SP Initiated SAML SSO gives error "Insufficient Privileges" - salesforce

I have a SAML service provider (SP) and I want to use Salesforce as an identity provider (IdP) with my SP.
I have set up a domain and created a new Connected App with SAML enabled with all required details. Then I downloaded the metadata and used it to register on the SP.
Salesforce gives me an IdP-initiated Login Page URL. When I visit that, it works perfectly. It redirects to the Salesforce login and after that sends the SAML response to the SP. But when I visit the SP and initiate login from there, it redirects to a Salesforce page which gives the following error:
Insufficient Privileges
You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary.

I had the same issue and got it fixed. Here are some helpful tips.
You can check the logs under 'Manage Users -> Identity Provider Event Log'. This could give the reason for your error. I got an 'Error: User does not have access to this service provider' error.
For this, the user was not given permission. Even if the user is System Administrator, access to the Connected App is not given by default. To give permission, go to 'Manage Users -> Users' and click edit on the user you are testing. Click the profile name link, e.g. System Administrator. This takes you to the profile page. Scroll down to 'Connected App Access' and you will see that the access is not given. Give the access by clicking edit profile at the top of the page.

SonarQube to Azure AD is failing with 401 error in logs

I have nginx --> SonarQube.
nginx is able to forward requests successfully.
We want to integrate authentication with Azure AD.
We followed the instructions from here:
https://www.emtec.digital/think-hub/blogs/sonarqube-integration-azure-active-directory/
So when I access https://mycompany.com, I get a login page which has "Login with Microsoft" and More options (you can log in with a local user).
When I enter the username and password for Microsoft, we see that Azure AD is returning the token, but SonarQube rejects it after that. I see this in the SonarQube access log:
"GET /api/navigation/global HTTP/1.1" 401 - "https://mycompany.com/sonar/oauth2/callback/aad?co
So it goes back to the login page again. Not sure what I am doing wrong.
Please check the points below:
Try upgrading SonarQube to the latest version.
The redirect URL should be configured with a correct URL, e.g. https://sonarqube.example.com/oauth2/callback/aad. Here /oauth2/callback/aad is a must in addition to the application URL. For example, if your main URL is "https://sonarqube.example.com" in the Sonar server base URL, you would enter "https://sonarqube.example.com/oauth2/callback/aad" as the redirect URL in AAD.
Make sure the user has the required role or permissions to access.
Set the required permissions in the portal and grant consent if required:
i) Sign in and read user profile
ii) Read all users' basic profiles
Also please check http redirection (Stack Overflow reference). The redirect URL must have an https or loopback address, else the Azure AD login will not work.
Try clearing the cookies and restart after any changes are made.
References:
sonar-auth-aad (github)
running-sonarqube-behind-an-iis-reversed-proxy
docs.sonarqube.org
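The redirect URL rules from the answer above (base URL plus /oauth2/callback/aad, registered exactly in AAD, https unless loopback) can be checked before touching the portal. The following is an added example, not code from the sonar-auth-aad plugin or from the answer; the base URL and registered URIs are constructed sample values, the /sonar context path mirrors the access log line in the question.

```python
from urllib.parse import urlsplit

# Path the sonar-auth-aad plugin listens on, appended to the server base URL
# (the base URL may itself carry a context path such as /sonar behind nginx).
AAD_CALLBACK_PATH = "/oauth2/callback/aad"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def expected_redirect_uri(server_base_url: str) -> str:
    """Build the redirect URI that must be registered in Azure AD for a
    given Sonar server base URL (sonar.core.serverBaseURL)."""
    parts = urlsplit(server_base_url.strip())
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {server_base_url!r}")
    base_path = parts.path.rstrip("/")
    return f"{parts.scheme}://{parts.netloc}{base_path}{AAD_CALLBACK_PATH}"


def check_redirect_config(server_base_url: str, registered_uris: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the configuration is
    consistent. AAD compares redirect URIs exactly, so the callback path must
    be present verbatim, and a non-loopback URI must use https."""
    problems = []
    expected = expected_redirect_uri(server_base_url)
    parts = urlsplit(expected)
    if parts.scheme != "https" and (parts.hostname or "") not in LOOPBACK_HOSTS:
        problems.append(f"redirect URI {expected} is not https and not loopback")
    if expected not in registered_uris:
        problems.append(f"Azure AD app lacks redirect URI {expected}")
        # Common mistake: only the application URL was registered.
        for uri in registered_uris:
            if uri.rstrip("/") == expected[: -len(AAD_CALLBACK_PATH)]:
                problems.append(f"{uri} is missing the {AAD_CALLBACK_PATH} suffix")
    return problems


if __name__ == "__main__":
    # Constructed sample: host from the question with a /sonar context path,
    # while only the bare application URL was registered in AAD.
    for problem in check_redirect_config("https://mycompany.com/sonar/",
                                         ["https://mycompany.com/sonar"]):
        print(problem)
```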

Can't access to power bi api from ROPC

I try to get reports from the Power BI API. There is an app with permissions. If I insert "openid" or any of the Microsoft Graph scopes into the scopes, the request returns an access token. This token doesn't let me access reports. If I insert "Report.Read.All" or any of the Power BI scopes, I receive an invalid_grant error: 'The user or administrator has not consented to use the application with ID named 'Интеграция с Битрикс24'. Send an interactive authorization request for this user and resource.'. The request from the error message was sent by me many times. Please tell me what the mistake could be. What setting could I have forgotten?
You need to insert the full URL scope in the request body to access the Power BI token: https://analysis.windows.net/powerbi/api/Report.Read.All instead of Report.Read.All.
I could help you with an alternative where you can update the Graph Client to a Newer version. The admin of the subscription can grant the consent through the portal as shown below from Home > App > API Permissions.
We have done the following steps:
Revoke all admin consent.
Remove all permissions
Add removed permissions back.
Grant admin consent.
Here is the Microsoft document which you can refer to: Construct the URL for granting tenant-wide admin consent

AWS Cognito: how to deny Login to a user if it is not part of the user pool?

I want to deny login to a user if it tries to log in when its username and password are not registered in the user pool. Is there a way I can do that?
You can leverage the use of a pre-authentication Lambda trigger here.
Since you mention there are two pages (manager and employee), I believe the architecture is such that the manager login page and the employee login page use different app clients. So basically two app clients in a single user pool.
A pre-auth trigger, as the name suggests, is triggered right before the login. Inside this Lambda function, you need to write code to check if the request is coming from the manager's app client, and if so reject the login. An example is provided here.
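A Pre Authentication trigger in the shape the answer describes, as an added example (not the answer's linked example and not AWS sample code): it reads the calling app client id from the event and either returns the event (allow) or raises (reject). The two client ids are placeholders, and the custom:role attribute used to tell managers from employees is an assumption.

```python
# Constructed example of a Cognito Pre Authentication Lambda trigger (Python runtime).
# Cognito invokes it before the password is verified; returning the event allows the
# attempt, raising an exception rejects it and the message reaches the client.

# Assumed app client ids for the two login pages (placeholders, not real ids).
MANAGER_APP_CLIENT_ID = "MANAGER_CLIENT_ID_PLACEHOLDER"
EMPLOYEE_APP_CLIENT_ID = "EMPLOYEE_CLIENT_ID_PLACEHOLDER"

# Assumed custom attribute carrying the user's role; a group or any other marker
# present in request.userAttributes would work the same way.
ROLE_ATTRIBUTE = "custom:role"


def is_login_allowed(client_id: str, user_attributes: dict) -> bool:
    """Decide whether a sign-in from app client `client_id` is acceptable for a
    user with the given attributes (the request.userAttributes part of the event)."""
    role = user_attributes.get(ROLE_ATTRIBUTE, "")
    if client_id == MANAGER_APP_CLIENT_ID:
        # Only users flagged as managers may sign in through the manager page.
        return role == "manager"
    if client_id == EMPLOYEE_APP_CLIENT_ID:
        return True
    # Unknown app client: fail closed rather than open.
    return False


def lambda_handler(event, context):
    """Entry point Cognito calls for the PreAuthentication trigger."""
    client_id = event.get("callerContext", {}).get("clientId", "")
    attrs = event.get("request", {}).get("userAttributes", {})
    if not is_login_allowed(client_id, attrs):
        # Cognito turns this into a NotAuthorizedException for the caller.
        raise Exception("Login is not permitted from this application")
    return event
```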

Is there a way to keep user logged in to Azure ADB2C when they attempt to link a social account and click cancel?

When someone goes to link their social media account to their ADB2C registration, we have a problem whereby we are unable to distinguish between a failed ADB2C sign-in and the cancellation of their request to link their social media account.
When someone, for example, tries to link their Facebook account, a URL like this sits behind the 'Not now' link:
https://test.b2clogin.com/test.onmicrosoft.com/oauth2/authresp?error=access_denied&error_code=200&error_description=Permissions+error&error_reason=user_denied&state=StateProperties%3DeyJTSUQiOiJ4LW1zLWNwaW0tcmM6NzMyYWQzZWXtZGI4OS00YjZiLTlmYzgtYTY5NzYxZDdjMDY0IiwiVElEIjoiNTcxZWE5M2UtODQ4NS00MTMzLTlhZmItOTQwMWIyMDAwOGE5IiwiVE9JRCI6Ijc4ZDUxNTY3LTkzYTAtNDEyMy1iMHI1LTVmN2E1NzNjMzRkYSJ9#_=_
We trap the AuthenticationFailedNotification, but within it we haven't been able to find a way to distinguish between:
an access denied message based on the cancellation of the request to link a social media account, and
an actual, genuine access denied response.
We check:
if (notification.ProtocolMessage.Error == "access_denied" && notification.ProtocolMessage.ErrorDescription.StartsWith("[A SPECIFIC ERROR ID]", StringComparison.InvariantCultureIgnoreCase))
We would then have a specific user flow configured for each scenario, based on the error description, authentication policy and authentication type (social media or ADB2C).
Our requirement is for the user to remain logged in to ADB2C when they attempt to link a social account, but don't actually go through with it.
Microsoft's own example, https://woodgrovedemo.com/ works in the same way, whereby the user is logged out when they cancel the linking of their social media account (for example, by clicking 'Not now' when going to link their Facebook account).
You can't, because it's the same thing!
When a user cancels the Facebook process with the 'Not now' button, the user isn't logged in. You need the user to accept being linked to your app for Facebook to send an approbation and for claims to be delivered to your app. Without these claims, the user is not logged in.
So you can't have a requirement to keep the user logged in, since he hasn't been logged in yet. It's false to think that Microsoft's example logs out the user, since he was never logged in.

Is it possible to authenticate IdentityServer4 against AzureAD for a guest user account?

I've set up IdentityServer4 to use AzureAD backend authentication. All's well and it works, but when trying a guest user account, it just seems to hang.
I've set "signInAudience": "AzureADMyOrg" in the Manifest file for the authenticating app on AzureAD. Also I am using the tenant-specific URL for the Authority from IDS4: "https://login.microsoftonline.com/abc.onmicrosoft.com".
And I've added the Microsoft Account as a guest user to AzureAD.
PS:
Noticed that it gives an error page with:
This login.live.com page can’t be found
No webpage was found for the web address:
https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51487777-085c-4777-bf88-cf50c7257777&scope=openid+profile+email+offline_access&response_mode=form_post&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2ffederation%2foauth2&state=rQIIAZ2Vuc7kABCDE59_ZnZmkGBBK0Q4wUocwv_4Pn6Job2... etc... &username=abc%40gmail.com
Notice the "https%3a%2f%2flogin.microsoftonline.com%2fcommon" in there, even though I've specified a tenant-specific authority with IDS4...
Tried manually changing that part to "https%3a%2f%2flogin.microsoftonline.com%2fcontoso.onmicrosoft.com" and it still gives the same error: "This login.live.com page can't be found".
The guest user email account is actually a gmail.com account, which has been added as a guest user on AzureAD. When I look at the identity for that guest user account, it is of type Microsoft Account. Do I need to add either Gmail or Microsoft (live.com) as an additional authentication provider (in addition to AzureAD) to IDS4 for it to work?