flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

SAMLRequest error from Azure AD SSO when logging in #83

Closed johnwbaxter closed 4 years ago

johnwbaxter commented 4 years ago

Hi, I'm getting the same error as detailed here. Not sure what info I haven't updated right. - https://help.mulesoft.com/s/article/AADSTS750054-Error-When-Logging-to-Azure-AD-SSO-Enabled-Domain-in-Studio

I got back from the provider an XML file and an "Azure AD Identifier" URL. I uploaded the metadata XML, but there is nowhere for me to set the AD Identifier URL manually.

It looks like the EntityID is set to: urn:federation:MicrosoftOnline which is incorrect, right? I don't see how I can change this?

Any ideas?

Thanks!!

johnwbaxter commented 4 years ago

Can I bump this please!

dsmrt commented 4 years ago

Take a look at this issue:

https://github.com/flipboxfactory/saml-sp/issues/37#issuecomment-537633890

Make sure you are following that comment closely.

With that error, it seems like you might not be going through the SAML request process on the plugin side. Seems like you may be configuring the loginPath (for Craft) to the IdP directly. If this is the case, you need to change that to follow the docs here: https://saml-sp.flipboxfactory.com/configure/login.html

I’m not sure what the entity id is for your case, but that could be right. Your first issue is to get a proper request going. The error you linked to shows the request isn’t coming over at all.

Also, you can open the network console and follow redirects to verify that SAMLRequest GET or POST parameter is being passed on. This has to be sent and is initiated by the plugin by that request url detailed in the docs.

Hope this helps.

johnwbaxter commented 4 years ago

Hi Damien

I did follow that ticket already, but it looks like I didn't add the login URL to the general config, which I've done now and am hoping is the missing piece!

Thanks

John

dsmrt commented 4 years ago

Awesome! Let me know if you run into anything else!

johnwbaxter commented 4 years ago

Hi Damien,

Hmm, no, that didn't help.

I'm a bit confused by the other ticket you are asking me to look at "You can overwrite that system-wide by setting it here: /admin/saml-sp/settings (it can be an environmental variable). Once you set that, you need to recreate "My Provider" so the new entity id is picked up and saved in the plugin correctly." - If you go there, it says if you change the entity Id, then everything needs to be regenerated again, so surely you are then in an eternal loop?

Thanks

John

dsmrt commented 4 years ago

Are you getting the same error?

johnwbaxter commented 4 years ago

Yes, same error as before!

dsmrt commented 4 years ago

Not sure what you mean about the eternal loop. For Azure AD, the Azure AD app id needs to be your SP’s (Craft's) entity id. This isn’t a common practice, so you need to use that system setting to reset the EntityID for Craft.

johnwbaxter commented 4 years ago

This: "Application ID is important here. You need to make the Application ID your Entity ID now. Currently, the best way to overwrite this is to set it system wide here: /admin/saml-sp/settings. Note that you can set that as an environmental variable. Once that is set make sure to either resave or delete and save a new "My Provider"."

I haven't done due to the warning on the field itself. Should I go ahead and do this anyway? The format of the field will be a URL, not just the ID, right?

dsmrt commented 4 years ago

Since you are getting the same error, it seems like the process to login you are doing is incorrect. Are you initiating login from craft? Meaning you are on craft, and you hit a link that takes you to the craft endpoint /sso/login/request/?

When you hit that endpoint, the plugin will create the request and send it to Azure AD/your IdP.
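The two checks Damien describes above (is a SAMLRequest parameter actually present on the redirect to the IdP, and does the request's Issuer carry the EntityID Azure AD expects) can be done offline on a captured Location header. This is an added example, not code from the saml-sp plugin; it assumes the HTTP-Redirect binding (DEFLATE + base64) for the GET case and plain base64 for the POST form field, and every URL and ID in it is a constructed placeholder.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample of an SP-initiated AuthnRequest. The Issuer is the SP EntityID;
# for Azure AD this must equal the Application ID (placeholder value below).
SAMPLE_ENTITY_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://portal.example/sso/login/">'
    f"<saml:Issuer>{SAMPLE_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
)


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def build_idp_redirect(idp_sso_url: str, xml_text: str, relay_state: str) -> str:
    """What the SP's /sso/login/request/ endpoint should redirect the browser to."""
    query = urlencode({"SAMLRequest": encode_redirect_binding(xml_text),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"


def decode_saml_request(value: str, redirect_binding: bool = True) -> str:
    """Reverse the binding encoding; POST form fields are base64 only."""
    data = base64.b64decode(value)
    return (zlib.decompress(data, -15) if redirect_binding else data).decode()


def inspect_redirect(location: str) -> dict:
    """Report whether the redirect carries a SAMLRequest and which Issuer it names."""
    qs = parse_qs(urlparse(location).query)
    if "SAMLRequest" not in qs:  # symptom of loginPath pointing at the IdP directly
        return {"has_saml_request": False, "issuer": None}
    root = ET.fromstring(decode_saml_request(qs["SAMLRequest"][0]))
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {"has_saml_request": True,
            "issuer": issuer.text if issuer is not None else None}


def issuer_matches(location: str, expected_entity_id: str) -> bool:
    info = inspect_redirect(location)
    return info["has_saml_request"] and info["issuer"] == expected_entity_id
```

Paste the Location header copied from the browser's network console into inspect_redirect; a result without has_saml_request means the browser never passed through the plugin's request endpoint.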

johnwbaxter commented 4 years ago

I'm clicking the new button on the Craft CP login screen, which has this URL.

https://portal.xxxxx.uk/sso/login/request/xxxxxxxx-xxxx-xxxxx-xxxx-xxxxxxxxxx?RelayState=https:/portal.xxxxx.uk/admin/dashboard

dsmrt commented 4 years ago

Responding to your last comment on changing the system entity id, this is something you want to be careful with. If you do this during development it’s not a problem. This is more of a concern when you are working on a production site directly, which may prevent users from logging in.

As for format, the id is essentially an identifier for a website, so it’s commonly a URL but can be a UUID or another string format.

johnwbaxter commented 4 years ago

This is difficult as it's a publicly viewable forum. Any chance I can email you directly so I can share a couple of things?

dsmrt commented 4 years ago

Definitely, contact me here and we can share info: https://www.flipboxdigital.com/contact

johnwbaxter commented 4 years ago

Legend, ta!

johnwbaxter commented 4 years ago

I've sent you the email!!

dsmrt commented 4 years ago

@johnwbaxter, I'm going to close this for now, since we are communicating offline. If we do find any issues, bugs, etc, we can add them as separate issues.