What is itfoxtec-identity-saml2 Issuer in adfs setup? - adfs

I'm setting up ITfoxtec Identity SAML2 for ADFS. What should be used as Issuer for ADFS setup?
And where to get SingleSignOnDestination?
Many thanks

The application can read the AD FS issuer and SingleSignOnDestination in the AD FS metadata:
https://--adfs domain--/federationmetadata/2007-06/federationmetadata.xml
The AD FS metadata URL is configured in the relying party IdPMetadata, please see the ASP.NET Core sample config line 11:
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/appsettings.json#L11
The sample application loads the AD FS metadata in Startup.cs: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Startup.cs#L40

Related

Enable Azure AD SSO on Web Server which has no internet connection

I implement my ASP.Net Web Application SSO with Azure AD. Everything work fine my testing server which has an internet connection.
My customer policy does not allow internet connection on their server and the SSO failed when validate the token from the Microsoft after user authenticated. The error is "IDX20803: Unable to obtain configuration from: [PII is Hidden]".
I add the Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true; to my Startup.cs class, the error more detail: "IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/MYTENANTID/.well-known/openid-configuration'".
My question is: I will request my customer open their firewall to allow only login.mirosoftonline.com. Does it enough? Does it need to allow another requests? And what are another requests?
according to microsoft, https://learn.microsoft.com/en-ca/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online
I believe category 56 is for identity and authentication, whether you need them all, I'm not sure, but Microsoft seems to think so?
56 Allow
Required Yes *.msappproxy.net, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com
20.190.128.0/18, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48

Exception using Azure Managed Service Identity across tenants

I'm building an Azure web app for a client that will be provisioned into many other directories for their customers. This app will call a web API in my client's directory, which will then call back to another web API in the customer's directory. Something like this:
Other Customer AAD1 --------- My client AAD2
App --------------------------------> Web API 2
Web API 1 <-------------------------- Web API 2
We have been able to get the first call to work. This requires a corresponding App Registation for Web API 2 in AAD1. We figure that we could get the callback to work by following the same pattern, with a registration for Web API1 in AAD2. However, that might be a LOT of these 'proxy' registration in my client's AAD, so we're looking at alternatives.
We are exploring using Managed Service Identity, which we think will allow us to get tokens that are valid for resources in other tenants. If there's a better way, I'm certainly interested in knowing about it.
I've followed the code example from here using the Microsoft.Azure.Services.AppAuthentication library: https://learn.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity#obtaining-tokens-for-azure-resources
// In Web API 2
using Microsoft.Azure.Services.AppAuthentication;
// ...
var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(
"https://<App ID URI for Web API1>");
Web API2 is configured to have a Managed Service Identity.
I'm currently running this on my local machine, and I've installed Azure CLI and I'm logged in. I've tried 'az account get-access-token', and I get a valid token.
When Web API2 tries to get the token to be able to call Web API1, I get an exception:
Parameters: Connectionstring: [No connection string specified], Resource: , Authority: . Exception Message: Tried the following 2 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: , Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: , Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. ERROR: Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Web API 1'. Send an interactive authorization request for this user and resource.\r\nTrace ID: f5bb0d4d-6f92-4fdd-81b7-e82a78720a00\r\nCorrelation ID: 04f92114-8d9d-40c6-b292-965168d6a919\r\nTimestamp: 2017-10-19 16:39:22Z","error_codes":[65001],"timestamp":"2017-10-19 16:39:22Z","trace_id":"f5bb0d4d-6f92-4fdd-81b7-e82a78720a00","correlation_id":"04f92114-8d9d-40c6-b292-965168d6a919"}
What's interesting is that there's no application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' in either AAD1 or AAD2. Is this a known Azure app? I thought that it might be the Service Management API, but I'm not sure.
In any case, I'm not sure of the proper way to grant permission. I've tried building different content URLs like this into my browser, but none of them seem to have done the trick:
https://login.microsoftonline.com/(AAD1 ID)/adminconsent
?client_id=(App ID)
&redirect_uri=https://localhost:44341
&resource=(App ID URI for Web API1)
&prompt=admin_consent
https://login.microsoftonline.com/(AAD1 ID)/adminconsent
?client_id=04b07795-8ddb-461a-bbee-02f9e1bf7b46
&redirect_uri=https://localhost:44341
&resource=(App ID URI for Web API1)
&prompt=admin_consent
(This last one tells me that the reply URL is incorrect; since it's not one of my apps, I can't find the reply URL)
Note that the tenant is AAD1.
Am I missing something, or am I not using this feature correctly?
Thanks in advance.
AzureServiceTokenProvider uses Azure CLI (among other options) for local development. For a scenario where a service calls an Azure Service, this works using the developer identity from Azure CLI, since Azure services allow access to both users and applications.
For a scenario where a service calls another custom service (like your scenario), you need to use a service principal for local development. For this, you have two options:
Login to Azure CLI using a service principal.
First, create a service principal for local development
https://learn.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest
Then login to Azure CLI using it.
az login --service-principal -u 25922285-eab9-4262-ba61-8083533a929b --password <<pwd>> --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47 --allow-no-subscriptions
Use the --allow-no-subscriptions argument since this service principal may not have access to any subscription.
Now, AzureServiceTokenProvider will get a token using this service principal for local development.
Specify service principal details in an environment variable. AzureServiceTokenProvider will use the specified service principal for local development. Please see the section Running the application using a service principal in local development environment in this sample on how to do that. https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet
Note: Ths is only for local development. AzureServiceTokenProvider will use MSI when deployed to App Service.

ASP.NET Core Azure AD OpenID - Token Signature validation fails on production server

I have an ASP.NET Core 1.1 project, with authentication using Azure AD OpenID. Authentication works fine on my dev box (windows 10), both on IIS express and full IIS. However, when I deploy the project to my server (Server 2008R2), after the after logging into the Microsoft redirect site, the server throws this error:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: VWVIc1WD1Tksbb301sasM5kOq5Q
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: An internal error occurred
at Internal.Cryptography.Helpers.OpenStorageProvider(CngProvider provider)
at System.Security.Cryptography.CngKey.Import(Byte[] keyBlob, String curveName, CngKeyBlobFormat format, CngProvider provider)
at System.Security.Cryptography.CngKey.Import(Byte[] keyBlob, CngKeyBlobFormat format)
at Internal.Cryptography.Pal.X509Pal.DecodePublicKey(Oid oid, Byte[] encodedKeyValue, Byte[] encodedParameters, ICertificatePal certificatePal)
at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPublicKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PublicKey()
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.IsSupportedAlgorithm(String algorithm, SecurityKey key)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(Byte[] encodedBytes, Byte[] signature, SecurityKey key, String algorithm, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
When I take the token received from Azure, and plug it into JWT.io, it verifies the signature successfully.
To recap:
dev box (iis express and iis) token signature verifies successfully
JWT.io debug site, token and signature verifies successfully
deployed on server (iis 7.5) signature verification fails
Does it have anything to do with the https cert I have on the server? On my dev box I am using a self-signed cert created with powershell. On the server, we have a cert issued from go-daddy.
Thanks for any help.
This exception can also occur when the 'CNG Key isolation' Windows service is not running.
See https://blogs.msdn.microsoft.com/dsnotes/2012/08/17/cngkey-import-throws-an-exception-saying-an-internal-error-occurred-when-importing-a-key-blob-under-a-non-admin-user-from-a-wcf-web-service/
The issue was the identity running the application pool. Not high enough rights.

Error with openstack server list command

I installed Openstack on my CentOs VM and when i try to see the list of launched instances, i get this error
$ openstack server list
Ignoring domain related config user_domain_name because identity API version is 2.0
Ignoring domain related config user_domain_name because identity API version is 2.0
Ignoring domain related config user_domain_name because identity API version is 2.0
Ignoring domain related config user_domain_name because identity API version is 2.0
Expecting to find domain in user - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400) (Request-ID: req-453d115d-afc8-4ea0-9c2a-4f55fd7591ba)
Can someone tell me how to change the user_domain_name?
I figured out what was missing in my current openstack credentials. I am posting these if someone has the same problem as mine.
OS_PROJECT_DOMAIN_NAME="your domain name"
OS_IDENTITY_API_VERSION=3

Azure Resource manager .Net API fails to get Resource group

I am trying to write a standalone program to access Azure Resource group details using Azure resource manager .Net library. As the per the documentation it requires Azure AD authentication and token in every resource manager request. So i created a web app in AD and configured secret key and using it to generate token.
But below code is failing even though I pass this token as bearer in request.
m_resourceClient = new ResourceManagementClient(connection.GetCredentials());
m_resourceClient.HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("bearer", connection.GetAccessToken());
***ResourceGroupGetResult resourceGroupList = m_resourceClient.ResourceGroups.Get("PraveenTest")*** ;
Error message:
AuthorizationFailed: The client '5919f7f9-####-####-####-074456eba98c' with object id '5919f7f9-####-####-####-074456eba98c' does not have authorization to perform action
'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/1f94c869-####-####-####-055e8ae15be3/resourcegroups/TestGroup'.
Your bearer token is valid, but you also need to grant your application access to the resource group.
You can do this with the following PowerShell command:
New-AzureRmRoleAssignment
-ObjectId '5919f7f9-####-####-####-074456eba98c' `
-ResourceGroupName TestGroup `
-RoleDefinitionName Reader
If you're using an Azure PowerShell version < 1.0, then the cmdlet is New-AzureRoleAssignment.
I'd recommend Dushyant Gill's blog post on authenticating ARM requests.

Resources