-
Notifications
You must be signed in to change notification settings - Fork 51
Using Azure B2C for multiple Domain based users #149
Comments
@LukeDuffy98 So the issue is the Learn LTI application is using the AAD to validate the user. From what I understand the students are in a different AAD? If this is the case you will need to assign all the users permissions to the app https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal |
Thanks Lee I think the issue here is also connected to this one: It appears that all users must exist as a regular or guest in my AAD to use the tool. |
@LukeDuffy98 what extension are you using for moodle? I would recommend the OpenID Connect extension to allow AAD user to auth to Moodle |
Hi Lee That's the plugin I am using. For good measure I just reinstalled it. For my own sanity s it true that all users must exist as a regular or guest in my AAD to use the tool ?? I'm not sure if I am trying to make something happen that just wont work. Thanks again |
@LukeDuffy98 so typically if you have two AAD which aren't related but want to auth users on a single app you would use Azure B2C on the App https://azure.microsoft.com/services/active-directory/external-identities/b2c/#overview you would then simply point your App Auth to use the B2C connector.. Is this what your doing? A Diag would help explain what your trying to do. |
@LukeDuffy98 see https://moodle.org/mod/forum/discuss.php?d=388317 you will need to install the Learn LTI Application into the Azure B2C so that the app can give access to the users of each AAD.. At present it looks like you have the app installed within only one tenant so users in the other tenant do not have access to the app. |
Hi Lee I don't know what I am missing to make B2C work with LTI. Thanks |
@LukeDuffy98 So which Dir is the App and App Service principal installed in? You need to register the Learn LTI in your B2C see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga |
Hi Lee I have tried for a few days now to see if I can make it work, but still no joy. The app and the app service principals are in the same directory. At a high level the steps are :
At this point any users in the B2C tenant can use the LTI tool no problem. Anyone outside still gets the error "Selected user account does not exist in tenant" I would really love some help to solve this. Thanks again |
@LukeDuffy98 the Stackoverflow explains the issues with app registrations and domains https://stackoverflow.com/questions/64365648/aadsts50020-user-account-does-not-exist-in-tenant |
@LukeDuffy98 In this guidance, we'll look specifically at using Azure AD for identity management. If you have on-premises Active Directory you can use Azure AD Connect to sync your on-premises Active Directory with Azure AD. If your on-premises Active Directory cannot use Azure AD Connect (due to corporate IT policy or other reasons), the SaaS provider can federate with the customer's directory through Active Directory Federation Services (AD FS). see https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant |
@LukeDuffy98
In this case you have to add the user to the tenant that the application is hosted in. You can follow this document https://docs.microsoft.com/en-us/azure/active-directory/b2b/b2b-quickstart-add-guest-users-portal#add-a-new-guest-user-in-azure-ad to add the user [email protected] as a Guest User to the tenant. And then you have to grant access to the application https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups#assign-users for the said user.
You can convert the application to accept users from multiple tenants. see https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant |
OK so you simply need to edit this file Line 11 authority: to authority: see https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant for other details |
@LukeDuffy98 There a few additional changes you will need to make this is a good overview video https://www.youtube.com/watch?v=Jfrp7DI7G0Q |
We have identified a work around which will solve your request on providing access to multiple domains which you own. But we do not recommend you undertake a security review before implementing this solution You will need to fork the repo and make the following changes on your fork end after cloning the repository and then deploy the solution from your forked repo.. Note – These steps are not a workaround for proper Multi-Tenant behavior. It is only a workaround for the above customer issue as the mentioned this in the comments - we use an entirely different azure tenet/account for our servers than from what we use to manage users. Steps: |
Hi @LukeDuffy98 , Would you be interested in testing out a change to the LTI that would support multi-tenant sign-on using Azure Business to Consumer? I'm part of a UCL team that has been working with Lee at Microsoft to support multi-tenancy. We are finalizing a forked repo and expect to have it ready for testing within 1.5 - 2 weeks (early August). We have done all our testing using Moodle which we have confirmed supports B2C authentication already. You will need We are scripting as much of the setup and configuration as we can. So we expect the total work on your end to be about than 3 -7 hours, obviously changing based on how much testing you do. If you are interested, I will reach back out on Github here when our changes are ready. We will have documentation ready and a form for you to fill out feedback on. We can also correspond on this issue thread if you have any issues, questions, or concerns. Best, Warren and the UCL Team |
Hi Warren
Yes I would love to help out.
|
Hi @LukeDuffy98 , Our change to the LTI to support Azure Business to Consumer is ready for others to test. It is working for us, so we'd love for you to check it as well and give us any feedback you have! If you have time in the next couple weeks to deploy and give us feedback, we should have time to make changes before our program ends. We have extensive readmes and documentation to support the workflow but at a high level:
You can put any feedback you have for us here, or if you'd prefer a online form we can create one!. We've also created a forked branch of a Moodle plugin to support B2C authentication with our custom policies that you can use to enable B2C authentication into Moodle. If you run into any trouble, please reach out to us and we can troubleshoot asynchronously or hop on a call! Best, Warren Ps our version currently makes the keyvaults without soft deletion or purge protection for easier deletion during testing. If you decided to move forward with this branch, we will be turning those protections back on later. |
Hi
I have had a go at setting it up today and have hot a roadblock. When users sign in, they get to the redirect url /auth/azureb2c/ but it has the following error:
I have checked my config multiple times, and am stuck and looking for any direction for troubleshooting.
|
Hi @LukeDuffy98 , If you'd like, we could jump on a Teams or Zoom call to take a look together. That might be the fastest option for resolving this. We are free the next hour, or could meet Tuesday Morning UK time or anytime Wednesday. Happy to set one up if that works for you! I can't actually see any error message in your github post. Not sure if pasting the error message failed, or if it just isn't rendering properly Best, Warren |
@LukeDuffy98 , if you also could upload the log and transcript file from your deployment we could take a look at that ahead of time. |
Thanks for your help @warrenbuhler A couple of errors appear. I have attached the log and transcript: Issue 1B2C STEP 1: Create AD applicationPlease login to your AD tenant for this subscription via the pop-up window that has launched in your browser During handling of the above exception, another exception occurred: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last): Issue 2 - Examples from AI knowledge base: az account list az account show https://docs.microsoft.com/en-US/cli/azure/account#az_account_set ============================================================= Issue 3STEP #12 - Installing the clientnpm WARN deprecated [email protected]: Please update to latest patch version to fix memory leak isaacs/node-lru-cache#227 Issue 4
Correlation ID: a2b84abf-03e4-4b80-b81f-1fcd3d36d62c
Transcript-09-08-2022-08-49-53.log |
Hey @LukeDuffy98 , We've taken a look and have some thoughts / suggestions. In short Issue 1: Our working deploy looks like this on the AD tenant - app registration "b2c_AD_app" - API permissions blade Can you check whether the status shows "Granted" Issue 2: Issue 3: Issue 4: It looks like you used: "user":{"name":"[email protected]","type":"user"} And you whitelisted: If the user is from a whitelisted tenant, then we will need to do more digging wih you. We will look into ways to make the error thrown more obvious. Best, Warren |
Thanks Warren. I ended up having to reset the AllowedUsers config setting to allow access to the platform settings. So all good now in accessing that. Now I'm back to the same place as the other night, when i attempt to login. I end up back at the redirect page https://xxx.com/auth/azureb2c/ with the following information (this is what didnt appear in the original email screenshot): Error in Azure AD B2C Connect. Please check logs for more information. More information about this error Debug info: |
Hey @LukeDuffy98 Just clarifying:
If so, would it be possible if you could send me the values you configured on the platform page/ moodle setup (here and here), Am currently looking into the issue in the codebase but would also be worth just verifying the values used in the setup of the environment. |
Hi Daniel Just sent you an email |
Thanks to @LukeDuffy98 for working with @warrenbuhler on the test AAD + B2C connectivity enhancement the team at University College London have this fork for testing https://github.com/UCL-MSc-Learn-LTI/Learn-LTI |
Confirmed the AAD + B2C features work by @LukeDuffy98 |
Hi
I am having issues trying to progress learner into the lti assignment. I have set up the course and added modules from MS learn without issue.
As a learner when i go to complete the work by clicking in the link
I then receive the following error
The user is signed in via Azure AD B2C Connect. The user is in a different tenant than our moodle.
If I use oidc OpenID Connect I receive an error
AADSTS50020
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account '[email protected]' from identity provider 'https://sts.windows.net/00000-8edb-4464-8adc-4611b76ffab1/' does not exist in tenant 'xxx' and cannot access the application 'xxxx-4ed0-4534-b51d-8850917a2dc2'(AAD Moodle) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The App registration is set up as multitenant
Short of adding every user as a guest account I dont know how to get past this issue.
Thanks
The text was updated successfully, but these errors were encountered: