Access to MS Graph blocked by Conditional Access policy - microsoft-graph-api

To read information via the Graph API from our Azure environment I used the Microsoft.Identity.Client library (version 4.18) to authenticate users, with .NET Framework 4.8 in the background.
This worked perfectly for some time, but now a Conditional Access policy has been enabled and the following call ends in an exception.
authResult = Await PublicApp.AcquireTokenByIntegratedWindowsAuth(m_scopes).ExecuteAsync(CancellationToken.None).ConfigureAwait(False)
Exception: AADSTS53001: Device is not in required device state: domain_joined. Conditional Access policy requires a domain joined device, and the device is not domain joined.
dsregcmd /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
From my point of view my device is domain joined and there is no reason to block this access.
Same PC as before. This can be tested in parallel: the app used with a user without Conditional Access works; the app used with a user who has a Conditional Access policy assigned fails.
Any idea what I have to change to run my call with Conditional Access enabled as well?
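An added example, not code from the original question (which is VB.NET): it keeps the Integrated Windows Auth call from the post as the first attempt and, when the tenant's Conditional Access policy answers with AADSTS53001, records the error for the administrator and falls back to an interactive sign-in. It assumes the policy permits an interactive browser sign-in from the joined device; the client id, tenant id and scope are placeholders.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class GraphTokenProvider
{
    // Placeholder scope; the original post passes its own m_scopes array.
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    public static IPublicClientApplication Build()
    {
        return PublicClientApplicationBuilder
            .Create("<CLIENT_ID>")                                        // placeholder
            .WithAuthority(AzureCloudInstance.AzurePublic, "<TENANT_ID>") // placeholder
            .WithDefaultRedirectUri()
            .Build();
    }

    public static async Task<AuthenticationResult> AcquireAsync(IPublicClientApplication app)
    {
        try
        {
            // Same silent flow as the original question: no UI, Windows credentials.
            return await app.AcquireTokenByIntegratedWindowsAuth(Scopes)
                            .ExecuteAsync(CancellationToken.None)
                            .ConfigureAwait(false);
        }
        catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS53001"))
        {
            // Conditional Access could not confirm the required device state
            // through this flow. Keep the error code and any claims challenge
            // for troubleshooting, then let the user sign in through the browser.
            Console.Error.WriteLine($"Conditional Access blocked IWA: {ex.ErrorCode} - {ex.Message}");

            var interactive = app.AcquireTokenInteractive(Scopes);
            if (!string.IsNullOrEmpty(ex.Claims))
            {
                // Forward the claims challenge so the policy is re-evaluated.
                interactive = interactive.WithClaims(ex.Claims);
            }
            return await interactive.ExecuteAsync(CancellationToken.None)
                                    .ConfigureAwait(false);
        }
    }
}
```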

Related

When can ADAL tokens be shared? (iOS)

In my application, I am getting an access token via ADAL's acquireTokenSilent() for one resource, which succeeds, and then I try to get an access token for another resource and it says it was not found, and hence I have to call the API to explicitly prompt for credentials. This is a problem since then the user has to login twice with the same credentials in order to access two different resources.
I am using the same authority for each resource. Here is the message that shows there is no hit in the cache for the second resource.
May 4 13:22:37 iPad MyApp[290] : ADAL 2.4.1 iOS 10.2.1 [2017-05-04 20:22:37 - XXXX] INFO: No items were found for query: (resource https://MYRESOURCE + client + authority https://login.windows.net/common)
So my question is, under what circumstances will tokens be shared across resources, and are there any special allowances (ways to use the APIs) which allow this?
If you are building two native clients (public clients) and you want to enable single sign on across the two, one option is to share the App ID between the apps versus passing the actual token from one service to another service.
For example, let's say your company name is Contoso. You have a Calendar Mobile App and a Document Editor App.
You can create a single Native Client Application with:
A common application name, like "Contoso Apps"
Redirect URIs for both apps
Permissions required for the sum of the two applications
Then when a user signs into either application, they will see a login screen with the generic name "Contoso Apps" and be prompted to consent to permissions for both apps at the same time. Now this might be a little bit of a bad experience, since the permissions of the two will probably be more than the individual permissions required, but that could be fixed in the future with Incremental Consent.
Then, assuming you are using our authentication libraries, which automatically cache the access tokens, when the user opens the second application they will not be prompted to consent because you already have a token cached for that Application ID.
This obviously is not the best solution, but one that has been used in the past for large enterprise applications.

AWSMobileHubHelper DynamoDB AccessDeniedException

I'm using the Swift AWS Mobile Hub Helper to build my iOS app and connect to my DynamoDB database. I can see that after logging in using a Facebook SignInProvider I'm getting an assumed role ARN for an authorized role for the table I'm trying to connect to, but when I try to use the load method on my DynamoDBObjectMapper I get an error like this:
is not authorized to perform: dynamodb:GetItem on resource
I tried downloading a new base app from the Mobile Hub page and making no other alterations but to point it to the new table, but it had the same error. My colleague is building an Android version of our app and he is able to connect to the database, and he says that he made no changes to how he connects, so I'm unsure as to what is causing the error.
EDIT: I've been looking at the federated identity pool that I'm ostensibly being assigned, and the identity ID that Cognito is assigning my device (the simulator) is appearing there if I search for it with the dataset that my code is creating.
For each table in your Mobile Hub app, Hub creates an IAM role policy and attaches it to the role your users assume. If you look under your auth/unauth roles for the app (it will have the Mobile Hub project name in it), you should see a list of attached policies. One of those policies will be for the table you created in Hub. If you want that policy to have expanded capabilities, or in your case give access to a different table, you will either need to edit the policy or create a new policy.
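As an added illustration (not part of the original answer), this is the shape of a least-privilege policy statement that would grant the Cognito role read access to the other table: it allows GetItem and Query on one table only, and the condition uses the pattern AWS documents for fine-grained DynamoDB access so that each Cognito identity can read only items whose partition key equals its own identity ID. Region, account ID and table name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOwnItemsFromNewTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:<REGION>:<ACCOUNT_ID>:table/<TABLE_NAME>",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
      }
    }
  ]
}
```

Drop the Condition block only if the table is not keyed per user; otherwise keeping it is what prevents one identity from reading another identity's items.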

No value being returned by ‘whoami’ Valence API call

A client has been developing a C# MVC program to communicate with the D2L platform using the Valence extensibility libraries. They are able to authenticate their user ID with the platform when registering a new app. However, they are facing a problem with the 'whoami' API call.
According to the 'basic' program on GitHub, there is a session variable called "valenceUserContext" which gets its value from the following command after authenticating with the platform.
Session["valenceUserContext"] = vAppcontext.CreateUserContext( Request.Url, vHost );
Unfortunately there were no values returned from the above command (the error is "cannot perform binding on a null reference"). Do they have to set permissions explicitly for this call in order to get the necessary values returned to the session variable?
There's no mention of user privacy controls for this route in the documentation. There's an API Test Tool that can be used to check the Host, Port, App id, and key. If that works for your client, they should double check these variables in their configuration.

Unauthorized when query.get() in Parse .NET SDK in worker role.

ParseClient.Initialize("id", "key");
//get the publish instance.
string publishInstanceId = msg.Split(':')[1];
var getPublishQuery = ParseObject.GetQuery("PublishInstance");
getPublishQuery.GetAsync(publishInstanceId).Wait(); //Exception raised here - System.AggregateException - Unauthorized.
My App ID and keys are valid and I've checked them thrice. I have also used the Master Key, Client Key and .NET key. None of them work.
This code runs in a worker role in Windows Azure Cloud Services.
I'm using version 1.2.16 of the Parse .NET SDK.
Is your PublishInstance set to allow anonymous access? From the looks of the above you're not logging in, so you could be getting that error due to permissions.
Personally I would suggest creating a service account and logging in using that so you can lock your permissions down.
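An added example of the suggestion above, not code from the original post or the Parse SDK's own samples: the worker role signs in once with a dedicated service account before issuing the query, so the request carries that user's session instead of running anonymously, and the object's ACL can be restricted to that account. App ID, key and the service account's credentials are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Parse;

public static class PublishInstanceReader
{
    // Placeholders; the original post initializes with "id" and "key".
    private const string AppId = "<APP_ID>";
    private const string DotNetKey = "<DOTNET_KEY>";

    public static async Task<ParseObject> LoadAsync(string msg)
    {
        ParseClient.Initialize(AppId, DotNetKey);

        // Assumption: a service account exists in Parse and the PublishInstance
        // objects' ACLs grant that account read access (no public read needed).
        if (ParseUser.CurrentUser == null)
        {
            await ParseUser.LogInAsync("<SERVICE_USER>", "<SERVICE_PASSWORD>");
        }

        // Same message format as the original post: "<prefix>:<objectId>".
        string publishInstanceId = msg.Split(':')[1];
        var getPublishQuery = ParseObject.GetQuery("PublishInstance");

        // Runs with the service account's session; an ACL that excludes it
        // still fails, which is the intended least-privilege behaviour.
        return await getPublishQuery.GetAsync(publishInstanceId);
    }
}
```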

Primer on Getting Started

I'm just getting started with D2L and am running into problems.
On the "Getting Started" page, I have completed the first three steps:
1) Acquire an App Key/ID pair from D2L - I have received the App ID and App Key
2) Create a test account in your host LMS - I have created a new user account with the administrator role for testing
3) Choose a client library to work with - I am using the PHP SDK
4) Authenticate with your LMS - This is where I'm running into trouble.
When I use the Getting Started sample:
http://samples.valence.desire2learn.com/samples/GettingStartedSample/
and enter my host, app ID and app key and hit the "Authenticate" button, I get a "This application is not authorized on this LMS instance. Ask your administrator to authorize this application" error.
I am an administrator on my D2L host and I'm not sure how to authorize my own app.
I have tried the following:
Navigating to the "Manage Extensibility" page because that's where D2L says my app should be located, but it isn't there.
Enabling the API (d2l.Security.Api.EnableApi) under the "DOME" page to no avail.
What am I doing wrong?
Based on your question and comments, there were two issues here:
First is that the list of App ID/Key pairs appropriate for your LMS is regularly fetched by your LMS from the D2L KeyTool service. The schedule for this fetching is once a day; accordingly, if the scheduled task isn't set up, or if your LMS isn't identifying itself properly to the KeyTool service, or if time hasn't yet elapsed after key granting to the next scheduled run of the task, the App won't yet be in your LMS' Manage Extensibility list. It sounds like you no longer have that issue.
Second is that the Valence Learning Framework APIs' authentication process (requesting and retrieving a set of user tokens for an LMS user) requires several LMS features to be properly set up: (a) the LMS must be configured to support Deep Linking, (b) the LMS must be set up to handle the ?target= parameter on incoming client URL requests, and curate that parameter throughout the user authentication process.
In cases where your LMS is not doing the user authentication but depending upon another, third-party IDP (like Shibboleth), any ?target= parameter passed into the login process must be taken care of by the IDP and properly handed back to the LMS after user authentication. In a situation where you have multiple redirections occurring during user authentication, this can involve successive generation of a target parameter, and each generation must re-URL-encode the previous request URL in its entirety (like sticking an envelope inside another envelope, inside yet another envelope).
If your LMS is not properly configured to support these two points, which you might not notice during other operations, then client calls to the Learning Framework APIs won't work because the calling client won't be able to fetch back a set of user tokens.
To solve the second of these issues, you may have to contact D2L's Customer Support desk -- they can verify, and adjust as necessary, the LMS configuration part of this authentication chain. If you're integrating your LMS with other third-party IDP components not administered or deployed by D2L, then you might also need to adjust their configurations: D2L can likely advise on what needs to be done there (curate the target parameter on URLs), but cannot adjust the configuration for you in those cases.