0
votes

I want to authenticate a service user with username and password against an On-Prem ADFS Server 2019. Then use the provided token to access a SharePoint Online site in the context of the user. This should be the Single Sign-On (SSO) flow. In my attempts I get the "AADSTS50013: Assertion failed signature validation" error.

The On-Prem app registration is configured as follows: [screenshot: ADFS On-Prem App Registration]

Then I use the MSAL C# library to get the token as follows:

using System.Security;
using Microsoft.Identity.Client;

// clientID, tenantID, RedirectUri, scopes, username and password come from the app registration (values omitted)
var authority = "https://adfs.MYCOMPANY.net/adfs";
IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientID)
                              .WithAdfsAuthority(authority)   // the token is issued by the on-prem ADFS
                              .WithTenantId(tenantID)
                              .WithRedirectUri(RedirectUri)
                              .Build();
// convert password to SecureString
var securePassword = new SecureString();
foreach (char c in password) securePassword.AppendChar(c);
// Request token (blocking on .Result here; use await in async code)
var result = app.AcquireTokenByUsernamePassword(scopes, username, securePassword).ExecuteAsync().Result;
var token = result?.AccessToken;

This will result in a "valid" token issued by the On-Prem ADFS (jwt.io screenshot):

[screenshot: Token]

The next step is to access the SharePoint Online resource with this token. But this will result in an error. For testing purposes I send a request against https://TENANT.sharepoint.com/_api/web/currentuser with the header "Authorization=Bearer eyJ0...", but it fails with "Token contains invalid signature".

So I also tried converting the SAML token into a different JWT token by sending a request to https://login.microsoftonline.com/7fc3a154-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/token. I created a separate app registration in Azure for this request, but I couldn't enable SSO on the app registration as described here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso. So the following request still gives me an "AADSTS50013: Assertion failed signature validation". [screenshot: SAML token convert]

My thought was that the On-Prem AD is synchronized with the Azure AD. But the error looks like I need to add an additional signing certificate to the Azure AD.

  1. Do I need to configure this certificate separately in Azure?
  2. Or do I need to convert this SAML token into a different one?

1 Answer

0
votes

The first problem with my approach is the use of an On-Prem app registration. We want to access a resource in Azure, so we need an app registration in the Azure AD.

The second problem seems to be a problem with the MSAL library, because the JWT token we get via WithAdfsAuthority(authority) cannot be used for authentication against Azure. Therefore we need to manually get a SAML token from the on-prem ADFS first. Then we take the SAML token, which is formatted as XML, and send it to $"https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token". I found a blog where all these steps are documented in detail: https://blogs.aaddevsup.xyz/2020/06/using-postman-to-request-an-azure-ad-token-via-saml-assertion-grant-flow/
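As an added example (not code from the question, the answer or the linked blog), here is a Python sketch of the two checks this answer implies: read the unverified issuer of the JWT that MSAL returned to confirm it came from the on-prem ADFS rather than Azure AD, and build the form body for the SAML bearer assertion grant against the v2.0 token endpoint. The grant-type URNs, the Azure AD issuer formats and the base64url encoding of the assertion (RFC 7522) are assumed from the OAuth and Microsoft identity documentation; every value shown is a constructed placeholder.

```python
import base64
import json

# Grant-type URNs for the SAML bearer assertion flow (assumed from RFC 7522 /
# Microsoft identity docs); ADFS usually hands out a SAML 1.1 assertion.
SAML_GRANT_TYPES = {
    "1.1": "urn:ietf:params:oauth:grant-type:saml1_1-bearer",
    "2.0": "urn:ietf:params:oauth:grant-type:saml2-bearer",
}

def b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding (JWT segments omit '=')."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def inspect_jwt_unverified(token: str) -> dict:
    """Header and claims WITHOUT signature verification: diagnosis only,
    never use the result to authorize anything."""
    header, payload, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "claims": json.loads(b64url_decode(payload))}

def issued_by_azure_ad(claims: dict, tenant_id: str) -> bool:
    """True only for Azure AD v1/v2 issuers. A token whose 'iss' is the
    on-prem ADFS is signed with a key SharePoint Online does not trust,
    which matches the 'Token contains invalid signature' error."""
    return claims.get("iss") in {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }

def build_saml_bearer_request(tenant_id: str, client_id: str,
                              saml_assertion_xml: str, scope: str,
                              saml_version: str = "1.1"):
    """URL and form body for exchanging the ADFS SAML assertion for an
    Azure AD access token. client_id is the Azure (not on-prem) app registration."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": SAML_GRANT_TYPES[saml_version],
        "client_id": client_id,
        "assertion": b64url_encode(saml_assertion_xml.encode("utf-8")),
        "scope": scope,
    }
    return url, form

def make_demo_jwt(header: dict, claims: dict) -> str:
    """Constructed, unsigned demo token; the signature segment is a placeholder."""
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    return ".".join(parts + ["placeholder-signature"])
```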