I'm trying to configure the Microsoft Portal add-on for Dynamics 365 to work with an external identity provider that supports SAML2.
I've followed all the steps as described in the documentation: https://learn.microsoft.com/en-us/dynamics365/customer-engagement/portals/configure-saml2-settings
The portal is correctly redirecting me to the identity provider login screen, I enter my credentials and then I am redirected to the URL specified in the AssertionConsumerServiceUrl site setting, which should be: https://mycustomportal.microsoftcrmportals.com/signin-saml2
At this point, we get a 404 and we do not get logged in.
I tried setting up the SAML2 Azure AD settings which take us to a different endpoint (https://mycustomportal.microsoftcrmportals.com/signin-azure-ad) and it works as expected.
Has anyone had any luck in getting the generic SAML2 sign in working?
Related
I have followed the solution explained in the Azure SSO related question in the forum
After that i checked in the Portal Azure try testing from the portal itself but it keeps redirecting me to the login page only if doing it first time so its new to me though. am i missing something or i need to write login handler for my application to handle this as for now i have not created any handler for login because as per the description in the link it supposed to work .
I tried by having dd in the service provider that has been created but its not reflecting as i am confused and stuck here i am not getting where i need to write the logic where i need to handle users with type in this as for login now it is redirecting me to login route when i test it from azure portal.
Any guidance on this would be helpful !
• I would suggest you follow the Github documentation below for configuring the lavarel SAML SSO in Azure AD as it uses Lavarel package for SAML2 integration as a service provider itself. Also, as you have added the service provider in your case, it doesn’t need to if you are using v 5.5 and higher of Lavarel as it gets automatically registered. Its just for older versions that you need to add the service provider in ‘config/app.php’.
https://github.com/aacotroneo/laravel-saml2
• Thus, once you do the above and publish the config files accordingly by executing the php commands, then you will need to modify the IDP settings in PHP app’s configuration and in here, please ensure that you are entering the ACS(Reply) URL and Identifier (Entity ID) from the Azure AD created application correctly. Also, ensure that the required SAML URLs and certificate keys are correctly entered in the environment variables required in the aad_idp_settings.php
Also, please check the actual routes in the metadata, by navigating to ‘http(s)://{laravel_url}/{idpName}/metadata’ as they must be reachable for your application to pass the authentication claims to AAD for get the authentication token and since, you are configuring SSO, please check the IDP metadata for ‘http(s)://{laravel_url}/single_sign_on/mytestidp1/metadata’ and finally please ensure that ‘RedirectIfAuthenticated.php’ is configured to redirect to ‘/routesPrefix/myIdp1/login’ and the same in '/Exceptions/Handler.php'
By following the above steps, your issue should be resolved.
I am working in a project where we are authenticating any REST API requests from UI or anywhere else using ADFS STS tokens. There are some direct calls from UI with ADFS STS token in header for authentication/authorization and there are some external 3rd party calls not from UI, but also using ADFS STS tokens in header. Now we are planning to migrate partially to Azure AD token, post which there may still be some applications that will keep using ADFS STS tokens, so there can be situation where an external application that is unaware of migration to Azure may still call an internal application using ADFS STS Token and we are supposed to be compatible with it. Similarly there can be a situation that an internal application that is migrated to Azure AD token is internally calling one of the legacy applications which is still not migrated to Azure AD and won't in future too.
I have two challenges now:
How to support the above design so that even if an Azure token is used the API is still able to call an external service (working on ADFS) by creating an ADFS token from within the code and setting it in headers ?
Header in a HTTP request seems to be an unmodifiable data and when i tried to modify it within a requesttemplate in an request interceptor code, it failed saying unmodifiable map.
How do I handle this ? Please someone help.
Unfortunately I cannot share code due to internal restrictions.
Please check if below references provide some idea in your case.
According to Mix ADFS and Azure AD for authentication - Microsoft Q&A.
If you have O365 federated with ADFS and you federate an application
with Azure AD, the authentication flow would be:
User accesses the application which is federated to Azure AD.
Application will redirect to Azure AD authentication endpoint (https://login.microsoftonline.com) for authentication.
User will be prompted for credentials.
Based on the UPN suffix (If the domain is federated with ADFS), user will be redirected to ADFS.
ADFS will authenticate the user and issue a WS-Fed token to Azure AD.
Azure AD will receive the token and issue a SAML token to the application.
User will finally get access to application.
References:
Configure AD FS 2016 and Azure MFA | Microsoft Docs
Azure AD Connect - Manage AD FS trust with Azure AD using Azure AD
Connect | Microsoft Docs
federating ADFS with Azure Active Directory (techdirectarchive.com) & reference- Solution Zone
I have a Google Cloud App Engine app that functions correctly when either I allow unauthenticated AllUsers access or turn on IAM for controlling access in Identity Aware Proxy. However when I follow the instructions on this page https://cloud.google.com/iap/docs/cloud-run-sign-in to enable Cloud Run Hosted sign-in with external identities and attempt to access either the login page or the Google Cloud Run hosted sign-in page, I receive the following error in the browser.
"Could not fetch URI /computeMetadata/v1/instance/service-accounts/default/token?scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/identitytoolkit"
For context, the Google Cloud Run service hosting the user sign-in is set to allow all Unauthenticated. It should re-direct to the Google App Engine web app. I think this is related to permissions or redirects, but I am at a loss as to how to fix. Any thoughts? Thanks!
I attempted to fix by re-deploying the Cloud Run Service, switching IAP on and off, switching between IAM and external identities, but to no success.
Thanks #John Hanley, I discovered that one my compute engine service account was disabled for some reason within the project. Re-enabling solved the problem partially. I'll spend more time matrix out the permissions and re-directs to make sure they are aligned.
I originally thought I completely answered my own question and solved my problem. Unfortunately, I only solved one of the problems with my implementation of the external identities authentication method.
Description of the other problem:
I enabled email/password and Google as providers, but when I click on the the option to authenticate with Google, I receive the following text in the browser: "The requested action is invalid."
At the Console in Dev Tools I get the following error:
GET https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=*mykey*&cb=1599165379363 403
The following url is displayed in the URL bar:
https://.firebaseapp.com/__/auth/handler?apiKey=mykey&appName=%5BDEFAULT%5D-firebaseui-temp&authType=signInViaRedirect&providerId=google.com&customParameters=%7B%22hl%22%3A%22en%22%7D&scopes=profile&redirectUrl=https%3A%2F%2Fiap-gcip-hosted-ui-app-engine-app-myserver-uc.a.run.app%2F%3FapiKey%3Dmykey**&v=7.16.0&fw=FirebaseUI-web
mykey and myserver were removed for this post and is not the actual values.
Email/password sign-in works, but not the Google sign-in. What am I missing here?
Short description:
Im using laravel application which already has system for logging in with microsoft account. That system works, but this is the first time im working on it, and i can not establish locally that users can sign in with their microsoft account into the application. Because system in the application works, and i get error when logging in, the issue must be in my configuration at Azure portal.
My configuration is as following:
I have created tenant and registered app in it. My SAML config is as following:
Entity ID: https://login.microsoftonline.com/tenant-id/saml2
Reply URL (Assertion Consumer Service URL): https://sts.windows.net/tenant-id/
In my .env i have set following values:
AZURE_AD_CALLBACK_URL=/login/microsoft/callback
AZURE_AD_CLIENT_ID=id-of-the-application-in-tenant
AZURE_AD_CLIENT_SECRET=tenant-secret-key
SAML2_AZURE_SAML_ENABLED=true
SAML2_AZURE_IDP_SSO_URL="https://login.microsoftonline.com/tenant-id/saml2"
SAML2_AZURE_IDP_ENTITYID="https://sts.windows.net/tenant-id/"
SAML2_AZURE_IDP_x509="tenant-id"
SAML2_AZURE_SP_ENTITYID="https://some-app.com/"
I get following error after entering my credentials:
AADSTS700016: Application with identifier 'https://someapp/' was not found in the directory 'tenant-id'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
I have added user to the application, which i use to test login, so this error is totally confusing for me.
I dont know if i provided all neccessary info, but if some missing i will provide them.
I hope someone knows what is wrong with the configuration
The tenant id is a GUID. Have you used this or are you using the "tenant-id" string?
Also, the ACS is an endpoint in your application - not an Azure URL.
I want to authenticate my mvc application by microsoft. I successfully done with Facbook, Google and Twitter, but when i click on Microsoft then the error `We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later`
is coming.
I successfully created an app and paste the Client ID and Client Secret in my mvc application . But I do not know the real problem
What is the return URL that you specified for the given Client ID and Client Secret? If the site is not running under that specific URL (e.g. is running under localhost whilst you are in dev mode), you can get this error message.
In my case I had my gmail account configured as my primary Microsoft Live account once I changed this to my Hotmail account as the primary account and then created a new app with a new name Client ID and Secret it started working for me.
The gmail account worked signing in as a gmail user on my app Identity Provider being Google to give some background this is the account I used as my Microsoft Account. I suspect my Microsoft account using my gmail user name and password confused the MS identity Provider thus resulting in the error. So avoid using a different Identity Providers credentials to authenticate with a different Identity provider if testing this. One account per Identity provider not associated to other Identity providers.
Since the Google account had been my primary for the other Identity Providers when I logged into the App as this I as essentially I suspect therefore already logged in with my Microsoft account.
Step 1:-
Open Application Registration Portal of Microsoft [https://apps.dev.microsoft.com] where you have Registered your Application.
You need to make change in Redirect URIs
For example :-
The URI which is Registered
URL:- http://localhost:8000
Change to make in URI :-
Just Add :- [/signin-microsoft] at end of URL It works
URL:- http://localhost:8000/signin-microsoft
Finally save your setting and try again it will work.
In my case, it failed when I used my personal Outlook account to login.
Once I switched to an Office 365 account, it started working.