OpenID authentication via Azure fails

Hi,

We are using version 9.0 and are trying to enable OpenID authentication for the web portal (ITShop) via Azure.

So, the goal is that when somebody tries to access the web portal, they get a login prompt and provide their Azure AD user account credentials in order to log in successfully.

We are aware that this may go wrong on many levels, but we have provided the basic configuration as described in the OneIM authentication guide, meaning:

Login endpoint:

login.microsoftonline.com/.../authorize

Logout endpoint:

login.microsoftonline.com/.../logout

Token endpoint:

login.microsoftonline.com/.../token

JSON:

login.microsoftonline.com/.../keys

Issuer:

login.microsoftonline.com/.../v2.0

Shared secret:

<Value Omitted>

ClientID:

<Value Omitted>

Redirect URI:

https://<ServerName_omitted>/UserIDPortal

Claim - search value: = ADSAccount - Mail (Why not AADUser? Because we don't have a connector yet between OneIM and AAD, but that shouldn't be a problem as the guide does not say otherwise).
Scope: openid profile email offline_access
Authentication method: client_secret_basic


We are not using any certificate endpoint/subject etc. and have not configured any tabs other than "General" and "Applications".

On the Azure side, we have enabled the appropriate scopes as mentioned above plus the email as a claim.

Lastly, we have enabled the OpenID (role-based) authentication module and updated the web.config file with the appropriate values.

Now, when somebody tries to log in to the web portal (having an identity inside OneIM with a valid AD user account whose Mail value matches the Azure AD user account mail), he gets a prompt to provide credentials plus a 2FA code, and then it seems that the login is about to succeed, but in the end it fails with an abstract message saying:
"We couldn't sign you in. Please try again"

No matter how many times we do it again, it keeps failing with the same message.

Going to the Azure logs side, we are not able to find a specific "sign-in" error code to help us; rather, the information message is again abstract, mentioning:
this is an interrupt that triggers device authentication when required due to a conditional access policy or because the application or resource requested the device id in a token, yada yada.


Googling the above, there is limited-to-no valuable information, and nothing that helps you solve it on the browser, protocol, web service or application level.
We have not configured any "conditional access policies" to begin with, and we also cannot "decrypt" what the line "because the application or resource requested the device id in a token" technically means in order to make any configuration adjustments.


One thing I found at random after googling was to check whether the time zone of the web server matches the user's laptop, which is okay.

Another thing was to check with different browsers (Edge, Chrome and Opera), clearing cache/history before any new attempt after minor configuration changes to see if anything was amiss, but to no avail so far.

I have also enabled the configuration parameter "QBM\DebugMode\OAuth2\LogPersonalInfoOnException" in order to check whether I see any valuable logs on the OneIM side, but I cannot find any logs after the login attempt.
So, either I am searching inside the wrong folder, which is "C:\inetpub\wwwroot\UserIDPortal\App_Data\Logs", or I need to do something more/different?


The thing is, this should be fixed as soon as possible because it is a production instance, and we are unfortunately out of ideas at this point.

Any more ideas other than the ones provided above?

Thanks in advance.

  • Tried that as well, no progress.
    I've also enabled DEBUG mode and now I see this line:
    Forcing session end on g2y3unzo0fkmf3pdtr45gwiv due to an invalid anti-session-fixation cookie value, redirecting to /UserIDPortal/page.axd?wproj=0 

    Could that be related to the root cause, or otherwise?
    To be honest, this line has the label INFO, but possibly I did not see it before.

  • Please try setting the httpCookies section in the web.config of the Web Portal to something like this. If this does not help, try setting it in the Application Server web.config as well.

    <httpCookies requireSSL="true" sameSite="Lax" />



  • Hi Markus, I have updated the web.config with this line
    <httpCookies requireSSL="true" sameSite="Lax" />
    and it actually moved forward, but the login itself did not work.

    Now, instead of seeing the IDP portal, we see the ITShop login page with an error mentioning:
    The authentication process could not be completed. Contact you system admin if issue persists.

    An error occurred while processing your request. Check the application log files or contact the administrator yada yada.

    Inside the log file I see this error:
    Certificate: Using JWK endpoint configured in the identity provider.
    2023-04-19 09:46:46.2350 ERROR ( ObjectLog haei4mqhhuuw1fc4xhlwhi1v) : Failed to authenticate user using OAuth2/Open ID Connect. System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).

    404 means that the resource is not found on the web server, but the configuration is as below:

    In designer the redirect URL is:
    https://<servername>/UserIDPortal

    In Azure, the redirect URL is:

    https://<servername>/UserIDPortal/page.axd

    Otherwise, it says that it cannot find the requested resource ending in page.axd

    We've also tried the redirect URL in Designer with this value:
    https://<servername>/UserIDPortal/page.axd, but it ends up asking for the resource https://<servername>/UserIDPortal/page.axd/page.axd

    Any more ideas?

  • Try this one.

    In Azure the redirect URI should be https://<servername>/UserIDPortal/page.axd

    In the Designer the redirect URI should be https://<servername>/UserIDPortal/

    Please check the web.config of the Web Portal as well. It should contain the BaseURL, if I am remembering it correctly.
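Pulling the checks from this thread into one script, as an added example that is not part of the original thread and not One Identity Manager code: it compares the five endpoint fields from the Designer dialog against a constructed Azure AD v2.0 discovery document (placeholder tenant id), cross-checks the Designer redirect URI, the Azure-registered redirect URI and the web.config BaseURL against the rule given above (Azure gets the URI ending in page.axd, Designer gets the base with a trailing slash), and checks the suggested httpCookies line. Assumptions: the portal appends page.axd to the Designer value (inferred from the page.axd/page.axd request reported earlier), Azure matches the registered redirect URI exactly, and the hostnames, tenant id and file contents are constructed for the example.

```python
"""Offline lint for the OIDC settings discussed in this thread (added example, not One Identity code)."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption drawn from the thread: the Web Portal appends this to the configured redirect URI,
# which is why a Designer value ending in page.axd produced a request for .../page.axd/page.axd.
CALLBACK = "page.axd"

# Constructed Azure AD v2.0 discovery document. The tenant id is a placeholder, not the
# (omitted) tenant from the thread; key names and path shapes follow the published metadata.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/logout",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
})

# Designer field name -> discovery-document key it must agree with.
FIELD_TO_METADATA = {
    "login": "authorization_endpoint",
    "logout": "end_session_endpoint",
    "token": "token_endpoint",
    "json": "jwks_uri",
    "issuer": "issuer",
}

# What a consistent identity-provider entry for the constructed tenant looks like.
CONFIGURED_OK = {f: json.loads(SAMPLE_DISCOVERY)[k] for f, k in FIELD_TO_METADATA.items()}

# Constructed web.config fragment carrying the httpCookies line suggested in the thread.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies requireSSL="true" sameSite="Lax" />
  </system.web>
</configuration>"""


def check_endpoints(configured, discovery_json):
    """One finding per Designer endpoint that does not match the tenant's discovery document.
    A stale or hand-typed URL here is the first thing to rule out for a 404 from the JWK fetch."""
    meta = json.loads(discovery_json)
    return [
        f"{field}: configured {configured.get(field, '')!r}, discovery says {meta[key]!r}"
        for field, key in FIELD_TO_METADATA.items()
        if configured.get(field, "") != meta[key]
    ]


def check_redirects(designer_redirect, azure_redirect, base_url):
    """Cross-check the three URLs the thread juggles: Designer redirect, Azure redirect, BaseURL."""
    findings = []
    for name, url in (("designer", designer_redirect), ("azure", azure_redirect), ("base", base_url)):
        if urlparse(url).scheme != "https":
            findings.append(f"{name}: not https, so a cookie marked requireSSL is never sent back")
    if designer_redirect.endswith(CALLBACK):
        findings.append(f"designer: already ends with {CALLBACK}; the portal would request .../{CALLBACK}/{CALLBACK}")
    elif not designer_redirect.endswith("/"):
        findings.append("designer: missing trailing slash")
    # Assumption: Azure compares the redirect_uri it receives against the registration exactly.
    expected_azure = designer_redirect.rstrip("/") + "/" + CALLBACK
    if azure_redirect != expected_azure:
        findings.append(f"azure: registered {azure_redirect!r}, portal will send {expected_azure!r}")
    if base_url.rstrip("/").lower() != designer_redirect.rstrip("/").lower():
        findings.append("base: BaseURL points somewhere other than the Designer redirect URI")
    elif base_url != designer_redirect:
        findings.append("base: BaseURL differs from the Designer redirect only in case or trailing slash")
    return findings


def check_cookies(web_config_xml):
    """Verify httpCookies: Secure cookies, and a SameSite mode that survives the top-level
    redirect back from the identity provider (Strict would drop the session cookie there)."""
    node = ET.fromstring(web_config_xml).find(".//httpCookies")
    if node is None:
        return ["httpCookies: element missing"]
    findings = []
    if node.get("requireSSL", "").lower() != "true":
        findings.append("httpCookies: requireSSL is not true")
    if node.get("sameSite", "").lower() not in ("lax", "none"):
        findings.append("httpCookies: sameSite must be Lax or None for the IdP redirect to carry the cookie")
    return findings


if __name__ == "__main__":
    # Sample run: correct endpoints, correct redirect pair, BaseURL host typed in capitals.
    for finding in (check_endpoints(CONFIGURED_OK, SAMPLE_DISCOVERY)
                    + check_redirects("https://portal.example.com/UserIDPortal/",
                                      "https://portal.example.com/UserIDPortal/page.axd",
                                      "https://PORTAL.example.com/UserIDPortal/")
                    + check_cookies(SAMPLE_WEB_CONFIG)):
        print(finding)
```

In practice you would replace SAMPLE_DISCOVERY with the JSON fetched from `<issuer>/.well-known/openid-configuration` for your own tenant and paste in the values from the Designer dialog; a "json:" finding is the direct explanation for a 404 on the JWK fetch, and a "designer:"/"azure:" finding for the redirect URI mismatch the thread worked through.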

  • What we have tried so far:

    Designer redirect URL:

    https://<serverName>/UserIDPortal/ (previous attempt without the ending slash /)

    Azure redirect URL:

    https://<servername>/UserIDPortal/page.axd

    BaseURL in webconfig file:

    https://<servername>/UserIDPortal/ (the server name here is in capital letters, but that shouldn't make any difference, I suppose(?))

    URL in navigation bar when we see the login page of the ITShop having an error:

    https://<serverName>/UserIDPortal/page.axd?RuntimeFormID=e164085d-b854-47d3-a69c-22a5bf9dbe37&aeweb_handler=p&aeweb_rp=&wproj=0&ContextID=VI_Session

    Error in log file of web application:

    Failed to authenticate user. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).

    Error in Azure sign-in:
    User needs to perform multi-factor authentication one identity.

    But the thing is, the user is already providing a 2FA code before submitting the request; he has done it in front of me every single time.

    In IIS, under authentication we have both Anonymous and Windows enabled (again, I guess that does not have any impact, but for the sake of it); the rest are disabled.

    At the OneIM level, the user trying to log in has an active identity inside the DB with 6 AERoles assigned to him.

    Plus one enabled AD user account fully managed linked to the identity, of course.

    Last thing: at the application server level, QBMWebApplication, I have NOT enabled the OAuth 2.0/OpenID Connect application configuration.

    I've done this only on the WebDesigner entry, which is the web portal itself. I've found somewhere that you have to do this only at the web app level and not at the app server level, but I just want to be sure whether it matters or not.

  • My settings, which work, but I am not using 2FA; I will set that up on my Azure tenant and test.

    In Azure:

    Redirect URI: servername.domain.com/.../page.axd

    The two check boxes under Implicit grant and hybrid flows are unchecked

    In Designer under Base Data\Security settings\OAuth 2.0/OpenID Connect configuration\Identity providers:

    Under the Applications tab

    Redirect URI: https://servername.domain.com/identitymanager/

    Authentication method: client_secret_basic

    Under Base Data\Security settings\Web server configurations\WebDesigner

    Primary auth OAuth 2.0/OpenID Connect (role-based)

    OAuth 2.0/OpenID Connect application: my application that I configured from Base Data\Security settings\OAuth 2.0/OpenID Connect configuration\Identity providers Applications tab

    The above settings work for me.

  • I set up 2FA for one test user using the Microsoft Authenticator application. Confirmed that I can log in to my Identity Manager Web Designer portal with this enabled as well.

  • Hi Troy,

    This is exactly my configuration as well.

    I am afraid the issue is at the IDP level and not at the OneIM level.
    Do you have any other specifics for the IDP configuration, like mandatory configuration that is needed, otherwise it does not work?

  • No, I do not have any mandatory configuration set in the IDP or anywhere else.