
Error while Single Sign On(SSO) via Azure AD Authentication - AADSTS50059

Error AADSTS50059: No tenant identifying information found in either the request or implied by any provided credentials.


We have two subdomains (sd1.domain.com and sd2.domain.com) registered to two different AAD apps (client id: sd1 and client id: sd2) under the same tenant. We have configured SSO for the Angular apps hosted on both subdomains.

Scenario: When I log in to both subdomains, then log out from one of them (let's say sd1) and try to refresh the page in the other subdomain (sd2), the authentication fails with the error specified above.


Further Understanding

Q1: As we have both AADs under the same tenant, is the cookie generated by one AAD somehow affecting the other AAD? If so, what is being overwritten / invalidated / deleted?

I have read that during SSO's first login an authentication cookie is handed out by the authentication server, and that on every site where SSO works the authentication is done with the help of this cookie, with a corresponding site cookie also being generated. Reference

Q2: What and where is the authentication cookie during the SSO mechanism with Azure AD? I can look at two cookies, one stored in local storage [screenshot: local storage] and another [screenshot: site cookie].


Q3: I get that SSO is used to log in to various apps at the same time and that a single logout would log us out of all apps, but consider that I have Office and DevOps on two different subdomains. It does not mean that if I log out of Office I get logged out of DevOps as well, right?

How can we achieve this using the configuration of two AADs under the same tenant?

Q1: As we have both AADs under the same tenant, is the cookie generated by one AAD somehow affecting the other AAD? If so, what is being overwritten / invalidated / deleted?

When you sign out from the first app, the SSO cookie is removed from AAD. This means the Azure AD session is no longer active.

Q2: What and where is the authentication cookie during the SSO mechanism with Azure AD? I can look at two cookies, one stored in local storage

You need to look at cookies when you are in the Azure AD domain. That's your app's local storage and cookies, not Azure AD's.

Q3: I get that SSO is used to log in to various apps at the same time and that a single logout would log us out of all apps, but consider that I have Office and DevOps on two different subdomains. It does not mean that if I log out of Office I get logged out of DevOps as well, right?

Yeah well, that's how single sign-on works. If you tell Azure AD to sign you out, it'll kill your session, which will affect all apps that depend on that session being active.

How can we achieve this using the configuration of two AADs under the same tenant?

Firstly, you have two apps in your Azure AD tenant, not "two AADs".

To keep your session active in an application even if the AAD session is removed, your app needs to keep its own session and not depend on AAD after authentication. So after authentication, your application back-end could issue a cookie or token and your front-end should then use that with calls to the back-end. If you need to get Azure AD access tokens as the user, you can use refresh tokens to get them from a back-end. But for front-end apps, there is really no way to get access tokens on behalf of a user without an active AAD session. And you can't get tokens "as the app" from a front-end app, since there is no way to authenticate the app.

So it depends. In your scenario, you may be able to keep a session within your app if you want to disconnect it from Azure AD.

But usually SSO is expected to work the way it did. The point is that it is easy to log out from all your services.
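An added illustration of the back-end-owned session the answer describes (example code written for this page, not the answerer's code and not a Microsoft library): after the back-end has validated the Azure AD ID token (that validation step is assumed and not shown), it mints its own HMAC-signed session token bound to the app's client id and expiry, and later checks that token without ever contacting AAD. The key, user claims and client ids sd1/sd2 are constructed values; the scenario function replays the question's flow, showing that sd2's session survives the AAD sign-out triggered from sd1 while a token minted for sd1 is still rejected by sd2.

```python
import base64
import hashlib
import hmac
import json

SESSION_KEY = b"constructed-demo-key"  # assumption: a real back-end loads this from a secret store
SESSION_TTL = 8 * 3600  # app session lifetime (seconds), independent of the AAD session


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(body: str) -> str:
    return _b64(hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).digest())


def issue_app_session(id_token_claims: dict, now: int) -> str:
    """Server-side, after the AAD ID token was validated (signature, issuer, audience,
    expiry): mint the app's own session token; only the claims the app needs are copied."""
    payload = {"sub": id_token_claims["oid"],   # user's AAD object id
               "tid": id_token_claims["tid"],   # tenant the user signed in from
               "aud": id_token_claims["aud"],   # client id of this app (sd1 or sd2)
               "exp": now + SESSION_TTL}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify_app_session(token: str, expected_aud: str, now: int):
    """Validate the app session without contacting AAD. Returns the claims, or
    None when the signature, audience or expiry check fails."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:  # bad base64 or bad JSON (json.JSONDecodeError is a ValueError)
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None
    return claims


def scenario_after_aad_sign_out(now: int) -> dict:
    """The question's flow: both apps minted sessions while the AAD session was active;
    signing out of sd1 then ended the shared AAD session, but sd2's own session remains."""
    user = {"oid": "constructed-user-oid", "tid": "constructed-tenant-id"}
    sd1 = issue_app_session({**user, "aud": "sd1"}, now)
    sd2 = issue_app_session({**user, "aud": "sd2"}, now)
    aad_session_active = False  # the AAD sign-out from sd1 removed the SSO cookie
    return {"aad_session_active": aad_session_active,
            "sd2_accepts_own_session": verify_app_session(sd2, "sd2", now + 60) is not None,
            "sd2_rejects_sd1_session": verify_app_session(sd1, "sd2", now + 60) is None}
```

Note that this keeps the user signed in to the app only; as the answer says, obtaining fresh Azure AD access tokens for that user afterwards still needs a refresh token held by the back-end, not the front-end.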
