question

SergioPeral-7461 asked:

Configure SSO for Azure AD Application

Hello all,
I hope you're staying healthy and safe.


I'm having an issue trying to configure Azure AD SSO for an application. My Service Provider application is not able to authenticate itself because the roles claim configured in Azure AD SSO is not included in the SAML response. I'm following this guide to configure it: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management, but I'm not having success.

These are my configured claims:
https://gyazo.com/f262f7fa23c23ed2adc6a4ffc9e608c0

And these are the claims that come in the SAML response:
https://gyazo.com/120b6156a0287566c9d34cf7f726ae81

I'm also having trouble configuring permissions here: https://developer.microsoft.com/graph/graph-explorer. It seems like the changes I make are not staying.

When I go to the Application Users and groups, the only user is me, with role User. I don't know if it's possible to make myself an administrator, it doesn't come in the list of possible roles, only User, and it's a personal account so I'm actually the administrator.

Hoping that someone is able to help a little bit. Thank you very much in advance.

Best regards,
Sergio.

azure-active-directory

amanpreetsingh-msft answered:

@SergioPeral-7461 You need to define the App Roles in the Application Manifest. If no role is defined in the app manifest, you get only the User role, which is greyed out. You can add the parameters below to the app manifest to add a "Writer" role, for example. You can specify any role name using the parameters below, as per the application's requirements.

[screenshot: capture.jpg]

Once this is done, you can assign the new roles to users while adding them under "Users and groups" in the application or by editing already added users.

For more details, please refer to "How to: Add app roles in your application and receive them in the token".


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


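The appRoles entry the answer above describes, as an added example that is not code from the original answer or from Microsoft's documentation: a constructed manifest fragment (the GUIDs and the "Writer"/"Test" names are made up for illustration), a check for the mistakes that usually explain a missing or wrong roles claim (an id that is not a GUID or is reused, an empty value, a role left disabled), and a parser that pulls the Roles attribute out of a constructed SAML assertion shaped like the one quoted later in the thread and confirms the value matches a role the manifest actually defines. It assumes the service provider's SAML library has already verified the response signature; role values from an unverified assertion must not be trusted.

```python
import json
import uuid
import xml.etree.ElementTree as ET

# Constructed appRoles fragment in the shape the Azure AD application manifest uses.
# GUIDs and names are made up for this example; generate your own ids with uuid.uuid4().
MANIFEST_APP_ROLES = json.loads("""
[
  {
    "allowedMemberTypes": ["User"],
    "description": "Writers can edit documents",
    "displayName": "Writer",
    "id": "8d1d5c3e-2b6f-4f7a-9c4e-1a2b3c4d5e6f",
    "isEnabled": true,
    "value": "Writer"
  },
  {
    "allowedMemberTypes": ["User"],
    "description": "Role used while testing SSO",
    "displayName": "Test",
    "id": "0f8b1c2d-3e4f-4a5b-8c6d-7e8f9a0b1c2d",
    "isEnabled": true,
    "value": "Test"
  }
]
""")


def validate_app_roles(app_roles):
    """Return a list of problems found in an appRoles array; empty means it looks sane."""
    problems = []
    seen_ids, seen_values = set(), set()
    for role in app_roles:
        name = role.get("displayName", "<unnamed>")
        rid = role.get("id", "")
        try:
            uuid.UUID(rid)  # a malformed id is rejected when the manifest is saved
        except ValueError:
            problems.append(f"{name}: id {rid!r} is not a GUID")
        if rid in seen_ids:
            problems.append(f"{name}: duplicate id {rid}")
        seen_ids.add(rid)
        value = role.get("value")
        if not value:  # the claim carries "value", so an empty one yields no usable claim
            problems.append(f"{name}: empty value, no usable roles claim")
        elif value in seen_values:
            problems.append(f"{name}: duplicate value {value!r}")
        seen_values.add(value)
        if not set(role.get("allowedMemberTypes", [])) <= {"User", "Application"}:
            problems.append(f"{name}: allowedMemberTypes must be User and/or Application")
        if not role.get("isEnabled", False):
            problems.append(f"{name}: role is disabled")
    return problems


SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment shaped like the Azure AD response quoted in the thread;
# "Roles" is the attribute name configured in the SSO claims blade.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Roles">
      <saml:AttributeValue>Test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def roles_from_assertion(assertion_xml, roles_attr="Roles"):
    """Collect the values of the roles attribute from an already signature-verified assertion.

    Only call this after the SAML library has validated the XML signature; an
    unverified assertion can carry any role an attacker cares to type in.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == roles_attr:
            values.extend(v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text)
    return values


def roles_match_manifest(assertion_xml, app_roles):
    """Return the claim values that correspond to an enabled role defined in the manifest.

    The claim carries the role's "value", not its displayName, and never a
    directory role such as Global Administrator; compare against that.
    """
    defined = {r["value"] for r in app_roles if r.get("isEnabled") and r.get("value")}
    return [v for v in roles_from_assertion(assertion_xml) if v in defined]


if __name__ == "__main__":
    print("manifest problems:", validate_app_roles(MANIFEST_APP_ROLES))
    print("roles in assertion:", roles_from_assertion(SAMPLE_ASSERTION))
    print("roles the manifest defines:", roles_match_manifest(SAMPLE_ASSERTION, MANIFEST_APP_ROLES))
```

For production code parse the assertion with defusedxml rather than xml.etree directly, and keep the signature check in the SAML library; the point of the example is only which string the service provider should be comparing against.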

SergioPeral-7461 answered:

Thank you very much, with your help I was able to include the Roles claim in my SAML response:

      <Attribute Name="Roles">
         <AttributeValue>Test</AttributeValue>
      </Attribute>

Unfortunately my main issue persists, even though I thought this was the cause of the problem. My issue is exactly this one: https://github.com/opendistro-for-elasticsearch/security/issues/430 (I didn't create it).

I don't know if you or some of your colleagues are familiar with integrating Elasticsearch + Kibana with Azure AD to implement SSO, but if someone could provide some help with this it would be so great.

Thank you very much for your help so far.
Best regards,
Sergio.


@SergioPeral-7461 Unfortunately I have not done this integration. I would suggest you post it as a separate question, as others may ignore it thinking it is another answer to the above question. With a separate question it will have more visibility, and if someone has encountered this issue, they can respond to you.

SergioPeral-7461 answered:

Hi @amanpreetsingh-msft, thanks for answering.

I managed to solve that error, I had the wrong id in the application manifest.
Now I am having this error:

[screenshot: test.png]


But I have a role in the application:
[screenshot: test2.png]


So I will keep investigating. Please let me know how I could proceed.

Thank you very much.

Regards.




amanpreetsingh-msft answered:

@SergioPeral-7461 Since the user is assigned, you should not get this error. Could you please try removing the user and assigning it again? If that doesn't help, please try creating a new user under Azure Active Directory > Users and test with that account.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


SergioPeral-7461 answered (edited):

Hey Aman,
Thanks for your great help, after re-assigning myself to the role it was detected successfully. Unfortunately, my application still doesn't get authenticated successfully...


Let me please ask you one last thing... When I go to the Graph explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#), I select beta and run this query: https://graph.microsoft.com/beta/servicePrincipals. But the response is kind of empty:

[screenshot: test.png]

Shouldn't it respond with the details of the application I created, at least? (it should, according to this article https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management)




How have you registered the application? If you register the application via the portal, a corresponding service principal gets created automatically, but if you create the application via the Graph API/PowerShell, you need to create it separately.

Can you see the application using https://graph.microsoft.com/beta/applications call?


I registered the application in the portal:
[screenshot: test.png]

I can't see the application running that query:
[screenshot: test2.png]

Note that the email address is the same. I have only one directory.
When I try to assign myself some permissions under modify permissions in the Microsoft Graph, it seems like they disappear after I reload the page. I am Administrator of the account.

Thanks for your help!


SergioPeral-7461 answered:

In addition, is it correct that the role included in the SAML response is referencing the one I have in the Application Manifest and the one in the third screenshot below? Are they all the same role? Maybe the Test role in the SAML response is some "empty" role and I'm referencing different things that have the same name...

Role claim included in the SAML response:

[screenshot: test1.png]

Role in the application manifest:

[screenshot: test2.png]

Role definition:

[screenshot: test3.png]

I'm sorry for asking so many questions but I am really lost. Thank you in advance for your effort.

Best regards.



No, the role we defined in the app manifest is different from this. These are directory roles that we can use to grant permissions over Azure AD.

This platform is for asking questions. Feel free to post. Only suggestion is to post new question for a different error so that it helps others facing similar error. We don't want others to go through a long thread to get answer to a specific error. Hope you'll understand.


It is under the application's Roles and administrators section so it looked like a role for the application to me.

The objective of my questions is the original one, which is configuring Azure AD SSO to authenticate a user in Opendistro, that's why I continued asking in this thread. I think that any user that wants to achieve that goal will make use of all the answers you provided. However, I understand your suggestion, sorry if you think that this thread is too long.

Thank you for your answers.

Regards.


Even if you are referring to the application's Roles and administrators section, these roles are different from the app role we defined under the app manifest. This will eventually create a role under directory roles only.
