Himal Patel

Reputation: 417

Multi-Tenant Azure AD authentication with IdentityServer4

I've configured Identity Server 4 and am using Azure AD authentication. Everything works fine if I use a tenant-specific Authority URL in Identity Server. With that, only a user from that tenant can log in. I would like to allow multiple domains to log in and would like to validate the issuer in the backend.

To support that I need to use the common login endpoint for Azure AD, and after I log in I get the following error when it redirects to the signin-aad endpoint of Identity Server. What configuration should I use so that I can validate the issuer manually?

SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/94b73406-72db-4abb-a142-adfdfdfdfdbc/'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'https://sts.windows.net/{tenantid}/'. Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)

Upvotes: 0

Views: 1411

Answers (1)

Vidmantas Blazevicius

Reputation: 4812

If your domains can grow dynamically at runtime then set ValidateIssuer to false in the TokenValidationParameters. If you have a predetermined set of domains then add them all to ValidIssuers.

Upvotes: 2
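The question asks for validating the issuer manually in the backend, which is the safer middle ground between the two options in the answer: with the `common` authority, Azure AD's metadata only provides the `https://sts.windows.net/{tenantid}/` template seen in the error, and turning `ValidateIssuer` off entirely means a token from any Azure AD tenant is accepted. The following is an added example (not code from the question, the answer, or IdentityServer4 itself) showing how to keep issuer validation on while delegating the decision to a custom `IssuerValidator` that checks the tenant id in the issuer against an allow-list. The tenant ids, client id, and the `"idsrv.external"` sign-in scheme name are assumptions; the `/signin-aad` callback path comes from the question.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AzureAdMultiTenantSetup
{
    // Constructed allow-list of tenant ids (placeholders); populate it from your own
    // configuration or database so it can change without a redeploy.
    private static readonly HashSet<string> AllowedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "00000000-0000-0000-0000-000000000001", // placeholder tenant id
            "00000000-0000-0000-0000-000000000002", // placeholder tenant id
        };

    // Custom issuer validator matching the Microsoft.IdentityModel IssuerValidator delegate:
    // return the issuer to accept it, throw to reject it. Azure AD v1 issuers look like
    // https://sts.windows.net/{tenantid}/ and v2 issuers like
    // https://login.microsoftonline.com/{tenantid}/v2.0, so the tenant id is the first path segment.
    public static string ValidateAzureAdIssuer(
        string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
    {
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps)
        {
            throw new SecurityTokenInvalidIssuerException($"Issuer '{issuer}' is not an https URL.")
            { InvalidIssuer = issuer };
        }

        // Only accept issuers hosted by Azure AD; an allow-listed GUID on a foreign host is still rejected.
        if (uri.Host != "sts.windows.net" && uri.Host != "login.microsoftonline.com")
        {
            throw new SecurityTokenInvalidIssuerException($"Issuer host '{uri.Host}' is not Azure AD.")
            { InvalidIssuer = issuer };
        }

        var segments = uri.AbsolutePath.Trim('/').Split('/');
        var tenantId = segments.Length > 0 ? segments[0] : string.Empty;

        if (!Guid.TryParse(tenantId, out _) || !AllowedTenantIds.Contains(tenantId))
        {
            throw new SecurityTokenInvalidIssuerException($"Tenant '{tenantId}' is not allowed to sign in.")
            { InvalidIssuer = issuer };
        }

        return issuer;
    }

    public static IServiceCollection AddMultiTenantAzureAd(this IServiceCollection services)
    {
        services.AddAuthentication()
            .AddOpenIdConnect("aad", "Azure AD", options =>
            {
                // The common endpoint lets users from any tenant authenticate; the issuer
                // check below is what restricts which tenants are actually accepted.
                options.Authority = "https://login.microsoftonline.com/common";
                options.ClientId = "<your-application-client-id>"; // placeholder
                options.CallbackPath = "/signin-aad";
                options.SignInScheme = "idsrv.external"; // IdentityServer4's external cookie scheme (assumed)

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Keep issuer validation enabled; the delegate replaces ValidIssuer/ValidIssuers.
                    ValidateIssuer = true,
                    IssuerValidator = ValidateAzureAdIssuer,
                    NameClaimType = "name",
                    RoleClaimType = "role",
                };
            });

        return services;
    }
}
```

Because the validator throws `SecurityTokenInvalidIssuerException`, a rejected tenant fails the sign-in with the same exception type as the IDX10205 error in the question, so existing error handling and logging keep working. If the set of tenants really is fixed, the answer's `ValidIssuers` list (one `https://sts.windows.net/{tenantid}/` entry per tenant) does the same job with less code; `ValidateIssuer = false` should be reserved for cases where the application authorizes the tenant somewhere else after authentication.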
