Hi,
We are using version 9.0 and are trying to enable OpenID authentication for the web portal (ITShop) via Azure.
So the goal is that when somebody tries to access the web portal, they get a login prompt and provide their Azure AD user account credentials in order to log in successfully.
We are aware that this may go wrong on many levels, but we have provided the basic configuration as described in the OneIM authentication guide, meaning:
Login endpoint:
login.microsoftonline.com/.../authorize
Logout endpoint:
login.microsoftonline.com/.../logout
Token endpoint:
login.microsoftonline.com/.../token
JSON:
login.microsoftonline.com/.../keys
Issuer:
login.microsoftonline.com/.../v2.0
Shared secret:
<Value Omitted>
ClientID:
<Value Omitted>
Redirect URI:
https://<ServerName_omitted>/UserIDPortal
Claim - search value: ADSAccount - Mail (Why not AADUser? Because we don't have a connector yet between OneIM and AAD, but that shouldn't be a problem, as the guide does not say otherwise).
Scope: openid profile email offline_access
Authentication method: client_secret_basic
We are not using any certificate endpoint/subject, etc., and have not configured any tabs other than "General" and "Applications".
On the Azure side, we have enabled the appropriate scopes as mentioned above, plus email as a claim.
Lastly, we have enabled the OpenID (role-based) authentication module and updated the web.config file with the appropriate values.
Now, when somebody tries to log in to the web portal (having an identity inside OneIM with a valid AD user account whose Mail value matches the Azure AD user account mail), they get a prompt to provide credentials plus a 2FA code, and then it seems the login is about to succeed, but in the end it fails with a vague message saying:
"We couldn't sign you in. Please try again"
No matter how many times we try again, it keeps failing with the same message.
On the Azure logs side, we are not able to find a specific "sign-in" error code to help us; rather, the information message is again vague, mentioning:
this is an interrupt that triggers device authentication when required due to a conditional access policy or because the application or resource requested the device ID in a token, yada yada.
Googling the above, there is limited-to-no valuable information, and nowhere anything that helps you solve it at the browser, protocol, web service or application level.
We have not configured any "conditional access policies" to begin with, and we also cannot "decrypt" what the line "because the application or resource requested the device id in a token" technically means in order to make any configuration changes/adjustments.
One thing I found at random after googling was to check whether the time zone of the web server matches the user's laptop, which is okay.
Another was to check with different browsers (Edge, Chrome and Opera), clearing cache/history before any new attempt after minor configuration changes to see if anything was amiss, but to no avail so far.
I have also enabled the configuration parameter "QBM\DebugMode\OAuth2\LogPersonalInfoOnException" in order to check whether I see any valuable logs on the OneIM side, but I cannot find any logs after the login attempt.
So, either I am searching in the wrong folder, which is "C:\inetpub\wwwroot\UserIDPortal\App_Data\Logs", or I need to do something more/different?
The thing is, this should be fixed as soon as possible because it is a production instance, and we are unfortunately out of ideas at this point.
Any more ideas other than the ones provided above?
Thanks in advance.
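Added example (editor's note): the script below is not from the post above and is not One Identity Manager code. It models the two things the post's setup depends on that can be checked offline: that the five endpoint/issuer values typed into the "General" tab agree with the tenant's OpenID discovery document (authentication method and scopes included), and that the id_token actually carries the claim ("email") that is mapped to ADSAccount.Mail, since the lookup has nothing to match if the claim is missing or if no account (or more than one) has that mail. Everything in it is constructed: the tenant ID and client ID are placeholders, the discovery document is a hand-written sample shaped like the v2.0 one, the tokens are unsigned JWTs built locally for inspection only, and `resolve_identity` is a simplified stand-in for the product's claim-to-search-value lookup, not its implementation. It does not explain the device-authentication interrupt quoted from the Azure sign-in log.

```python
import base64
import json

# Constructed sample of a v2.0 OpenID discovery document. The tenant ID is a
# placeholder (assumption), not a real tenant; the live document is served from
# https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
TENANT = "00000000-0000-0000-0000-000000000000"
BASE = f"https://login.microsoftonline.com/{TENANT}"
DISCOVERY_DOC = {
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "end_session_endpoint": f"{BASE}/oauth2/v2.0/logout",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
    "token_endpoint_auth_methods_supported": [
        "client_secret_post", "private_key_jwt", "client_secret_basic"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "name",
                         "preferred_username", "email"],
}

# What was typed into the OneIM "General" tab, keyed by the discovery field each
# value has to agree with. CLIENT_ID is a placeholder (assumption).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CONFIGURED = {
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",  # Login endpoint
    "end_session_endpoint": f"{BASE}/oauth2/v2.0/logout",       # Logout endpoint
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",              # Token endpoint
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",                  # "JSON" (key set)
    "issuer": f"{BASE}/v2.0",                                   # Issuer
}
CONFIGURED_AUTH_METHOD = "client_secret_basic"
CONFIGURED_SCOPES = "openid profile email offline_access"
LOOKUP_CLAIM = "email"  # the "Claim" side of "Claim - search value"

# Constructed stand-in for the ADSAccount table: account key -> Mail column.
ADS_ACCOUNTS = {"ADS-0001": "jane.doe@example.com", "ADS-0002": None}


def check_configuration(doc, configured, auth_method, scopes):
    """List every way the configured values disagree with the discovery document."""
    problems = []
    for field, value in configured.items():
        if doc.get(field) != value:
            problems.append(f"{field}: configured {value!r}, discovery has {doc.get(field)!r}")
    if auth_method not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append(f"token endpoint does not support {auth_method}")
    for scope in scopes.split():
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised")
    if LOOKUP_CLAIM not in doc.get("claims_supported", []):
        problems.append(f"claim {LOOKUP_CLAIM!r} not advertised")
    return problems


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims):
    """Build a constructed, UNSIGNED JWT for local inspection (empty signature segment)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_claims(token):
    """Decode a JWT payload WITHOUT verifying it. Inspection only: a relying party
    must verify the signature against jwks_uri before trusting any of these claims."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def resolve_identity(claims, accounts, issuer, audience, claim=LOOKUP_CLAIM):
    """Simplified model of the claim-to-search-value lookup: (account key, 'ok') or (None, reason)."""
    if claims.get("iss") != issuer:
        return None, "issuer mismatch"
    if claims.get("aud") != audience:
        return None, "audience mismatch"
    value = claims.get(claim)
    if not value:
        return None, f"claim {claim!r} absent from id_token"
    matches = [key for key, mail in accounts.items()
               if mail and mail.lower() == value.lower()]
    if len(matches) != 1:
        return None, f"{len(matches)} accounts match {value!r}"
    return matches[0], "ok"


# Constructed id_token payloads: one carrying the email claim, one without it.
TOKEN_WITH_EMAIL = make_unsigned_token({
    "iss": f"{BASE}/v2.0", "aud": CLIENT_ID, "sub": "abc123",
    "preferred_username": "jane.doe@example.com", "email": "Jane.Doe@example.com"})
TOKEN_WITHOUT_EMAIL = make_unsigned_token({
    "iss": f"{BASE}/v2.0", "aud": CLIENT_ID, "sub": "abc123",
    "preferred_username": "jane.doe@example.com"})

if __name__ == "__main__":
    print("config problems:", check_configuration(
        DISCOVERY_DOC, CONFIGURED, CONFIGURED_AUTH_METHOD, CONFIGURED_SCOPES))
    for tok in (TOKEN_WITH_EMAIL, TOKEN_WITHOUT_EMAIL):
        print(resolve_identity(token_claims(tok), ADS_ACCOUNTS, f"{BASE}/v2.0", CLIENT_ID))
```

To use it against a real tenant, replace `DISCOVERY_DOC` with the JSON fetched from the tenant's `/.well-known/openid-configuration` URL and `CONFIGURED` with the values as entered in the authentication module, then paste the id_token captured from a browser trace or from the token endpoint response into `token_claims` to see which claims it actually contains. The decoder deliberately skips signature verification so that it can be run on a captured token without the key set; it must never be used that way inside the relying party itself.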