpoint
2. This code will only return the claims present on the user’s token. We settled on modifying the code to run in an Azure Function.
3. Whatever your solution, you should end up with a REST endpoint. Place that REST endpoint in the User Info field of the Auth. Provider in Salesforce.
4. Click Save.
Authorize the Callback URL in Azure AD B2C Application
1. Click on the Auth Provider configured in the above steps.
2. Under Salesforce Configuration, save the Single Logout URL.
3. Expand Communities and save the Callback URL of the Community in which you want to enable SSO.
4. Return to Azure AD B2C. Navigate to App registrations (Preview). Click All applications.
5. Select the application created in “Create an Azure AD B2C Application”. Click Authentication.
6. Click Add URI. Add the Callback URL from Step 3. Update the Logout URL with the Single Logout URL from Step 2. Click Save.
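As an added example (not the answer's own code), the mapping from a B2C discovery document to the Salesforce Auth. Provider fields described in the "Configure Salesforce Auth. Provider" steps; the function names are assumptions and the discovery document below is a constructed sample with placeholder tenant, policy and scope names.

```javascript
// Added example: build the discovery URL from the steps above and map a
// B2C OpenID Connect discovery document onto Salesforce Auth. Provider fields.
function discoveryUrl(tenantId, policyId) {
  return `https://${tenantId}.b2clogin.com/${tenantId}.onmicrosoft.com` +
         `/v2.0/.well-known/openid-configuration?p=${encodeURIComponent(policyId)}`;
}

function salesforceSettings(discoveryDoc, fullScopeValue) {
  // the three fields Salesforce needs must be present and must be https
  for (const field of ['authorization_endpoint', 'token_endpoint', 'issuer']) {
    const value = discoveryDoc[field];
    if (typeof value !== 'string' || !value.startsWith('https://')) {
      throw new Error(`discovery document lacks an https ${field}`);
    }
  }
  return {
    authorizeEndpointUrl: discoveryDoc.authorization_endpoint,
    tokenEndpointUrl: discoveryDoc.token_endpoint,
    tokenIssuer: discoveryDoc.issuer,
    // Full Scope Value of the custom scope plus openid, as in step 8
    defaultScopes: `${fullScopeValue} openid`,
    // B2C publishes no userinfo endpoint, so this stays null and the
    // User Info field must point at your own endpoint (next section)
    userInfoEndpoint: discoveryDoc.userinfo_endpoint || null,
  };
}

// Constructed sample discovery document (placeholder tenant and policy).
const sampleDiscovery = {
  issuer: 'https://contosob2c.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/',
  authorization_endpoint:
    'https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/b2c_1a_signin/oauth2/v2.0/authorize',
  token_endpoint:
    'https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/b2c_1a_signin/oauth2/v2.0/token',
  response_types_supported: ['code', 'id_token', 'code id_token'],
};

// Constructed placeholder Full Scope Value from the "read" published scope.
const sampleFullScope = 'https://contosob2c.onmicrosoft.com/sfdc-demo/read';

console.log(discoveryUrl('contosob2c', 'B2C_1A_signin'));
console.log(salesforceSettings(sampleDiscovery, sampleFullScope));
```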
Are you able to test this login endpoint in your terminal using curl, to ensure it is returning the token?
```shell
# placeholder: replace <Azure login endpoint> with the token endpoint of your tenant
curl -v https://<Azure login endpoint> -d "grant_type=password" -d "username=user@login.demo" -d "password=password"
```
You may need to add additional parameters to the curl command for Azure (perhaps add a client id & client secret?).

AADSTS700054: response_type 'id_token' is not enabled for the application

Using adal.js v1.0.17 and Web API via JavaScript.
Running a custom tab within Microsoft Teams and getting this error when trying to authenticate.
Looked at the app registration within Azure portal and not seen anything there that could help. Tried to edit the manifest file and change the value of oauth2AllowImplicitFlow to true but still getting error.
Found the solution.
Need to access the Azure portal using Chrome.
Go to Azure Active Directory and choose App Registrations (Preview).
Open up the app registration and choose Authentication on the left.
Under Advanced Settings, Implicit grant check the box "ID tokens".
That will add the property oauth2AllowIdTokenImplicitFlow to the manifest file with the value set to "true".
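As an added example (not from the answer), a check of the two implicit-grant manifest properties the answer mentions, showing why a `response_type=id_token` request fails until `oauth2AllowIdTokenImplicitFlow` is true; the function names are assumptions and the manifest fragment is constructed.

```javascript
// Added example: inspect an app registration manifest for the implicit-grant
// flags behind AADSTS700054. Only the two relevant properties are modelled.
function implicitGrant(manifest) {
  return {
    // oauth2AllowImplicitFlow governs response_type=token (access tokens)
    accessToken: manifest.oauth2AllowImplicitFlow === true,
    // oauth2AllowIdTokenImplicitFlow governs response_type=id_token
    idToken: manifest.oauth2AllowIdTokenImplicitFlow === true,
  };
}

// Manifest properties that must be true for the requested response_type
// but are not. An empty array means the request is permitted.
function missingForResponseType(manifest, responseType) {
  const grant = implicitGrant(manifest);
  const missing = [];
  for (const part of responseType.split(' ')) {
    if (part === 'id_token' && !grant.idToken) missing.push('oauth2AllowIdTokenImplicitFlow');
    if (part === 'token' && !grant.accessToken) missing.push('oauth2AllowImplicitFlow');
  }
  return missing;
}

// Copy of the manifest with ID tokens enabled, which is what the portal's
// "ID tokens" checkbox writes.
function enableIdTokens(manifest) {
  return { ...manifest, oauth2AllowIdTokenImplicitFlow: true };
}

// Constructed fragment: the state in the question, implicit flow on, ID tokens off.
const questionManifest = {
  oauth2AllowImplicitFlow: true,
  oauth2AllowIdTokenImplicitFlow: false,
};

console.log(missingForResponseType(questionManifest, 'id_token'));
console.log(missingForResponseType(enableIdTokens(questionManifest), 'id_token'));
```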
You can try by enabling the 'ID Token'.

Can I have multiple customised login pages with Azure B2C and Azure Active Directory based on criteria other than internationalisation?

I am running a Dot Net web application on App Service in an Azure subscription.
My application uses Azure B2C with an Azure Active Directory for user authentication.
Users are redirected from my application's base URL to the B2C login page, which has been customised to show the company logo.
Now, I'll need to point a second domain to the same application, and when users hit the application through that domain, I will need the login page to display a completely different logo. The choice of the logo is not based on language or location. It is purely based on the domain the user used to get to the application in the first place.
I see the Branding option is at the AD level, not at the B2C level. Therefore, all B2C applications registered under the same AD will be sharing the same login page.
AD only seems to allow me to create additional login page customisations based on language/region pairs.
Is there any way I can have multiple customised login pages using the same AD?
I would be willing to register multiple B2C applications and redirect users to the login page with different application Ids if necessary. I could change my code to identify the domain the user used to get to the application and then use the correct Id, but I couldn't find a way to have different login page customisations for different B2C applications under the same AD.
Following on from the previous answer by @Sunny, you can select the custom page UI based on any of the authentication request parameters, using a custom policy.
Example 1: Select on the standard "client_id" parameter
The following content definition loads the custom page UI where the client_id parameter is part of the URL path to the page resource:
```xml
<ContentDefinition Id="api.signuporsignin">
  <LoadUri>https://somewhere.com/{OIDC:ClientId}/signuporsignin.html</LoadUri>
</ContentDefinition>
```
Example 2: Select on a non-standard "brand" parameter
The following content definition loads the custom page UI where the brand parameter is part of the URL path to the page resource:
```xml
<ContentDefinition Id="api.signuporsignin">
  <LoadUri>https://somewhere.com/{OAUTH-KV:brand}/signuporsignin.html</LoadUri>
</ContentDefinition>
```
The main advantage of including parameters as parts of the URL paths to the page resources is that these page resources can be deployed to a storage service, such as Amazon S3 or Azure Storage, where this storage service doesn't support a query string parameter that is described by the "Step 8: Add dynamic content" section in the "Azure Active Directory B2C: Configure the UI with dynamic content by using custom policies" document.
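As an added example (not part of the answer), a local resolver that substitutes the `{OIDC:ClientId}` and `{OAUTH-KV:<key>}` claim resolvers in a LoadUri template from an authorization request, so you can see which page resource each request selects before deploying the policy; B2C performs this substitution service-side, and the function name and sample request are assumptions.

```javascript
// Added example: resolve a ContentDefinition LoadUri template against an
// authorization request URL. {OIDC:ClientId} reads client_id; {OAUTH-KV:key}
// reads the query parameter named key. Names here are assumptions.
function resolveLoadUri(template, authorizeRequestUrl) {
  const params = new URL(authorizeRequestUrl).searchParams;
  return template.replace(/\{(OIDC:ClientId|OAUTH-KV:([A-Za-z0-9_-]+))\}/g,
    (match, resolver, key) => {
      const value = resolver === 'OIDC:ClientId' ? params.get('client_id') : params.get(key);
      if (value === null) {
        throw new Error(`request carries no value for ${match}`);
      }
      // the value comes from the caller's request: keep it to one path segment
      return encodeURIComponent(value);
    });
}

// Templates from the answer's two examples.
const BY_CLIENT_ID = 'https://somewhere.com/{OIDC:ClientId}/signuporsignin.html';
const BY_BRAND = 'https://somewhere.com/{OAUTH-KV:brand}/signuporsignin.html';

// Constructed authorization request with placeholder tenant, policy and client id.
const request =
  'https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/oauth2/v2.0/authorize' +
  '?p=B2C_1A_signin&client_id=11111111-2222-3333-4444-555555555555' +
  '&brand=fabrikam&response_type=id_token&redirect_uri=https%3A%2F%2Flocalhost%2F';

console.log(resolveLoadUri(BY_CLIENT_ID, request));
console.log(resolveLoadUri(BY_BRAND, request));
```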
The Azure AD B2C tenant represents a collection of identities to be used with relying party applications. It can use Customize UI dynamically to configure the identity provider selection page for sign in or sign up, but what you want to configure is just for the different Azure AD tenant; all of them are considered the same kind of identity provider in Azure AD B2C, so it cannot do this like the Company Branding in Azure AD.

Azure active directory - When adding a new application from the gallery, it doesnt show 'Manage Manifest' option

We are using Azure AD as identity provider for our SAML SSO enabled application. If we add a new application to Azure directory from the gallery option, it doesn't show me the 'Manage manifest' option. When we add a new app by selecting 'Add an application my organization is developing' it shows that option at the bottom.
As a result, we are unable to set the logout URL for the application, and when we perform a logout for that application, it doesn't redirect back to our service provider application.
Thanks,
Mitesh J.
At this point in time, applications added by selecting 'Add an application my organization is developing' and applications added by selecting 'Add an application from the gallery' have several differences including the ability to edit the manifest, which is only present in the former.
However, you can still set up redirect URIs for both. As you noted, in 'application my organization is developing', you can do that by editing the manifest or via the Configure page.
For 'application from the gallery', you can set up a redirect URI by:
Select the application in the Azure AD page of the classic Azure Management portal.
Click on Configure single sign-on
Select Microsoft Azure AD Single Sign-On
In the Configure App Settings, check the Show advanced settings (optional) checkbox.
Set the Reply URL (optional)