June 12, 2018

Suomi.fi e-identification using Auth0

As it states on the Suomi.fi e-Identification service page, “Suomi.fi e-Identification enables the citizens of Finland and the European Union to be recognized in a safe way by using various identification media such as bank-id and mobile certificates.”

Do note that the e-identification service is not for private sector use, so it’s only for governmental authorities, agencies and institutions, courts of law and other judicial bodies.

How do you configure suomi.fi e-identification for Auth0 and test it against their test environment? Let’s see.

  1. Register for an Auth0 tenant (https://auth0.com); the trial will work just fine for this test scenario.
  2. Add suomi.fi as a SAMLP Identity Provider at Connections –> Enterprise –> SAMLP Identity Provider.
  3. Type in a Connection name. It can be anything, but I suggest keeping it short and free of special characters. I call it suomi-fi-test.
  4. For Sign In URL, type in the HTTP-POST sign-in endpoint of the suomi.fi test environment:
  5. For X509 Signing Certificate, upload the suomi.fi public key (suomi.fi is the IdP in this case): suomi.fi signs its outgoing SAML messages with its private key, and here you define the corresponding public key that Auth0 uses to verify those message signatures.

    You can get the certificate from the suomi.fi metadata URL at https://testi.apro.tunnistus.fi/static/metadata/idp-metadata.xml. Paste the X509Certificate string into a suomifitest.txt file, rename it to suomifitest.cer, and upload it to Auth0.

  6. For Sign Out URL, add the Single Logout URL of suomi.fi:
  7. With User Id Attribute you decide which attribute returned by suomi.fi is used as the user identifier in Auth0. I’m using urn:oid:, which is the National Identification Number of the user. You can find the other fields at https://esuomi.fi/palveluntarjoajille/tunnistus/tekninen-aineisto/tunnistetusta-kayttajasta-valitettavat-attribuutit/.
  8. Enable Sign Request and download the certificate; you will need it later.
  9. Sign Request Algorithm: set to RSA-SHA256.
  10. Sign Request Digest Algorithm: set to SHA256.
  11. Protocol Binding: set to HTTP-POST.
  12. Request Template: you can leave it as-is.
  13. On the Mappings tab (at the top), I map the user name details so the user list in Auth0 is more convenient to manage:
       "name": "urn:oid:2.16.840.1.113730.3.1.241",
       "given_name": "urn:oid:",
       "family_name": "urn:oid:"
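
As an added example (not code from the original post), the following Python script reads the values that steps 4 to 6 ask for out of an IdP metadata document: the HTTP-POST sign-in URL, the sign-out URL, and the signing certificate written out as the PEM .cer file to upload. The metadata embedded in it is a constructed stand-in with placeholder entityID, URLs and certificate bytes, not the real Suomi.fi test metadata.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for an idp-metadata.xml document. The entityID, URLs and
# certificate bytes are placeholders, not the real Suomi.fi test environment values.
FAKE_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QUJD</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate> {FAKE_CERT_B64} </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}" Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def endpoint(idp, tag, binding):
    # Location of the first <md:{tag}> element that uses the requested binding.
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    return None


def signing_cert_pem(idp):
    # PEM for the IdP signing certificate (the file uploaded as X509 Signing Certificate).
    # A KeyDescriptor with no 'use' serves both purposes; one marked use="encryption"
    # must never be used to verify signatures, so it is skipped.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            b64 = "".join(kd.findtext(".//ds:X509Certificate", "", NS).split())
            base64.b64decode(b64, validate=True)  # fail early on a garbled paste
            body = "\n".join(textwrap.wrap(b64, 64))
            return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    raise ValueError("IDPSSODescriptor has no signing KeyDescriptor")


def auth0_settings(metadata_xml):
    # Values for the Auth0 SAMLP form: Sign In URL (step 4), certificate (step 5), Sign Out URL (step 6).
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    return {
        "sign_in_url": endpoint(idp, "SingleSignOnService", POST),
        "sign_out_url": endpoint(idp, "SingleLogoutService", POST),
        "x509_pem": signing_cert_pem(idp),
    }
```

To use it against the real file, pass the contents of the downloaded idp-metadata.xml to auth0_settings() and write the x509_pem value to suomifitest.cer.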

That was easy, right? The final step is to contact suomi.fi and do some paperwork; the most important part from a technical perspective is to send them a description of your service, i.e., the SAML metadata.

For that you will need to decide which authentication methods you want to support (bank, mobile, etc.) and which user details you would like to get back from suomi.fi after authentication (e.g., the National Id of the user, name, address). You will also need to include the public Auth0 signing certificate you downloaded earlier in step 8.

EntityID, SingleLogoutService, AssertionConsumerService and other details you can get from the Auth0 Setup Instructions page by clicking on the pen button after creating the Enterprise Connection.

NOTE! Before sending the metadata to suomi.fi, you should validate it at https://www.samltool.com/validate_xml.php by pasting the metadata into the XML field and selecting Metadata for XSD.

After that you’re all set and can test the authentication by pressing the PLAY button next to the Enterprise Connection; you should land on the authentication method selection screen and eventually end up back in Auth0.

April 26, 2018

SharePoint: Setting person field default values in “Column default value settings”

SharePoint doesn’t allow setting person field default values in “Column default value settings” of a list; in fact, it doesn’t even show person-type fields on the “Column default value settings” screen.

Using the browser you cannot do it, but modifying /yourlist/forms/client_LocationBasedDefaults.html using SharePoint Designer or programmatically makes it possible. Just put in the full user identity claim; the sample below is from SharePoint Online.

<DefaultValue FieldName="MyPersonFieldName">i:0#.f|membership|firstname.lastname@mydomain.onmicrosoft.com</DefaultValue>

SharePoint: Multiple default values using “Column default value settings”

SharePoint doesn’t allow selecting multiple default values in “Column default value settings” of a list, even though the column in question is a choice column that allows multiple selections.

Using the browser you cannot do it, but modifying /yourlist/forms/client_LocationBasedDefaults.html using SharePoint Designer or programmatically makes it possible. Just use the format ;#CHOICE1;#CHOICE2;#, e.g.,

<DefaultValue FieldName="MyMultiChoiceFieldName">;#Valintatalo;#Citymarket;#</DefaultValue>

SharePoint: Setting list field default and calculated values using PnP JS

How do you set list field default and calculated values using PnP JavaScript?

For default values:

list.fields.getByTitle("ProjectName").update({ DefaultValue: "some default value"});

For calculated values:

list.fields.getByTitle("ProjectName").update({ DefaultValue: "=\";#choice a;#choice b;#\""});

For calculated values it looks a bit nasty in SharePoint Online modern libraries, but filtering seems to work, as does modifying the choice selection. It looks and works nicely on the classic side, although the default value selection remains on the Choice radio button.


April 23, 2018

SharePoint: Yet another reason for ‘The issuer of the token is not a trusted issuer’

I was creating a custom STS, and no matter what I did, I always got the very common ‘The issuer of the token is not a trusted issuer’ error after successfully authenticating and being redirected back to SharePoint.

Full error:

Application error when access /sites/somesite/_layouts/15/Authenticate.aspx, Error=The issuer of the token is not a trusted issuer. 
  at Microsoft.SharePoint.IdentityModel.SPLocalIssuerNameRegistry.GetIssuerName(SecurityToken securityToken, String requestedIssuerName)   
  at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)   
  at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)   
  at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)   
  at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)   
  at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)   
  at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)   
  at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)   
  at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()   
  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


One of the many solutions to this generic error is to redirect users to the correct address in SharePoint after authentication. In my code, scope.ReplyToAddress ended up being something like


which was obviously wrong, as replies need to go to /_trust/, so instead using


as the reply address fixed the issue.

And, since we’re talking about SharePoint, it doesn’t automatically include the wreply parameter in the authentication flow, so enable that in your Trusted Identity Token Issuer properties like this:

$ap = Get-SPTrustedIdentityTokenIssuer -Identity "STS-Dev"
$ap.UseWReplyParameter = $true; $ap.Update()  # wreply is off by default; Update() persists the change

So finally, in your custom STS GetScope method, you can just do:

scope.ReplyToAddress = request.ReplyTo;

March 22, 2018

Adding a divider when programmatically creating Office UI Fabric IContextualMenuItem[]

When declaratively creating context menu items, you can add a divider using

  <li class="ms-ContextualMenu-item ms-ContextualMenu-item--divider"></li>

How do you add one when programmatically creating an array of IContextualMenuItems?

Use itemType: ContextualMenuItemType.Divider, like this:

const items: IContextualMenuItem[] = [];
items.push( {
    key: "divider1",
    itemType: ContextualMenuItemType.Divider
} );

February 14, 2018

Azure B2C: Cannot delete directory due to ProxyIdentityExperienceFramework

I wanted to delete my testing Azure B2C directory and followed the steps to remove it described here and here. However, attempting to delete the directory indicated that some app registrations were preventing the deletion.

Clicking on the Required Action, I could see that the native ProxyIdentityExperienceFramework app still existed. When I went ahead to delete it, I found that the Delete button was disabled.

This app was created as part of configuring Azure B2C to use custom policies, as described here. The app wasn’t a “converged app”, so it wasn’t visible in the Microsoft Application Console for deletion, as some suggested. I had also emptied the application of any Redirect URIs, Owners and Required permissions. Still the Delete button remained disabled.

What finally allowed me to delete it was changing the app manifest:

  1. Go to Azure B2C tenant
  2. Click Azure Active Directory on left menu
  3. Click App registrations
  4. Select All apps from filter drop-down
  5. Select the ProxyIdentityExperienceFramework app
  6. Select Manifest
  7. Change availableToOtherTenants to false
  8. Click Save
  9. Click Delete to delete the app