Azure AD federated authentication not working with Sitecore 9.1 Initial Release, but the same code and configuration working with Sitecore 9.0 Update 1

Hi,


We have configured federated authentication in Sitecore 9.1 Initial Release by following the steps available at

https://labs.tadigital.com/index.php/2018/02/16/integrating-federated-authentication-for-sitecore-9-with-azure-ad/ 

http://blog.nikkipunjabi.com/2018/03/sitecore-federated-authentication-part-3-sitecore-user-and-claims-identity.html 


Now in Sitecore 9.1 Initial Release, when I click on 'Sign-in with Azure Active Directory' it redirects to the Microsoft login page and also validates the user successfully, but once it redirects back to my Sitecore page it does not open the dashboard or log in to the Sitecore site, because the user is not created in Sitecore.

But when I tried the same configuration with Sitecore 9.0 Update 1 and Update 2 it works fine: the Sitecore user is created and it opens the Sitecore Dashboard.


So I checked the OWIN logs, and they show me the following:

24824 13:17:12 WARN Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationMiddleware - The nonce cookie was not found.
24824 13:17:12 ERROR Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationMiddleware - Exception occurred while processing message:
Exception: Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException
Message: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
Source: Microsoft.IdentityModel.Protocols.OpenIdConnect
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__1a.MoveNext()


Any help is much appreciated.

  • The login in Sitecore 9.1 is different from 9.0.
    In Sitecore 9.1, Sitecore Identity has been introduced as the default single sign-on mechanism across XM, XP, and XC. Sitecore Identity is backwards compatible with Sitecore Membership user storage and can be extended with other identity providers such as Azure AD, Auth0, and so on.

    See doc.sitecore.com/.../configure-federated-authentication.html
    for setting up Sitecore 9.1 with Azure AD.
  • In reply to Jan Bluemink:

    Hi,

    Thanks for the suggestion; finally I am able to resolve this issue with 9.1. Actually this issue is with the latest Microsoft OWIN implementation: the cookies are not maintained, so I have made changes in the custom pipeline code for 9.1 as below.

    // Sitecore 9.1 identity provider processor: the base constructor now takes an
    // ICookieManager in addition to the federated-authentication configuration and settings.
    public class CustomAzureADIdentityProvider : IdentityProvidersProcessor
    {
        public CustomAzureADIdentityProvider(
            FederatedAuthenticationConfiguration federatedAuthenticationConfiguration,
            ICookieManager cookieManager,
            BaseSettings settings)
            : base(federatedAuthenticationConfiguration, cookieManager, settings)
        {
        }
    }

    Also, going through the link below I was able to resolve my issue in Sitecore 9.1:

    stackoverflow.com/.../too-many-openid-nonce-cookies-cause-bad-request
  • In reply to Rajendra Patil:

    Hi Rajendra,

    I am stuck at the same position. The first time I log in using Azure AD in Sitecore 9.1 (Initial Release), it sends me to the Sitecore CD page, but when I come back and click the Azure AD login button again it logs me in to Sitecore with the proper role. I checked the OWIN logs and I am still getting the same error described below.

    Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationMiddleware - The nonce cookie was not found.
    10276 09:31:40 ERROR Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationMiddleware - Exception occurred while processing message:
    Exception: Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException
    Message: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
    Source: Microsoft.IdentityModel.Protocols.OpenIdConnect
    at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext)
    at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext)
    at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__1a.MoveNext()

    Can you please share the code and configs which worked for you?

    Thanks,
    Rakesh
  • In reply to Rakesh Bhatt:

    Hi Rakesh,

    Actually it is an issue in the OWIN implementation; you need to write custom code to maintain the nonce cookie.
    With the 9.1 Initial Release, OWIN is updated to a new version, so you will get the error "nonce cookie not found".

    You can refer to the Stack Overflow question below for ASP.NET MVC:

    stackoverflow.com/.../too-many-openid-nonce-cookies-cause-bad-request


    Also, you can refer to the code on GitHub:

    github.com/.../owin-cookie-saver


    Thanks & Regards,
    Rajendra Patil
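To make the fix above concrete, here is an added example (not code from the thread or from Sitecore) of a Sitecore 9.1 identityProviders processor that registers the cookie-saver middleware ahead of the OpenID Connect middleware and keeps nonce validation switched on. It assumes the cookie saver referred to above is the Kentor.OwinCookieSaver package (UseKentorOwinCookieSaver); the class name, the "AzureAD" provider id and the tenant, client id and redirect URI values are placeholders.

```csharp
using System.Threading.Tasks;
using Kentor.OwinCookieSaver;   // assumed to be the cookie-saver package referred to above
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Sitecore.Abstractions;
using Sitecore.Owin.Authentication.Configuration;
using Sitecore.Owin.Authentication.Extensions;
using Sitecore.Owin.Authentication.Pipelines.IdentityProviders;

// Hypothetical identityProviders processor for Sitecore 9.1; URLs and ids are placeholders.
public class AzureAdIdentityProviderProcessor : IdentityProvidersProcessor
{
    public AzureAdIdentityProviderProcessor(
        FederatedAuthenticationConfiguration federatedAuthenticationConfiguration,
        ICookieManager cookieManager, BaseSettings settings)
        : base(federatedAuthenticationConfiguration, cookieManager, settings)
    { }
    protected override string IdentityProviderName => "AzureAD"; // id from the config patch
    protected override void ProcessCore(IdentityProvidersArgs args)
    {
        var identityProvider = GetIdentityProvider();
        // Register the cookie saver before the OIDC middleware so the nonce cookie written during
        // the challenge redirect survives; otherwise the callback logs "nonce cookie was not found".
        args.App.UseKentorOwinCookieSaver();
        args.App.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = identityProvider.Name,
            AuthenticationMode = AuthenticationMode.Passive,
            Authority = "https://login.microsoftonline.com/<tenant-id>",  // placeholder
            ClientId = "<azure-app-registration-client-id>",              // placeholder
            RedirectUri = "https://<sitecore-host>/signin-azuread",       // placeholder
            ResponseType = OpenIdConnectResponseType.IdToken,
            // Keep nonce validation on: the nonce ties the id_token to this browser's sign-in
            // request and blocks replay of a captured token. RequireNonce = false only hides the error.
            ProtocolValidator = new OpenIdConnectProtocolValidator { RequireNonce = true },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    // Apply the configured claim transformations so Sitecore creates the user with mapped roles.
                    n.AuthenticationTicket.Identity.ApplyClaimsTransformations(
                        new TransformationContext(FederatedAuthenticationConfiguration, identityProvider));
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

The processor is wired into the identityProviders pipeline by a config patch that names the class and declares the "AzureAD" provider, exactly as for any other Sitecore 9.1 federated provider.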
  • In reply to Rajendra Patil:

    Hi Rajendra,

    Can you elaborate on the steps that you have followed?

    Regards,
    Rakesh