0
votes

Via an IEF custom policy, the Claims Provider -> "OpenIdConnect" Technical Profile's Metadata points to a third-party IdP's OIDC metadata endpoint.

When running the policy, Azure ADB2C custom policy returns:

“Unable to connect to the metadata endpoint”

with a second (inner) exception:

"The request was aborted: Could not create SSL/TLS secure channel."

{
  "Kind": "FatalException",
  "Content": {
    "Time": "0:00 PM",
    "Exception": {
      "Kind": "Handled",
      "HResult": "80131500",
      "Message": "Unable to connect to the metadata endpoint 'https://<redacted>/.well-known/openid-configuration'",
      "Data": {
        "IsPolicySpecificError": false,
        "uri": "https://<redacted>/.well-known/openid-configuration"
      },
      "Exception": {
        "Kind": "Handled",
        "HResult": "80131500",
        "Message": "An error occurred while sending the request.",
        "Data": {},
        "Exception": {
          "Kind": "Handled",
          "HResult": "80131509",
          "Message": "The request was aborted: Could not create SSL/TLS secure channel.",
          "Data": {}
        }
      }
    }
  }
}

Since the IdP only supports a single cipher, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013), this might be the limiting factor. Is there a list of supported SSL/TLS protocols and ciphers known or published in the AAD / AAD B2C documentation?

The SSL cert is valid and chains to a major trusted certificate authority.


2 Answers

0
votes

The metadata endpoint must be secured by a certificate signed by a valid CA.

0
votes

Adding additional TLS 1.2 ciphers to the IdP "resolved" the issue. It is still unclear why this change actually fixed anything, as sporadic support for a cipher seems to indicate an issue in either the B2C farm's outbound cipher support or the inbound cipher support at the IdP. I have done diligence confirming the IdP offered up that same cipher, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013), on every connect.

Ciphers added to the IdP:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)
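The failure in the question and the fix in this answer both come down to one check: does the set of cipher suites the IdP offers intersect the set the B2C client will accept? The script below is an added example, not code from the question, the answer, or Microsoft. It parses cipher lists in the "NAME (0xCODE)" form used above (the before-fix list is the single suite from the question, the after-fix list is copied from this answer), computes the intersection with a client list, and flags properties that hardened clients commonly disable (CBC mode, SHA-1 MAC, static RSA key exchange). Because Azure AD B2C does not publish its outbound cipher list here, the local OpenSSL client list from `ssl.SSLContext.get_ciphers()` stands in for it; that substitution is an assumption, as is the hardening heuristic. The `probe` helper does a real handshake against a live endpoint and is only for interactive use.

```python
"""Diagnose a TLS cipher-suite mismatch between an OIDC metadata endpoint and a client.

Added example (not from the original question or answers). Uses only the standard
library. The local OpenSSL cipher list is an assumed stand-in for the B2C client.
"""
import re
import socket
import ssl
from typing import Dict, List, Optional

# Cipher suites the IdP offered after the fix, copied from the answer above.
IDP_AFTER_FIX = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_256_CBC_SHA(0x35) TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)
"""
# The single suite the IdP offered before the fix (from the question).
IDP_BEFORE_FIX = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)"

# Matches "NAME (0xCODE)" with or without a space before the parenthesis.
SUITE_RE = re.compile(r"(TLS_[A-Z0-9_]+)\s*\((0x[0-9a-fA-F]+)\)")


def parse_suites(text: str) -> Dict[int, str]:
    """Map IANA cipher-suite code -> IANA name from 'NAME (0xCODE)' text."""
    return {int(code, 16): name for name, code in SUITE_RE.findall(text)}


def local_client_suites() -> Dict[int, str]:
    """Cipher suites the local OpenSSL client would offer (assumed stand-in for B2C)."""
    ctx = ssl.create_default_context()
    # OpenSSL reports ids as 0x0300XXXX; the low 16 bits are the IANA code.
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def negotiable(server: Dict[int, str], client: Dict[int, str]) -> List[int]:
    """Codes both sides support; an empty list means the handshake must fail."""
    return sorted(set(server) & set(client))


def hardening_flags(server: Dict[int, str]) -> Dict[int, List[str]]:
    """Heuristic: properties that commonly get a suite disabled by hardened clients."""
    flags: Dict[int, List[str]] = {}
    for code, name in server.items():
        reasons = []
        if "_CBC_" in name:
            reasons.append("CBC mode (no AEAD)")
        if name.endswith("_SHA"):
            reasons.append("SHA-1 MAC")
        if not (name.startswith("TLS_ECDHE_") or name.startswith("TLS_DHE_")):
            reasons.append("no forward secrecy (static RSA key exchange)")
        if reasons:
            flags[code] = reasons
    return flags


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Handshake with a live endpoint using local defaults; return the negotiated
    suite name. Needs network access; not used by the offline checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher = tls.cipher()
            return cipher[0] if cipher else None


if __name__ == "__main__":
    client = local_client_suites()
    for label, text in (("before fix", IDP_BEFORE_FIX), ("after fix", IDP_AFTER_FIX)):
        server = parse_suites(text)
        common = negotiable(server, client)
        print(f"{label}: {len(server)} offered, {len(common)} negotiable with local client")
        for code, reasons in hardening_flags(server).items():
            print(f"  0x{code:04x} {server[code]}: {', '.join(reasons)}")
```

Run it as-is to compare the before and after lists against the local client; when the before-fix list shows zero negotiable suites against the client you care about, that reproduces "Could not create SSL/TLS secure channel" without touching the IdP. To record what a live endpoint actually negotiates, call `probe("<idp host>")` from an interpreter.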