Error AADSTS50059: No tenant identifying information found in either the request or implied by any provided credentials.
We have two subdomains (sd1.domain.com and sd2.domain.com) registered to two different AAD apps (client id: sd1 and client id: sd2) under the same tenant. We have configured SSO for the Angular apps hosted on both subdomains.
Scenario: When I log in to both subdomains, then log out from one of the subdomains (let's say sd1) and try to refresh the page in the other subdomain (sd2), the authentication is failing with the error specified above.
Further Understanding
Q1: As we have both AADs under the same tenant, is the cookie generated by one AAD somehow affecting the other AAD? If so, what is being overwritten / invalidated / deleted?
I have read that during SSO's first login an authentication cookie is given out by the authentication server, and on top of that, for every site the SSO works on, the authentication is done with the help of this cookie and a corresponding site cookie is also generated. Reference
Q2: What and where is the authentication cookie during the SSO mechanism with Azure AD? I can look at two cookies, one stored in local storage and another
Q3: I get that SSO is used to log in to various apps at the same time and a single logout would log us out of all apps, but consider I have Office and DevOps at two different subdomains. It does not mean that if I log out of Office I get logged out of DevOps as well, right?
How can we achieve this using the configuration of two AADs under the same tenant?
Q1: As we have both AADs under the same tenant, is the cookie generated by one AAD somehow affecting the other AAD? If so, what is being overwritten / invalidated / deleted?
When you sign out from the first app, the SSO cookie is removed from AAD.
This means the Azure AD session is no longer active.
Q2: What and where is the authentication cookie during the SSO mechanism with Azure AD? I can look at two cookies, one stored in local storage
You need to look at cookies when you are in the Azure AD domain.
That's your app's local storage and cookies, not Azure AD's.
Q3: I get that SSO is used to log in to various apps at the same time and a single logout would log us out of all apps, but consider I have Office and DevOps at two different subdomains. It does not mean that if I log out of Office I get logged out of DevOps as well, right?
Yeah well, that's how single sign-on works.
If you tell Azure AD to sign you out, it'll kill your session, which will affect all apps that depend on that session being active.
How can we achieve this using the configuration of two AADs under the same tenant?
Firstly, you have two apps in your Azure AD tenant, not "two AADs".
To keep your session active in an application even if the AAD session is removed, your app needs to keep its own session and not depend on AAD after authentication.
So after authentication, your application back-end could issue a cookie or token and your front-end should then use that with calls to the back-end.
If you need to get Azure AD access tokens as the user, you can use refresh tokens to get them from a back-end.
But for front-end apps, there is really no way to get access tokens on behalf of a user without an active AAD session.
And you can't get tokens "as the app" from a front-end app, since there is no way to authenticate the app.
So it depends.
In your scenario, you may be able to keep a session within your app if you want to disconnect it from Azure AD.
But usually SSO is expected to work the way it did.
The point is that it is easy to log out from all your services.
I hope you are doing well!
We are working on a project that consists of 3 projects/websites. It's basically something like a management platform for the resources, a platform to display information and updates, and a platform to manage both of those platforms (something like Office 365 with PowerPoint, Word and Excel, where Office 365 is the main application between them).
In our project, we want to integrate a navigation drawer in which the user can navigate to the different applications from our 3 websites without having to re-login. In this case it would be easy. However, would there be a way that, if the user accesses the other website from the browser (ex: "www.exameplwebsite.website2.com"), we log the user in directly if he was already logged in to a previous application of ours?
We thought about local storage; however, the local storage and cookies accessible depend on the domain we are accessing.
Is there a way to make this happen? Or would using a navigation drawer be the only way possible?
(For context we will be using ReactJS)
I think it wouldn't be that hard with JSON Web Tokens (JWT) for authentication. When you redirect the user from one site to the other, do it with a POST request and include a JWT in it. The new site can capture that token and send it to the browser, and the browser can catch it and save it into its own local storage.
I can think of two solutions:
Use micro frontends (Recommended)
If all three apps have different domain names (app1.com, app2.com, app3.com) then you're right: you cannot share any token using cookies or local storage.
Here, you can move the login/signup pages and the navigation drawer into one parent app and load all your other apps using micro frontends.
Use SSO
SAML and OIDC are made for this specific purpose, but this is a very complex topic. Basically, your users will need to log in once (at someplace like Google or OneLogin or your own identity server)
I have an Angular app that supports Azure AD authentication via a Spring Security backend. It supports anonymous (non-tenant) access but no other authentication methods.
On load, if there is no existing session, the app attempts to automatically sign in via Azure AD by performing a full page redirect to the backend's Azure endpoint (which redirects to Microsoft) which redirects back to the app when successful.
This all works fine and flows well for users that have existing accounts. However, for non-tenant users who are unfamiliar with the app, it might be a bit confusing to get redirected to a sign-in page when they don't have an account, and it's not very intuitive how to proceed.
My question is if it's possible to 'wrap' the Azure AD sign-in page with some branding / messaging (e.g. similar to an embedded iframe), or to add an extra step at the beginning of the process. Alternatively, is there a way to detect if the user is a non-tenant user in advance of performing a redirect? This way I can explain what the scary sign-in screen means (or avoid it completely).
I have already tried to use an iframe for the Azure endpoint (seems to be blocked due to Microsoft security policy), and to use a popup window (blocked on the client since it's not invoked via user action).
I should mention that I am not using Microsoft's Azure AD JS library currently but no issue in adding it.
Appreciate any help!
My question is if it's possible to 'wrap' the Azure AD sign-in page
with some branding / messaging (e.g. similar to an embedded iframe),
or to add an extra step at the beginning of the process.
Yes, it is possible to customize the Azure sign-in page with some branding/messaging by adding your organization's logo and custom colour schemes to your Azure AD sign-in page. These sign-in pages will appear when users sign in to your organization's registered applications in which Azure AD is defined as the IdP. Custom branding that you configure for the Azure AD sign-in page will take 15 minutes or more to appear after user sign-in.
Kindly note that the sign-in page branding does not apply to personal Microsoft accounts or personal account sign-in.
To configure the branding for your Azure AD sign-in page, kindly refer to this MICROSOFT DOCUMENTATION for implementation.
Also, for guidelines on adding branding to Azure AD apps, kindly refer to this MICROSOFT DOCUMENTATION.
Alternatively, is there a way to detect if the user is a non-tenant
user in advance of performing a redirect?
Yes, there is a way to know whether a user is a non-tenant user or not by configuring the home realm discovery mechanism. Home realm discovery is an authentication behaviour for federated users that use HRD policy. It uses auto-acceleration to skip the user name entry screen and automatically forward the users to Azure AD application endpoints. Thus, to configure HRD policy for your Azure AD tenant, kindly refer to this MICROSOFT DOCUMENTATION for implementation. Also, to prompt the user to log in to your tenant using your tenant-specific user name, you can add the login_hint parameter in the authorization code authentication request.
For details about the login_hint parameter in the authentication request, kindly refer to this MICROSOFT DOCUMENTATION.
For more information, please refer to this SO THREAD.
I am developing a web site for an organization that uses AD for validating its own employees. I am required to host the web site externally. The organization requires Single Sign-On for its employees. Can this be done? I am using Node.js and JavaScript.
Yes! (kind of)
Do you know if the org is using Azure AD or an on-prem AD?
If it's Azure AD then you should be good to go; MS has some docs on how to do this and boilerplate code for it, so I would suggest taking a look at those:
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa
The basic flow would be:
Set up an AD app in Azure (this would be on the org to set up for you)
Provide them with a 'return URL' (this will post back to your app with a JWT)
Once set up, they will provide you with a client key / secret
Use those to pass to the AD auth service; this should prompt users to authenticate with Azure AD
After auth, it passes back to your 'return URL' with the token
In your app, if the token is valid then they are authenticated and get access; if not, no access
Context:
I am currently working on an embeddable widget, something akin to Intercom or
Hotjar, and have the need to authenticate users. Thus far, I got away with
using Passwordless authentication using Firebase auth but users complain that
it's a high friction process, and they'd rather not do it at all. The ideal
authentication solution would be to let users use their Google or Facebook
account and authenticate via OAuth2.
Problem:
Firebase Auth restricts authenticating via 3rd party auth providers if the
domain the user authenticates via is not whitelisted in the authorized domains
list. So if the user puts the code in abc.com and tries to auth via Google,
Firebase rejects it because abc.com is not in the whitelist. Whitelisting the
domain of every client is unorthodox. I feel like the way I'm approaching it
is wrong because I can't correctly build up a mental model of how this would
work out. Technically cookies, sessions, etc. are pointless.
Question:
How would I go about providing the ability to let users authenticate via 3rd
party auth providers? Is this even technically possible?
Potential Solutions:
Host the widget at the main app in a dynamic route (the website where the user
would get the widget's code) and render this route as an iframe in the
client's website. (ex: /widgets/{widgetID} would have the widget). I don't
want to do this really because iframes are a serious pain but this sounds like
the most feasible.
I'd like to know more/better solutions to address this particular situation.
It doesn't matter even if it's from a different cloud provider or a different
authentication service. The goal is to authenticate the user from the widget
ideally via a 3rd party auth provider like Google.
EDIT: This is the error that I currently receive:
widget.js:2 auth/unauthorized-domain This domain (xyz.com) is not authorized to run this operation. Add it to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab.
Based on your use case, you need to verify ownership of the domain xyz.com by following this guide.
After that, you need to add xyz.com to Authorized domains, as the error message mentioned:
Add it to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab.
For more information, please check this guide.
It is not possible to enable Google Sign-In using an unverified or unauthorized domain; this is to protect access to your sites/projects by restricting the usage of the Firebase/Google credentials to configured domains only.
There is no way to disable this setting. Google Sign-In uses OAuth2 as its authentication framework.
I'm working on a Python project on App Engine and I just set up authentication via the app.yaml file (by specifying the option login: admin). The goal of this was to restrict a particular function of the app to only the specified app administrators. However, the persistent SACSID cookie that App Engine sets upon authentication does not expire when the application admin logs out of his Google account.
Complicating things further, whenever I try to look at document.cookie, it comes up as "", without the SACSID cookie's information. How can I delete this cookie / how can I even access it?