SecureAuth IdP Version affected: All
Description:
This article shows how to allow access to the OIDC/OAuth endpoints on a Windows SSO realm.
Cause:
When you enable Windows SSO, it is enabled for the entire realm. This works fine for the authorize endpoint (OidcAuthorize.aspx), because the browser presents the Windows SSO credentials there.
What it does not work well for are the other endpoints:
https://.../secureauth1/oidctoken.aspx
https://.../secureauth1/oidcuserinfo.aspx
https://.../secureauth1/oidcendsession.aspx
https://.../secureauth1/oidcchecksession.aspx
https://.../secureauth1/.well-known/openid-configuration
https://.../secureauth1/OAuthintrospect.aspx
https://.../secureauth1/OAuthRevocate.aspx
Resolution:
When Windows SSO is enabled, it protects all the endpoints in the realm, which is not helpful for OIDCToken.aspx and the other endpoints listed above, because of the way they are reached (they are not called by a browser holding the user's Windows credentials). Switch those endpoints to Anonymous authentication in IIS, leaving only OidcAuthorize.aspx on Windows authentication:
1. Open IIS Manager and navigate to the realm.
2. Click Content View.
3. Select the endpoint, e.g. OIDCToken.aspx.
4. Click Switch to Features View (on the right side of the page).
5. Click Authentication.
6. Change the authentication to Anonymous as per the screenshot.
7. Repeat for the other endpoints (apart from OidcAuthorize.aspx).
8. For help with accessing the endpoint https://SecureAuthIdP/SecureAuth#/.well-known/openid-configuration, see this article:
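The same change can be scripted and verified from an elevated PowerShell session on the IdP server. The script below is an added example, not SecureAuth's own tooling: it uses the standard IIS WebAdministration module to write per-file authentication overrides for the endpoints listed in this article and then reports the effective setting for each, including OidcAuthorize.aspx, which must stay on Windows authentication. The site name "Default Web Site" and the realm folder "secureauth1" are assumptions taken from typical layouts and the URLs above; adjust both for your appliance.

```powershell
# Added example (not SecureAuth's script): switch a realm's OIDC/OAuth endpoints to
# Anonymous authentication while leaving OidcAuthorize.aspx on Windows authentication.
# ASSUMPTIONS: the IIS site is named "Default Web Site" and the realm folder is
# "secureauth1"; change both to match the appliance. Run as Administrator.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumed site name
$Realm    = 'secureauth1'        # realm folder as in the article's URLs

# Endpoints from the article that must not demand Windows credentials.
$AnonymousEndpoints = @(
    'oidctoken.aspx',
    'oidcuserinfo.aspx',
    'oidcendsession.aspx',
    'oidcchecksession.aspx',
    '.well-known/openid-configuration',
    'OAuthintrospect.aspx',
    'OAuthRevocate.aspx'
)

$AnonFilter = '/system.webServer/security/authentication/anonymousAuthentication'
$WinFilter  = '/system.webServer/security/authentication/windowsAuthentication'

foreach ($endpoint in $AnonymousEndpoints) {
    $location = "$SiteName/$Realm/$endpoint"
    # Writing with -PSPath 'IIS:\' plus -Location stores the override as a <location>
    # element in applicationHost.config (what IIS Manager does), so it works even when
    # the authentication sections are locked against web.config overrides.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $AnonFilter -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $WinFilter  -Name enabled -Value $false
}

# Verification: show the effective setting per endpoint. Expect Anonymous=True/Windows=False
# for the list above and Anonymous=False/Windows=True for OidcAuthorize.aspx.
$toCheck = $AnonymousEndpoints + 'OidcAuthorize.aspx'
foreach ($endpoint in $toCheck) {
    $location = "$SiteName/$Realm/$endpoint"
    $anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $AnonFilter -Name enabled).Value
    $win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $WinFilter  -Name enabled).Value
    [pscustomobject]@{ Endpoint = $endpoint; Anonymous = $anon; Windows = $win }
}
```

Run the verification loop on its own after making the change in IIS Manager to confirm nothing was missed; if the reader comment below applies to your environment, the same loop can be run over the additional files it names once you know their path under the realm.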
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
Comments
In some scenarios, the following files also needed to be switched to Anonymous Authentication:
MFA.WebControls.dll
SecureAuth.Foundation.dll
If not, the IdP will start capturing the user ID in the domain\username format. When sent to the provider, the IdP will not find a match since it will be querying for "domain\username" when the user object exists as "username" in the data store.