Azure Active Directory Reply URL not working as expected

I have specified two URLs in my Azure Active Directory website configuration Reply URL. One to redirect to my localhost environment when I am running local code and one to redirect to my Azure hosted website when I am running the prod website. But Azure Active Directory seems to be ignoring the setting. It only uses one or the other URL but not both. I saw a link describing the problem and a possible solution, but it didn't work for me. The link is:

http://samritchie.net/2013/07/17/azure-ad-single-sign-on-with-multiple-environments-reply-urls/

How do I set up Azure Active Directory to redirect to the appropriate environment?

Yasir asked May 21 '15 21:05
1 Answer

You are not providing details about your implementation, but here is a solution for any case.

You could be using WIF config - which is entirely configuration in your web.config, or you could be using OWIN, where configuration is in your Config.Auth.cs file. Either way, the STS of Azure AD will only use the default reply URI, regardless of where the calls are coming from. You have to explicitly set ReplyUrl to instruct Azure AD to return the user back to one of the registered reply URLs.

WIF solution

When you use WIF, your web config contains the following section:

  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://login.windows.net/yourtenant.com/wsfed"
                    realm="https://yourtenant.com/WebSingleTenant"
                    requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>

which is a bit incomplete! You can add a reply attribute to the wsFederation tag to instruct Azure AD of the new reply URL:

  <wsFederation passiveRedirectEnabled="true"
                issuer="https://login.windows.net/yourtenant.com/wsfed"
                realm="https://yourtenant.com/WebSingleTenant"
                reply="http://any_registered_url/"
                requireHttps="true" />

Note that here you can only use a registered reply URL.

To modify the reply attribute you can safely use web.config transformations, as you do for all your other deployment-specific app settings and connection strings.

OWIN Solution

When you use OWIN, you would have a Startup.Auth.cs file, or your authentication configuration will be directly in your Startup.cs file. It would look something like the following:

    public void ConfigureAuth(IAppBuilder app)
    {
        // Cookie middleware holds the signed-in identity after the OIDC round trip.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // OpenID Connect middleware talks to the Azure AD authority.
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri
            });
    }

Note the configuration settings for OpenIdConnect authentication. You can add a RedirectUri property to instruct where to redirect the user to:

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                // Must exactly match one of the reply URLs registered in Azure AD.
                RedirectUri = "any_registered_redirect_uri"
            });

You can assign RedirectUri to a setting in the Web.Config file, which you can also handle using Web.Config transformations.

astaykov answered Oct 15 '22 23:10
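The answer twice points at web.config transformations as the place to keep the per-environment value, for the WIF `reply` attribute and for the OWIN `RedirectUri`. The following Web.Release.config is an added example (not code from the question, the answer, or the Azure AD samples) showing one transform file that handles both. It assumes the base Web.config carries the localhost values from the answer, that the OWIN startup reads `RedirectUri` from an app setting named `ida:RedirectUri` (an assumed key name), and that `https://www.yourtenant.com/` is a placeholder for whichever production URL has been registered as a reply URL on the app.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Web.Release.config (added example): applied to Web.config at publish
     time by the XDT transform engine. The base Web.config keeps the
     localhost values; this file swaps them for the production values. -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">

  <!-- WIF: overwrite only the reply attribute of the single wsFederation
       element; issuer, realm and requireHttps stay as in Web.config. -->
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation reply="https://www.yourtenant.com/"
                    xdt:Transform="SetAttributes(reply)" />
    </federationConfiguration>
  </system.identityModel.services>

  <!-- OWIN: the Startup code reads this key into RedirectUri (assumed key
       name). Locator matches on key so only this add element is touched. -->
  <appSettings>
    <add key="ida:RedirectUri"
         value="https://www.yourtenant.com/"
         xdt:Transform="SetAttributes(value)"
         xdt:Locator="Match(key)" />
  </appSettings>

</configuration>
```

Both values must match a registered reply URL character for character (scheme, host, path and trailing slash included), otherwise Azure AD rejects the sign-in with the AADSTS50011 reply-URL mismatch error rather than falling back to the default. Keeping the production value in the transform, rather than editing the checked-in Web.config by hand, also means the localhost URL never leaks into the deployed site and the deployed URL is reviewed alongside the other release settings.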