I am trying to set up an SSO sign-in for an ASP.NET MVC 5 application (.NET 4.8) with OpenID Connect. I'm using Azure Active Directory. The application is a brand new project made for testing purposes, and the only change I introduced to the scaffolded code is in Startup.Auth.cs:
// automatically added usings:
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;

// in public void ConfigureAuth(IAppBuilder app) method:
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = "{ClientId of AAD App}",
    ClientSecret = "{Secret generated for the AAD app}",
    CallbackPath = new PathString("/signin-microsoft"),
    MetadataAddress = "https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration",
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = "https://login.microsoftonline.com/{Directory (tenant) ID}/v2.0"
    }
});
If I set ValidateIssuer to false, everything works fine - I manage to sign into the application with my organization email. But as soon as I set it to true, I start getting the following error:
IDX10205: Issuer validation failed. Issuer: '[PII is hidden]'. Did not match: validationParameters.ValidIssuer: '[PII is hidden]' or validationParameters.ValidIssuers: '[PII is hidden]'.
I tried changing the ValidIssuer to all options mentioned in this SO thread, but nothing works. The current ValidIssuer is the URL given in the MetadataAddress above, with the concrete Directory (tenant) ID of the registered app.
As far as the registered AAD app goes, I've set both Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows) to true, and Supported account types to Accounts in any organizational directory (Any Azure AD directory - Multitenant).
Any idea what I'm not getting here?
It was a bad tenant ID after all.
I realized it by setting IdentityModelEventSource.ShowPII to true in Startup.Auth.cs, as seen in this answer: https://stackoverflow.com/a/55027625/2975357
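An added example (not code from the question or the answer above) showing how to keep ValidateIssuer on with the multi-tenant "organizations" metadata endpoint: the issuer is per tenant, so a single ValidIssuer can only ever match one directory, and the safe alternative to setting ValidateIssuer = false is to check the tenant ID in the issuer against an explicit allowlist. The tenant IDs and app credentials are placeholders; ShowPII is enabled here only so the real issuer strings appear in the IDX10205 message while debugging.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholder allowlist: the directory (tenant) IDs this app accepts sign-ins from.
    private static readonly HashSet<string> AllowedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "{Directory (tenant) ID of your home tenant}",
            "{Directory (tenant) ID of a partner tenant}"
        };

    public void ConfigureAuth(IAppBuilder app)
    {
        // Development only: unhides issuer values in IDX10205 so a wrong tenant ID is obvious.
        IdentityModelEventSource.ShowPII = true;

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "{ClientId of AAD App}",
            ClientSecret = "{Secret generated for the AAD app}",
            CallbackPath = new PathString("/signin-microsoft"),
            MetadataAddress = "https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration",
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                // Replaces the default ValidIssuer comparison with the tenant allowlist check below.
                IssuerValidator = ValidateIssuerAgainstAllowedTenants
            }
        });
    }

    // Accepts only issuers of the form https://login.microsoftonline.com/{tenant-id}/v2.0
    // whose tenant ID is in the allowlist; anything else fails validation.
    internal static string ValidateIssuerAgainstAllowedTenants(
        string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        Uri uri;
        if (Uri.TryCreate(issuer, UriKind.Absolute, out uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && uri.Host.Equals("login.microsoftonline.com", StringComparison.OrdinalIgnoreCase)
            && uri.Segments.Length == 3 // "/", "{tenant-id}/", "v2.0"
            && uri.Segments[2] == "v2.0"
            && AllowedTenantIds.Contains(uri.Segments[1].TrimEnd('/')))
            return issuer;

        throw new SecurityTokenInvalidIssuerException("Issuer is not an allowed tenant.") { InvalidIssuer = issuer };
    }
}
```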