Solved

AD B2C integration in FreshWorks SSO with OIDC - Login error

  • 29 January 2021
  • 11 replies
  • 799 views

I am integrating AD B2C as Identity provider for the FreshWorks by configuring SSO with OIDC in the Freshworks.

Configuration done in the Azure AD B2C:

  1. Registered an application in the AD B2C Tenant

    a. Get the redirect URL from Freshworks SSO with OIDC and added in the Redirect URI in the registered application

    b. Id Tokens and Access Tokens check box is selected.

    c. Enabled the public client.

    d. Generate the client secret for the application

  2. Added Microsoft as external IdP in the AD B2C tenant. Only one external IdP is enabled, local account is not enabled.

  3. Created a SignupSign User flow

  4. Tested the User flow, able to signup and sign-in using Microsoft Account (personal account). JWT token is generated with the claims sub, email, name.

Configuration done in the SSO with OIDC:

  1. Get the ClientId and Client Secret of the Application registered in the AD B2C tenant and added in the SSO with OIDC configuration dialog
  2. Navigate to AD B2C signup sign-in user flow OIDC configuration url and get the authorization_endpoint and token_endpoint, added those two in the SSO with OIDC configuration dialog
  3. set the scopes as openid,email,profile

After doing all the above configurations, a new button is added in the freshworks login page. I have clicked that button, it navigates to the microsoft login page, after providing credentials and accepted the consent, it shows a form with profile information. On clicking the continue button an account is created in the AD and redirected to the Freshwork page. It shows the below error in the freshworks login page.

The authorization code request is working, AD B2C post the authorization code to the freshwork redirect url. I hope the issue is with the get access token endpoint URL. I have tried the Get access token endpoint from the postman using the authorization code received from the first request, it gives the access token.

 

Please let me if there is any issue in the configuration. If you need additional details, please let me know. Help me to resolve this issue.

Best answer by hemanth.ramya 8 April 2021, 14:13

Hi @saravana,

 

Apologies for the delay in getting back here. We can see that your query on the Single Sign-on feature has been addressed by our support team via a ticket. Please feel free to write to support@freshdesk.com for any further queries in the future and we would be happy to help! :) 

 

Could you please let us know if you have any issues with configuring Single sign-on for your Freshdesk account @geebranz?

 

Cheers,

Freshdesk Community Team 

@saravana @hemanth.ramya 

I am facing the exact same error integrating Freshworks SSO with Azure B2C.

What is the fix here?

Add the Application Client id (Application registered in the B2C AD tenant) in the Scope field in Freshdesk OAuth configuration.

Thanks @saravana

The fix worked. This seriously needs to be documented somewhere.

Thanks for sharing your insights, @saravana

 

Glad to know that the issue is fixed, @sahilshah50. Sure, we have noted your feedback at our end. Feel free to drop a note here or write to support@freshdesk.com for any further queries and we would be happy to help!

 

Cheers,

Freshdesk Community Team  

The Postman screenshot mentioned is showing the ID token, and your Freshworks application expects an access token. Could you please validate the user flow with access token settings and also use the Postman tool to get the access token. Please follow the below document for more requests.

https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect/Website

Please share fiddler trace to investigate more

I am having similar issues, Freshworks support are sending me round in circles…
 

I understood the fix to be add the App ID (GUID ?!) to the scopes field as an extra scope to request?

 

Any help appreciated.

 

I get this error after successful login:

Invalid token or user info response: could not extract identity from token

After much investigation I found out the following, I could not get OIDC to work but got OAuth2 to work.

Azure B2C does not have a user info endpoint.

The Freshdesk app expects a user info endpoint and to get the following values as a minimum:

  • sub
  • email

Returned as a JSON string.

I used the starter pack here:

https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/main/SocialAndLocalAccounts

Then followed this guide to add the userinfo endpoint to it:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/userinfo-endpoint?pivots=b2c-custom-policy

However, you need to adjust the returned values as the example uses a param that Freshdesk does not expect, the example returns ‘signInNames.emailAddress’ instead of ‘email’.

In the policy you need to adjust the input to change the output (really confused me that part).

The example claims provided are shown as this;

<InputClaims>
  <InputClaim ClaimTypeReferenceId="objectId"/>
  <InputClaim ClaimTypeReferenceId="givenName"/>
  <InputClaim ClaimTypeReferenceId="surname"/>
  <InputClaim ClaimTypeReferenceId="displayName"/>
  <InputClaim ClaimTypeReferenceId="signInNames.emailAddress"/>
</InputClaims>

Ensure you change them to this:

<InputClaims>
  <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
  <InputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
  <InputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
  <InputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
  <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
</InputClaims>

This then returns the following response from the newly created userinfo endpoint:

{
  "sub": "12a2d167-53f1-416d-93df-cdf813392bf3",
  "given_name": "First",
  "family_name": "Last",
  "name": "First Last",
  "email": "first.last@example.com"
}

The application now can take that information and create the contact in Freshdesk and then let them login.
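As an added example (not code from this thread, from Freshworks or from Microsoft), the following Python script encodes the two checks this answer turns on: whether a B2C discovery document advertises a userinfo_endpoint at all, and whether a userinfo body carries the sub and email claims Freshdesk needs, before and after the PartnerClaimType renaming shown above. The discovery document and userinfo body are constructed sample data, not captured from a real tenant.

```python
import json

# Claim renaming taken from the corrected <InputClaims> block above:
# B2C ClaimTypeReferenceId -> OIDC PartnerClaimType
B2C_TO_OIDC = {
    "objectId": "sub",
    "givenName": "given_name",
    "surname": "family_name",
    "displayName": "name",
    "signInNames.emailAddress": "email",
}
# Minimum claims the thread says the Freshdesk app needs from userinfo
REQUIRED_CLAIMS = ("sub", "email")


def discovery_problems(doc):
    """List endpoints missing from an openid-configuration document.
    A B2C user flow publishes no userinfo_endpoint, which is the root
    cause identified in this answer."""
    needed = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")
    return [f"missing {k}" for k in needed if not doc.get(k)]


def map_b2c_claims(raw):
    """Rename raw B2C claim names the way PartnerClaimType does."""
    return {B2C_TO_OIDC.get(k, k): v for k, v in raw.items()}


def missing_identity_claims(userinfo):
    """Claims a Freshdesk-style client cannot find in a userinfo body."""
    return [c for c in REQUIRED_CLAIMS if not userinfo.get(c)]


# Constructed sample data (placeholders, not a real tenant or user).
USER_FLOW_DISCOVERY = {
    "issuer": "https://YOURTENANT.b2clogin.com/<tenant-id>/v2.0/",
    "authorization_endpoint": "https://YOURTENANT.b2clogin.com/.../authorize",
    "token_endpoint": "https://YOURTENANT.b2clogin.com/.../token",
}
RAW_POLICY_USERINFO = json.loads("""{
  "objectId": "00000000-0000-0000-0000-000000000000",
  "givenName": "First", "surname": "Last", "displayName": "First Last",
  "signInNames.emailAddress": "first.last@example.com"}""")

if __name__ == "__main__":
    print(discovery_problems(USER_FLOW_DISCOVERY))       # ['missing userinfo_endpoint']
    print(missing_identity_claims(RAW_POLICY_USERINFO))  # ['sub', 'email']
    print(missing_identity_claims(map_b2c_claims(RAW_POLICY_USERINFO)))  # []
```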

For completeness the following Freshdesk OAuth settings were used, ensure you provide the GUID of the application ID from the B2C tenant in the scope.

 

You can get the auth, token and user info endpoint URLs for your custom policy from the URL of:

 

https://YOURTENANT.b2clogin.com/YOURTENANT.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1A_SIGNUP_SIGNIN

It seems like the issue you're encountering might be related to the configuration of the access token endpoint URL in the SSO with OIDC settings. Here are a few steps you can take to troubleshoot:

  1. Double-check that the access token endpoint URL obtained from the AD B2C signup sign-in user flow OIDC configuration matches the one configured in the SSO with OIDC settings in Freshworks.

  2. Ensure that the scopes configured in Freshworks match the ones defined in the AD B2C signup sign-in user flow OIDC configuration (openid, email, profile).

  3. Verify that the Client ID and Client Secret configured in Freshworks match the ones obtained from the application registered in the AD B2C tenant.

  4. Test the access token endpoint URL using tools like Postman to ensure it returns a valid access token when provided with the authorization code received from the initial request.

  5. Check for any errors or logs in the Freshworks configuration that might provide more insight into the issue.

By following these steps, you should be able to identify and resolve the issue with the access token endpoint URL configuration in Freshworks for SSO with OIDC integration with Azure AD B2C.
