Here is the documentation for adding a new member to a project—pretty simple.
However, when I add a new member to the project, I get an error:
Error
The specified invitation was not found.
The member I'm adding is an alias account. When I say alias account I mean my main account (username#gmail.com) owns the project, and I'm trying to add a different email that I own (me#mydomain.com). me#mydomain.com is a sub account of username#gmail.com.
When I click the confirmation link, first I have to type in me#mydomain.com's password, then I am redirected to type in username#gmail.com's password, and finally I am redirected to the project where I get the ugly error staring me in the face.
I would be talking with google right now if I could, but I'm a bronze member…
This answer explains that if I want to change the email that displays on the oauth permissions screen, I need to add the email to the project. I'm trying to add the email to the project so I can display me#mydomain.com instead of username#gmail.com on the oauth permissions screen.
Looks like it isn't possible:
Because multiple sign-in is not supported, you will access Google Developers as your default account, username#gmail.com.
It is possible if you don't use sub-accounts! I got it working!
Instead of having me#mydomain.com as a sub-account of username#gmail.com, I had to remove me#mydomain.com from username#gmail.com, then create a new completely separate google account for me#mydomain.com. After doing that, everything was a cinch!
Related
I'm building a static website in Azure and want to use this function:
https://learn.microsoft.com/de-de/azure/static-web-apps/authentication-authorization
When I try to invite a user, it explains that an administrator as to accept this invitation, but where does he have to do this? I cannot see an option for this in portal.azure.com
it also seems not to be possible to "preload" the roleassignments to the users. because on the "acccessmanagement" site for this website in portal.azure.com it grants the access to the complete resource in portal.azure.com, but I just want the user to use the website.
Any ideas?
Thanks,
kind regards
If you are following the invitation instructions in that document, you need to copy the link from the "Invite" link box and actually send it to the person.
Navigate to a Static Web Apps resource in the Azure portal.
Under Settings, click on Role Management.
Click on the Invite button.
Select an Authorization provider from the list of options.
Add either the username or email address of the recipient in the Invitee details box. For GitHub and Twitter, you enter the username. For all others, enter the recipient's email address.
Select the domain of your static site from the Domain drop-down.
The domain you select is the domain that appears in the invitation. If you have a custom domain associated with your site, you probably want to choose the custom domain.
Add a comma-separated list of role names in the Role box.
Enter the maximum number of hours you want the invitation to remain valid.
The maximum possible limit is 168 hours, which is 7 days.
Click the Generate button.
Copy the link from the Invite link box.
Email the invitation link to the person you're granting access to your app.
I'm currently trying to integrate with Azure AD using the admin consent flow.
I've set up an app in our domain, set a few permissions on it and am then navigating to the following link:
https://login.microsoftonline.com/mytestdomain.onmicrosoft.com/oauth2/authorize?client_id=12345678-1234-1234-1234-123456789012&response_type=code&redirect_uri=http://example.com/responsehandler&resource=12345678-1234-1234-1234-123456789012&prompt=admin_consent&state=12345
(Some of the values here have been swapped out for "example" values)
When I navigate there I get asked to sign in, which I do using a different test domain into which I want to import the app.
After signing in I'm shown a list of all the permissions that the app needs (which appear to be correct), I click accept but then I get the following error:
AADSTS90002: Requested tenant identifier '00000000-0000-0000-0000-000000000000' is not valid. Tenant identifiers may not be an empty GUID.
I'm not sure where this empty GUID is coming from and after some searching I can't find any reference to what might be causing it.
Daniel Camargo's comment above seems to have done the trick.
When I navigated to the login.microsoftonline.com link I was logging in with the user that created the domain.
If I log in with a test admin user that I created it works as I'd want.
I am not convinced that we had exactly the same problem, given that my case was involving a Cordova application, but I will share my scenario anyway:
I created a trial account for my proof of concept and for that I used my personal Microsoft account that I will call mypersonalaccount#outlook.com.
Thus, mypersonalaccount#outlook.com is now part of 2 directories: the outlook.com and my recently created mypersonalaccount.onmicrosoft.com.
When I was trying to authenticate in my Oauth2 application using mypersonalaccount#outlook.com I got that error. My humble guess is that the error is related to some sort of collision between the 2 accounts.
I later created a user1#mypersonalaccount.onmicrosoft.com and a guest account using my gmail account. Everything worked fine with these ones.
Was having the same problem, and the same after 1 week of work by the azure team, was solved.
My problem was being trying to log in to VSTS with AAD accounts.
I've been working with the Azure B2C for a couple of days now and have a few issues and questions:
Url that it creates to redirect for login is formed incorrectly. It contains a question mark twice - after the url, and again after the profile name. This causes a 404 not found error every time you login, log out, etc. For example, the URL it tries to redirect to for login looks like this: https://login.microsoftonline.com/samlmanbc.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_firstdemoprofile?client_id=08fcblahblah. You'll notice a second question mark after the profile name, and that's what breaks it.
If I fix that and try and log in, it doesn't recognize the username / password of my account that's a global admin. It DOES recognize the username / password of a new user I created locally in the directory.
In the OnRedirectToIdentityProvider method, when the request type is authentication, the AuthenticationResponseChallenge is null, which makes this call fail:
OpenIdConnectConfiguration config = await mgr.GetConfigurationByPolicyAsync(CancellationToken.None, notification.OwinContext.Authentication.AuthenticationResponseChallenge.Properties.Dictionary[Startup.PolicyKey]);
I worked around this by using the static string SignInPolicyId for the second parameter. That works fine when an account already exists, but if it doesn't then Azure fails at login and says an account doesn't exist for the user. So what is the right value to use there, and/or how does one initialize it so it isn't null?
The type of a claim that was added to a profile is preceded with "extension_"; is that always going to be true or just for now? For example, I added a property called "favoriteTeam", but the claim type for it is "extension_favoriteTeam".
When you use FaceBook as an identity provider, is there any way to pass along the Facebook access token claim (http://www.facebook.com/claims/AccessToken)? This was useful when using ACS with Facebook because your app can then use that token to make additional calls to Facebook to get data from it.
In relation to issue 1 - I updated my reference Microsoft.IdentityModel.Protocol.Extensions to v1.0.2.206221351 and it started working. I made some updates to other references before this, so if the first one doesn't work, try updating more assemblies from nuget.
This is as expected. A page that signs in "local account" users will not sign in your work or school account (in this case, the global admin user).
Always going to be true. We will be cleaning up the Admin UX to make this more clear.
This is on our roadmap. No ETA as yet.
I'm having trouble understanding how to add administrators to my app. Of course, as the creator of the app, my account is an administrator. To add another, I go to the Administration Console, and click on Permissions in the sidebar. There's no option on that page to add an admin, but it offers a link to the "new Permissions page." On that page, I can add another account as an owner, but when I log in as that account, my app isn't visible in the Administration Console, and that account fails the programmatic users.is_current_user_admin() test.
Is App Engine just being buggy, or am I missing something?
You have first visited the old appengine console's permission page (https://appengine.google.com/permissions). Google removed the add member functionality from this page.
When you clicked the "Try the new Permissions page.", It will redirect to new appengine console(https://console.developers.google.com/project/your-appid/permissions). In this page, You can add new members to your application with permission is owner or Can edit or Can view. Once you add a member, Google will send the invitation to the member. They need to accept it. You can view the status from the same page. If the member is not accepted the invitation yet, You can see the status as "Invitation sent. Waiting for response."
Once they accept the invitation, Member can able to access your application.
I have configured my first application in Windows Azure Active Directory and everything works fine: I can login using accounts in my directory.
However, I'm not entirely clear on all the concepts yet, especially the sign-on url. The tooltip says:
The URL where users can sign in and use your app. You can change this later.
But users sign in somewhere on login.windows.net and furthermore, it doesn't matter what I enter here, authentication keeps working. So what is this 'sign-on url'?
If you visit http://aka.ms/myapps, you'll find a long list of applications that have access to your account. If you click on these apps, you should be redirected to a home page where the sign-in process could be initialized. However, if the app doesn't declare a signInUrl in its manifest, you'll get an error that says the app is misconfigured.
something went wrong...
You cannot access this application because it has been misconfigured. Contact your IT department and include the following information:
Undefined Sign-On URL for application "BlahBlahBlah"
In the new Azure portal UI, the "SIGN-ON URL" is now called "Home page URL", which you can find under Branding in the app registration configuration.
I can see why this may be confusing. I think you can look at this as the URL where the whole sign-in process starts (i.e. your app's URL, which, if they're not logged in, will sends them to login.windows.net).
Also, even if for now you might be able to enter anything and authentication still works, I'd try to make it point to the right place just in case things change in the future.
It appears to me that It has significance with respect to wsFederation realm value when user sign out and redirected to Active directory sign in page.
When you add your application to azure ad, it gives you client id and key. When you use that in MVC webappp, you will see that there is an entry like below in web.config:
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" />
<wsFederation passiveRedirectEnabled="true" issuer="https://login.windows.net/{some guid}/wsfed" realm="https://localhost:44304/" requireHttps="true" />
</federationConfiguration>
</system.identityModel.services>
Copy the value of user to sign-on url.