Azure AD is getting URL not application identifier

Question

Azure AD is getting URL not application identifier

frank42195 opened this issue a year ago · comments

I created an enterprise application but am getting error AADSTS700016 saying that the application identifier was not found in the tenant's directory. It is giving the URL of my web site as the application identifier, not the actual application identifier. I see where the Directory (tenant) ID is in the SSO URL:
https://login.microsoftonline.com//saml2

I have tried putting the application id in the field "Identity Provider Entity ID", but that isn't showing up in the error message. The URL for my website is.

frank42195 · Answer 1 · Mon Apr 10 2023 00:36:26 GMT+0800 (China Standard Time)

Where are you finding these settings? I don’t see them on the configuration page for the plugin. From: Tobiko88 ***@***.***> Sent: Sunday, April 9, 2023 4:44 AM To: derricksmith/phpsaml ***@***.***> Cc: Frank Fernandez ***@***.***>; Author ***@***.***> Subject: Re: [derricksmith/phpsaml] Azure AD is getting URL not application identifier (Issue #131) had the same Problem. change SSo Type to Generic and change the common in the Authorize URL and AccessToken URL to your Azure Tenant ID. Then it should work. It Would be very nice to add this to the Wiki. — Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/derricksmith/phpsaml/issues/131*issuecomment-1501109026__;Iw!!K-Hz7m0Vt54!g3dXBIdwpfZgkVVnk12-zHK78r0guOSvoR28YSnBgEZGceJqSa7ZE8qkjG369gTXD4GqknpvwtxL7DcUz4ia$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/AHCLANFHJB73LPFACCYJH4DXAKOHDANCNFSM6AAAAAAWTLMXDI__;!!K-Hz7m0Vt54!g3dXBIdwpfZgkVVnk12-zHK78r0guOSvoR28YSnBgEZGceJqSa7ZE8qkjG369gTXD4GqknpvwtxL7Lw1Btmk$>. You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>

frank42195 · Answer 2 · Mon Apr 10 2023 08:20:20 GMT+0800 (China Standard Time)

To be specific, the PHP SAML configuration page has these settings: Plugin Enforced, Strict, Debug, Just In Time Provisioning, Service Provider Certificate, Service Provider Key, Name ID Format, IdP Entity ID, IdP SSO URL, IdP Single Logout Service, IdP X509 Certificate, Requested Authn Context, Req Ath Comparison, Encrypt NameID, Sign Auth Reqs, Sign Logout Reqs, Sign Logot Response.

The Azure tenant is our university and I am accessing the IdP SSO login URL as https://login.microsoftonline/put-tenant-id-here/saml2. I have tried putting the application ID in the IdP entity ID, but it still is using the URL of our web site.

Tobiko88 · Answer 3 · Mon Apr 10 2023 18:01:59 GMT+0800 (China Standard Time)

Hi Frank, sorry i delted my poste because i mixed up the two Plugins

phpsaml and singlesignon (from Edgard Lorraine Messias)

I figured it out how it works, i only have one problem with the transport of the email-address for JIT

Have a look at the phpsaml.xml
https://github.com/derricksmith/phpsaml/blob/master/phpsaml.xml

there you can download the version 1.2.1 https://github.com/derricksmith/phpsaml/archive/1.2.1.zip

Put it in the plugins folder as "phpsaml" then you can install the Plugin and configure it.

I got the problem, that wasn't able to safe the settings from the configuration page. So i changed everything in the table "glpi_plugin_phpsaml_configs"

then u should have every information in the readme.md or in the wiki https://github.com/derricksmith/phpsaml/wiki

Now i get the error: "JIT Error: Unable to create user because missing claims (emailaddress)"

Tobiko88 · Answer 4 · Mon Apr 10 2023 19:16:20 GMT+0800 (China Standard Time)

Ok, i found my solution:

the Name ID Format must be set as Email Address and the Requested Authn Context to X509

Now it works as expected :)

frank42195 · Answer 5 · Wed Apr 12 2023 02:00:51 GMT+0800 (China Standard Time)

I am still getting the error that “ Application with identifier <web page url> was not found in the directory <university name>”. Nowhere in the table glpi_plugin_phpsaml_configs is there the web page’s url, so is it an httpd module that is misconfigured? I am using the OpenID Connect client Apache module. Also the application ID in Azure is a GUID which I assume is the Identity Provider entity ID. I would expect the error message from Azure to list the GUID as not being found. ~ Frank From: Tobiko88 ***@***.***> Sent: Monday, April 10, 2023 3:02 AM To: derricksmith/phpsaml ***@***.***> Cc: Frank Fernandez ***@***.***>; Author ***@***.***> Subject: Re: [derricksmith/phpsaml] Azure AD is getting URL not application identifier (Issue #131) Hi Frank, sorry i delted my poste because i mixed up the two Plugins phpsaml and singlesignon (from Edgard Lorraine Messias) I figured it out how it works, i only have one problem with the transport of the email-address for JIT Have a look at the phpsaml.xml https://github.com/derricksmith/phpsaml/blob/master/phpsaml.xml<https://urldefense.com/v3/__https:/github.com/derricksmith/phpsaml/blob/master/phpsaml.xml__;!!K-Hz7m0Vt54!mbnzUOVxotTt_Xdlc2z2b_IVpkfNpXB26FxwUvd2O3nKrbDt4YHuceLGMzLZ7tMvSBR2BKbhO_4Iw7YljAp0$> there you can download the version 1.2.1 https://github.com/derricksmith/phpsaml/archive/1.2.1.zip<https://urldefense.com/v3/__https:/github.com/derricksmith/phpsaml/archive/1.2.1.zip__;!!K-Hz7m0Vt54!mbnzUOVxotTt_Xdlc2z2b_IVpkfNpXB26FxwUvd2O3nKrbDt4YHuceLGMzLZ7tMvSBR2BKbhO_4Iw4MEj4U1$> Put it in the plugins folder as "phpsaml" then you can install the Plugin and configure it. I got the problem, that wasn't able to safe the settings from the configuration page. So i changed everything in the table "glpi_plugin_phpsaml_configs" then u should have every information in the readme.md or in the wiki https://github.com/derricksmith/phpsaml/wiki<https://urldefense.com/v3/__https:/github.com/derricksmith/phpsaml/wiki__;!!K-Hz7m0Vt54!mbnzUOVxotTt_Xdlc2z2b_IVpkfNpXB26FxwUvd2O3nKrbDt4YHuceLGMzLZ7tMvSBR2BKbhO_4IwxJReb-c$> Now i get the error: "JIT Error: Unable to create user because missing claims (emailaddress)" — Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/derricksmith/phpsaml/issues/131*issuecomment-1501630779__;Iw!!K-Hz7m0Vt54!mbnzUOVxotTt_Xdlc2z2b_IVpkfNpXB26FxwUvd2O3nKrbDt4YHuceLGMzLZ7tMvSBR2BKbhO_4Iwygl96NM$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/AHCLANFPIWYPZK6OWZW5Y7DXAPLCFANCNFSM6AAAAAAWTLMXDI__;!!K-Hz7m0Vt54!mbnzUOVxotTt_Xdlc2z2b_IVpkfNpXB26FxwUvd2O3nKrbDt4YHuceLGMzLZ7tMvSBR2BKbhO_4IwyS_8OwK$>. You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>

DonutsNL · Answer 6 · Sun Apr 30 2023 03:33:22 GMT+0800 (China Standard Time)

This is the most basic Azure configuration...

DonutsNL · Answer 7 · Tue May 30 2023 20:39:44 GMT+0800 (China Standard Time)

@derricksmith maybe we should post this or a simular image in the readme with some configuration comments. for instance what bindings to use (if someone needs to configure them manually).

No more activity, I suggest we close this issue.