OIDC/OAUTH with Windows SSO Realm

    Applies to:
  • Legacy SecureAuth IdP
    Deployment model:
  • On Premises
    SecureAuth IdP version affected: All


    Description:

    This article shows how to allow access to the OIDC/OAuth endpoints on a Windows SSO realm.

     

    Cause

    When you enable Windows SSO, it is enabled for the entire realm. This works fine for Authorized/OidcAuthorize.aspx, because that is where the Windows SSO credentials are passed.

    Where it does not work well is the other endpoints, which are called directly by the client or relying party rather than through the user's browser session:
    https://.../secureauth1/oidctoken.aspx
    https://.../secureauth1/oidcuserinfo.aspx
    https://.../secureauth1/oidcendsession.aspx
    https://.../secureauth1/oidcchecksession.aspx
    https://.../secureauth1/.well-known/openid-configuration
    https://.../secureauth1/OAuthintrospect.aspx
    https://.../secureauth1/OAuthRevocate.aspx

     

    Resolution:

    When Windows SSO is enabled, it protects every endpoint in the realm. That is not helpful for OIDCToken.aspx and the other endpoints listed above, because of the way they are reached: they are called directly (for example by the relying party with its client credentials), so there is no Windows SSO credential to present and the request is rejected. The fix is to switch those individual files to Anonymous authentication in IIS while leaving OidcAuthorize.aspx on Windows authentication.

    1. Open IIS and navigate to the realm.

    2. Click content view

    3. Select the endpoint, e.g. OIDCToken.aspx

    4. Click "Switch to Features View" (on the right side of the page)

    [Screenshot: IIScontent.PNG]

    5. Click Authentication

    6. Change the authentication to Anonymous Authentication (enabled) as per the screenshot

    [Screenshot: authentication.PNG]

    7. Repeat for the other endpoints listed above (apart from OidcAuthorize.aspx, which must keep Windows authentication)

    8. For help with accessing the discovery endpoint https://SecureAuthIdP/SecureAuth#/.well-known/openid-configuration, see this article:

    https://support.secureauth.com/hc/en-us/articles/360019885831-OAuth2-OIDC-URI-generates-a-401-error-on-WinSSO-realms
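    The same per-file change can be scripted and verified from PowerShell on the appliance, which is useful when a realm has to be redone after an upgrade or when several realms need the same treatment. The script below is an added example and is not part of the SecureAuth article or product; it uses the standard IIS WebAdministration module. The site name ("Default Web Site"), the realm folder ("secureauth1", taken from the URLs above) and the path of the authorize endpoint are assumptions to adjust for your appliance. It covers the .aspx endpoints the article lists; the .well-known/openid-configuration path is left to the linked article, and OidcAuthorize.aspx is intentionally excluded and only read back as a control.

```powershell
# Added example (not from the SecureAuth article): switch the listed OIDC/OAuth
# endpoints on a Windows SSO realm to Anonymous authentication in IIS. This is
# what steps 1-7 above do by hand in IIS Manager, plus a read-back check.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'   # ASSUMPTION: IIS site hosting the IdP
$RealmPath = 'secureauth1'        # ASSUMPTION: realm folder, as in the article's URLs
$AuthorizeFile = 'OidcAuthorize.aspx'  # ASSUMPTION: authorize endpoint in this realm

# Endpoints from the article. OidcAuthorize.aspx is deliberately NOT in this
# list: it must keep Windows SSO because that is where the SSO credentials arrive.
$Endpoints = @(
    'oidctoken.aspx',
    'oidcuserinfo.aspx',
    'oidcendsession.aspx',
    'oidcchecksession.aspx',
    'OAuthintrospect.aspx',
    'OAuthRevocate.aspx'
)

# Per-file authentication settings live in <location> tags in
# applicationHost.config (the authentication sections are normally locked
# against web.config), which is also where IIS Manager writes them.
$AppHost    = 'MACHINE/WEBROOT/APPHOST'
$AuthFilter = 'system.webServer/security/authentication'

function Set-EndpointAnonymous {
    param([string]$Location)
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$AuthFilter/anonymousAuthentication" -Name 'enabled' -Value $true
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$AuthFilter/windowsAuthentication" -Name 'enabled' -Value $false
}

function Get-EndpointAuthState {
    param([string]$Location)
    $anon = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$AuthFilter/anonymousAuthentication" -Name 'enabled'
    $win  = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$AuthFilter/windowsAuthentication" -Name 'enabled'
    [pscustomobject]@{
        Location  = $Location
        Anonymous = [bool]$anon.Value
        Windows   = [bool]$win.Value
    }
}

foreach ($file in $Endpoints) {
    Set-EndpointAnonymous -Location "$SiteName/$RealmPath/$file"
}

# Read back every changed endpoint plus the authorize endpoint as a control;
# the control must still show Windows = True.
$check = ($Endpoints + $AuthorizeFile) | ForEach-Object {
    Get-EndpointAuthState -Location "$SiteName/$RealmPath/$_"
}
$check | Format-Table -AutoSize

# Fail loudly if a listed endpoint still has Windows auth on (or anonymous
# off), or if the authorize endpoint lost Windows auth.
$bad = $check | Where-Object {
    ($_.Location -notlike "*/$AuthorizeFile" -and (-not $_.Anonymous -or $_.Windows)) -or
    ($_.Location -like "*/$AuthorizeFile" -and -not $_.Windows)
}
if ($bad) {
    Write-Error "Unexpected authentication state:`n$($bad | Out-String)"
}
```

Run it from an elevated PowerShell session on the appliance. Writing to MACHINE/WEBROOT/APPHOST with -Location produces the same `<location path="...">` entries that IIS Manager creates, so the result can be reviewed in IIS Manager afterwards exactly as in the screenshots above, and a later realm-level change to Windows SSO will not silently undo it without also showing up in the read-back table.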



    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.


    Comments

    1 comment
    • In some scenarios, the following files also needed to be switched to Anonymous Authentication:
      MFA.WebControls.dll
      SecureAuth.Foundation.dll

      If not, the IdP will start capturing the user ID in the domain\username format. When sent to the provider, the IdP will not find a match since it will be querying for "domain\username" when the user object exists as "username" in the data store.

