Comments (11)
Thanks for the answer. I've managed to make it work. Yes, you are right. It needs to have UsePolicyInRedirectUri set to false. I didn't change my reply urls so I think that the mentioned error is shown where the reply url has nothing in common with the error and does not cause it.
from active-directory-b2c-advanced-policies.
@rojasja for awareness
We do not support multi-tenant apps or the /common endpoint. I would recommend requesting the feature here to help us prioritize it.
According to this: active-directory-b2c-advanced-policies/Walkthroughs/IdP-AzureAD.md
it is supported. However, when I set it up, I get an error: AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*'
although the reply URLs have been configured and set to:
https://login.microsoftonline.com/(B2Ctenant).onmicrosoft.com and https://login.microsoftonline.com/te/(B2Ctenant).onmicrosoft.com/oauth2/authresp
I also want to emphasize that this was working last Friday (15th of September 2017). I didn't change custom policy configuration at all and it didn't work anymore on Monday.
May I have an official confirmation that MultiTenant B2C custom policy still can't be configured or any hint about this error?
@tomidix we have been using multi-tenant auth for a while now and it does work. Perhaps share the configuration of your technical profile
@monteledwards here is the whole ClaimsProvider. The app that the TechnicalProfile references is created on portal.azure.com -> AD B2C -> Applications (not on identity.microsoft.com nor apps.dev.microsoft.com; I tried applications from there too, but they didn't work either).
The login process starts normally, the user logs in OK, on the first run the user consent is invoked, and after that there is the error I mentioned in my previous post.
<ClaimsProvider>
  <Domain>MultiTenant</Domain>
  <DisplayName>Login using Azure AD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="MultiTenantProfile">
      <DisplayName>AzureADAccount</DisplayName>
      <Description>Organizational or Microsoft Account</Description>
      <Protocol Name="OpenIdConnect"/>
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
        <Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
        <Item Key="client_id">{AppID}</Item>
        <!-- AppID from B2C tenant's WebApp Application -->
        <Item Key="IdTokenAudience">{AppID}</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="response_types">id_token</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_MultiTenantSignInKey"/>
        <!-- AppSecret from B2C tenant's WebApp Application, saved to policy keys in Azure -->
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/>
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="contosoAuthentication"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureADContoso"/>
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
The application that is to be configured in your technical profile needs to be registered as a regular AAD application. I recommend you start over using the guide here:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
Verify that you can sign in to your own tenant, then switch the configuration over to multi-tenant by enabling the app to be multi-tenant, and then update your TP configuration.
I did that before and got an error: AADSTS70001: Application 'AppId' is not supported for this API version.
I didn't try at all to use MultiTenant v1 for TP config because we have to use MSAL, so only v2 plays a role for us. Do you use MultiTenant v1 or v2?
Now I tried to create new, converged (v2) app in the regular Azure AD of my regular tenant (not b2c tenant) but it finished with the same error as before: AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*'
"Verify that you can sign in to your own tenant..."
I can do that; this works and I have no problem with this step. Only the multi-tenant doesn't work.
Thanks for your help!
This error:
AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*'
is a bug on the AAD side that hides the real error, which is that your reply URLs don't match.
I would double-check the reply URL on the AAD side (the v1 multi-tenant app, not the B2C app).
Also, double check that you are setting:
<Item Key="UsePolicyInRedirectUri">false</Item>
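The two fixes the thread converges on (UsePolicyInRedirectUri set to false, and the reply URL registered on the AAD app matching what B2C actually sends) are easy to check mechanically before a test sign-in. The script below is an added example, not code from the active-directory-b2c-advanced-policies project: it parses a cut-down, constructed copy of the ClaimsProvider posted above, reports the configuration mistakes discussed in the thread, and prints the reply URL that must be registered on the AAD side for a given B2C tenant. The tenant name, policy id and finding codes are made up for the example, and the assumption that a true UsePolicyInRedirectUri inserts the policy id before /oauth2/authresp is marked as such in the code.

```python
"""Lint an Azure AD B2C custom-policy ClaimsProvider for the multi-tenant
Azure AD pitfalls raised in the thread.  Added example, not part of the
active-directory-b2c-advanced-policies project; the policy XML below is a
constructed, cut-down copy of the profile posted in the thread with the
UsePolicyInRedirectUri item deliberately left at true."""
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<ClaimsProvider>
  <Domain>MultiTenant</Domain>
  <TechnicalProfiles>
    <TechnicalProfile Id="MultiTenantProfile">
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
        <Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
        <Item Key="client_id">{AppID}</Item>
        <Item Key="UsePolicyInRedirectUri">true</Item>
        <Item Key="response_types">id_token</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_MultiTenantSignInKey"/>
      </CryptographicKeys>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>"""

# Finding codes (made up for this example) and the reasoning behind each check.
DESCRIPTIONS = {
    "use-policy-in-redirect-uri": "UsePolicyInRedirectUri is not false: B2C then sends a per-policy "
        "redirect URI that the AAD app registration does not list (surfaces as AADSTS50011).",
    "issuer-prefixes-missing": "DiscoverMetadataByTokenIssuer is true but ValidTokenIssuerPrefixes "
        "is empty, so nothing restricts which issuer's tokens the profile accepts.",
    "common-without-discovery": "authorization_endpoint uses /common, so the id_token issuer varies "
        "per tenant; static metadata cannot validate it.",
    "client-secret-missing": "no CryptographicKeys/Key with Id=\"client_secret\" references a policy key.",
}

def metadata_items(profile):
    """Map Metadata/Item Key -> text for one TechnicalProfile element."""
    return {item.get("Key"): (item.text or "").strip()
            for item in profile.findall("./Metadata/Item")}

def lint_profile(profile):
    """Return the finding codes that apply to one TechnicalProfile element."""
    md = metadata_items(profile)
    findings = []
    # The thread's fix: the item must be present and literally "false".
    if md.get("UsePolicyInRedirectUri", "").lower() != "false":
        findings.append("use-policy-in-redirect-uri")
    discover = md.get("DiscoverMetadataByTokenIssuer", "").lower() == "true"
    if discover and not md.get("ValidTokenIssuerPrefixes"):
        findings.append("issuer-prefixes-missing")
    if "/common/" in md.get("authorization_endpoint", "") and not discover:
        findings.append("common-without-discovery")
    if not profile.findall("./CryptographicKeys/Key[@Id='client_secret']"):
        findings.append("client-secret-missing")
    return findings

def lint_policy(xml_text):
    """Lint every TechnicalProfile in a ClaimsProvider; returns {profile id: [codes]}."""
    root = ET.fromstring(xml_text)
    return {tp.get("Id"): lint_profile(tp) for tp in root.iter("TechnicalProfile")}

def expected_reply_urls(b2c_tenant, policy_id, use_policy_in_redirect_uri):
    """Reply URL(s) the AAD app registration must list for this B2C tenant.
    The base form is the one quoted in the thread.  Assumption (not stated in
    the thread): with UsePolicyInRedirectUri=true the policy id is inserted
    before /oauth2/authresp, which is why the registered URL stops matching."""
    base = f"https://login.microsoftonline.com/te/{b2c_tenant}/"
    if use_policy_in_redirect_uri:
        return [base + f"{policy_id}/oauth2/authresp"]
    return [base + "oauth2/authresp"]

if __name__ == "__main__":
    for profile_id, codes in lint_policy(SAMPLE_POLICY).items():
        print(profile_id)
        for code in codes:
            print("  -", code + ":", DESCRIPTIONS[code])
    # Constructed tenant and policy names.
    print("register on the AAD app:",
          expected_reply_urls("contoso.onmicrosoft.com", "B2C_1A_MultiTenant", False))
```

Run against the posted profile the linter reports only the redirect-URI item; flip it to false and the profile passes. The issuer checks are the ones worth keeping in a CI step: with the /common endpoint the issuer in the id_token differs per tenant, so DiscoverMetadataByTokenIssuer plus a ValidTokenIssuerPrefixes allow-list is what pins which tenants' tokens the policy will trust.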
I am using a custom policy which is integrated with B2B and B2C as per the link https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom. I am able to get the username and email from B2B users after adding
in the relying party, but not able to get all the user details for B2C users.
@parakhj is the multi-tenant scenario still not available in B2C?