August 2, 2018

Cannot delete Azure Active Directory due to existing Enterprise Applications

Problem

After deleting all required objects from Azure AD so that you could delete the directory itself, the “Delete directory” validator still says “Delete all enterprise applications”, because custom Enterprise Applications are preventing directory deletion.


Solution

Usually the reason is the Microsoft Visual Studio Team Services Enterprise application. You can go to its Properties and flip “Enable for users to sign-in” to No, and that helps in some cases.


However, sometimes that is not enough, and you need to delete all Enterprise Applications via PowerShell (even though many of them are internal Azure apps).

The commands for logging in and deleting are:

Connect-AzureAD -TenantId <TENANT_ID>
# repeat the following line for EACH Enterprise Application; some will throw an error, but ignore it
Remove-AzureADServicePrincipal -ObjectId <OBJECT_ID_OF_ENT_APP>

Then log out from the Azure portal in your web browser, log back in, and you should be able to delete the Azure AD from the browser.

Do note that Get-AzureADServicePrincipal | Remove-AzureADServicePrincipal didn’t work for some reason, and I needed to do the removal one by one.
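The one-by-one removal as a loop, added here as an example that is not from the original post: it lists every service principal first, then removes them individually and logs failures instead of stopping (the tenant id is a placeholder, and the AzureAD module is assumed to be installed).

```powershell
# Added example: enumerate and remove enterprise applications one at a time.
Connect-AzureAD -TenantId "<TENANT_ID>"   # placeholder, replace with your tenant id

# -All $true avoids the default page size so nothing is silently skipped
$sps = Get-AzureADServicePrincipal -All $true

# Review what is about to go before touching anything
$sps | Select-Object DisplayName, ObjectId, AppId | Format-Table -AutoSize

foreach ($sp in $sps) {
    try {
        # -ErrorAction Stop turns the non-terminating error into a catchable one
        Remove-AzureADServicePrincipal -ObjectId $sp.ObjectId -ErrorAction Stop
        Write-Host "Removed $($sp.DisplayName) ($($sp.ObjectId))"
    } catch {
        # Internal Microsoft apps typically fail here; record it and move on
        Write-Warning "Could not remove $($sp.DisplayName): $($_.Exception.Message)"
    }
}

# Anything still listed afterwards is what the directory validator will complain about
Get-AzureADServicePrincipal -All $true | Select-Object DisplayName, ObjectId
```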

June 12, 2018

Suomi.fi e-identification using Auth0

As it states on the Suomi.fi e-Identification service page, “Suomi.fi e-Identification enables the citizens of Finland and the European Union to be recognized in a safe way by using various identification media such as bank-id and mobile certificates.”

Do note that the e-identification service is not for private sector use; it is only for governmental authorities, agencies and institutions, courts of law and other judicial bodies.

How do you configure suomi.fi e-identification for Auth0 and test it against their test environment? Let’s see.

  1. Register for an Auth0 tenant (https://auth0.com); a Trial will work just fine for this test scenario
  2. Add suomi.fi as SAMLP Identity Provider at Connections –> Enterprise –>SAMLP Identity Provider

  3. Type in a Connection name. It can be anything, but I suggest keeping it short and without special characters. I call it suomi-fi-test
  4. For Sign In URL, type in the POST signin URL endpoint of suomi.fi test environment:
    https://testi.apro.tunnistus.fi/idp/profile/SAML2/POST/SSO
  5. For X509 Signing Certificate, upload the suomi.fi (the IdP in this case) public certificate: suomi.fi signs its outgoing messages with its private key, and here you provide the corresponding public key so Auth0 can verify the message signature.

    You can get the certificate from the suomi.fi metadata URL at https://testi.apro.tunnistus.fi/static/metadata/idp-metadata.xml. Paste the X509Certificate string into a suomifitest.txt file, rename it to suomifitest.cer, and upload it to Auth0.

  6. Sign Out URL, add the Single Log Out URL of suomi.fi:
    https://testi.apro.tunnistus.fi/idp/profile/SAML2/POST/SLO
  7. For User Id Attribute you decide which of the user data returned by suomi.fi is treated as the user identifier in Auth0; I’m using urn:oid:1.2.246.21, which is the National Identification Number of the user. You can find the other fields at https://esuomi.fi/palveluntarjoajille/tunnistus/tekninen-aineisto/tunnistetusta-kayttajasta-valitettavat-attribuutit/.
  8. Enable Sign Request and download the certificate; you will use it later.
  9. Sign Request Algorithm, set to RSA-SHA256.
  10. Sign Request Digest Algorithm, set to SHA256.
  11. Protocol Binding, set to HTTP-POST.
  12. Request Template you can leave as-is.
  13. On the Mappings tab (at the top), I map user name details so user list in Auth0 is more convenient to manage:
    {
       "name": "urn:oid:2.16.840.1.113730.3.1.241",
       "given_name": "urn:oid:2.5.4.42",
       "family_name": "urn:oid:2.5.4.4"
    }
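Step 5 can be scripted instead of cut-and-pasted. The following is an added example, not part of the original post: it downloads the IdP metadata, picks the signing KeyDescriptor, checks the certificate’s subject and expiry, and writes a PEM-armoured suomifitest.cer for upload to Auth0. It assumes the metadata contains a standard IDPSSODescriptor with ds:X509Certificate elements.

```powershell
# Added example: extract the suomi.fi IdP signing certificate from SAML metadata.
$metadataUrl = "https://testi.apro.tunnistus.fi/static/metadata/idp-metadata.xml"
$outFile     = "suomifitest.cer"

[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# SAML metadata is namespaced; register the prefixes used in the XPath below
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# An IdP may publish separate signing and encryption keys; only the signing
# one (use="signing", or no use attribute meaning both) verifies responses.
$keys = $md.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']", $ns)
if ($keys.Count -eq 0) { throw "No signing KeyDescriptor found in metadata" }

$certNode = $keys[0].SelectSingleNode("ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
$b64 = $certNode.InnerText -replace '\s', ''

# Parse it before writing, so a truncated paste or an expired cert is caught now
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    [Convert]::FromBase64String($b64))
"Subject   : $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"NotAfter  : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Signing certificate has expired" }

# Wrap the base64 in PEM armour at 64 characters per line
$lines = $b64 -split '(.{64})' | Where-Object { $_ }
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
Set-Content -Path $outFile -Value $pem -NoNewline
```

Compare the printed thumbprint with the one suomi.fi publishes before uploading; if a second KeyDescriptor exists (key rollover), Auth0 must be updated when the IdP switches keys.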

That was easy, right? The final step is to contact suomi.fi and do some paperwork; most importantly from a technical perspective, you send them a description of your service, i.e., the SAML Metadata.

For that you will need to decide which authentication methods you want to support (bank, mobile, etc.) and which user details you would like to get back from suomi.fi after authentication (e.g., National Id of the user, name, address). You will also need to include the public Auth0 signing certificate you downloaded earlier in step 8.

EntityID, SingleLogoutService, AssertionConsumerService, and the other details you can get from the Auth0 Setup Instructions page by clicking on the Pen button after creating the Enterprise Connection.


NOTE! Before sending the metadata to suomi.fi, you should validate it at https://www.samltool.com/validate_xml.php by pasting the metadata into the XML field and selecting Metadata as the XSD.


After that you’re all set and can test the authentication by pressing the PLAY button next to the Enterprise Connection; you should find yourself on the authentication method selection screen, and eventually back in Auth0.

April 26, 2018

SharePoint: Setting person field default values in “Column default value settings”

Problem

SharePoint doesn’t allow setting person field default values in the “Column default value settings” of a list; in fact, it doesn’t even show person type fields on the “Column default value settings” screen.

Solution

Using the browser you cannot do it, but modifying /yourlist/forms/client_LocationBasedDefaults.html with SharePoint Designer or programmatically makes it possible. Just put in the full user identity claim; the sample below is from SharePoint Online.

<DefaultValue FieldName="MyPersonFieldName">i:0#.f|membership|firstname.lastname@mydomain.onmicrosoft.com</DefaultValue>

SharePoint: Multiple default values using “Column default value settings”

Problem

SharePoint doesn’t allow selecting multiple default values in the “Column default value settings” of a list, even when the column in question is a choice column that allows multiselect.

Solution

Using the browser you cannot do it, but modifying /yourlist/forms/client_LocationBasedDefaults.html with SharePoint Designer or programmatically makes it possible. Just use the format ;#CHOICE1;#CHOICE2;#, e.g.,

<DefaultValue FieldName="MyMultiChoiceFieldName">;#Valintatalo;#Citymarket;#</DefaultValue>

SharePoint: Setting list field default and calculated values using PnP JS

Question

How do you set list field default and calculated values using PnP JavaScript?

Solution

For default values:

list.fields.getByTitle("ProjectName").update({ DefaultValue: "some default value"});

For calculated values:

list.fields.getByTitle("ProjectName").update({ DefaultValue: "=\";#choice a;#choice b;#\""});

For calculated values it looks a bit nasty in SharePoint Online modern libraries, but filtering works, as does modifying the choice selection. It looks and works nicely on the classic side, although the default value selection stays on the Choice radio button.

[Screenshots: Classic and Modern views of the field]

April 23, 2018

SharePoint: Yet another reason for ‘The issuer of the token is not a trusted issuer’

Problem

I was creating a custom STS, and no matter what I did, I always got the very common ‘The issuer of the token is not a trusted issuer’ error after successfully authenticating and getting redirected back to SharePoint.

Full error:

Application error when access /sites/somesite/_layouts/15/Authenticate.aspx, Error=The issuer of the token is not a trusted issuer. 
  at Microsoft.SharePoint.IdentityModel.SPLocalIssuerNameRegistry.GetIssuerName(SecurityToken securityToken, String requestedIssuerName)   
  at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)   
  at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)   
  at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)   
  at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)   
  at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)   
  at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)   
  at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)   
  at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()   
  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Solution

One of the many solutions to this generic error was to redirect users to the correct address in SharePoint after authentication. In my code, scope.ReplyToAddress ended up being something like

/sites/somesite/_layouts/15/Authenticate.aspx?Source=/sites/somesite.

which was obviously wrong, as replies need to go to /_trust/, so using

/_trust/default.aspx

as the reply address fixed the issue.

And, since we’re talking about SharePoint, it doesn’t automatically include the wreply parameter in the authentication flow, so enable it in your Trusted Identity Token Issuer properties like this:

$ap = Get-SPTrustedIdentityTokenIssuer -Identity "STS-Dev"
$ap.UseWReplyParameter=$true
$ap.Update()

So finally, in your custom STS GetScope method, you can just do:

scope.ReplyToAddress = request.ReplyTo;

March 22, 2018

Adding divider when programmatically creating Office UI Fabric IContextualMenuItem[]

Question

When declaratively creating context menu items, you can add a divider using

  <li class="ms-ContextualMenu-item ms-ContextualMenu-item--divider"></li>

How do you add one when programmatically creating an array of IContextualMenuItems?

Solution

Use itemType: ContextualMenuItemType.Divider, like this:

const items: IContextualMenuItem[] = [];
items.push( {
    key: "divider1",
    itemType: ContextualMenuItemType.Divider
} );