Azure AD Password+Security Key auth not working with our imp


Postby schikura » Fri Jun 25, 2021 11:44 am

Hi all,

We have configured SAML Azure AD with password + Security key authentication.

If we use cefclient.exe (one of the default sample projects), the security key is getting prompted correctly and authentication succeeds.

But with our implementation of CEF, the browser is stuck at the "Verify your identity"/"Use a security key" screen itself and does not proceed further.
SecurityKeyNotWorking.jpg


With cefclient.exe, after the above screen, it correctly proceeds to the "Sign in with a Security key" page and the Windows Security popup gets displayed correctly, asking for the PIN of the security key.
cefclient_SecurityKeyWorking.jpg


I am attaching the CEF logs in both cases and the screenshots as well.
WorkingAndNonWorkingLogs.zip


With our same CEF implementation, Okta password + Security key authentication works fine. But we are not able to find why it is not working with Azure AD.

Any pointers or help would be appreciated.

Thanks in advance.
schikura

Re: Azure AD Password+Security Key auth not working with our

Postby magreenblatt » Fri Jun 25, 2021 12:56 pm

Are you using the same CEF version? How does your application differ from cefclient?
magreenblatt

Re: Azure AD Password+Security Key auth not working with our

Postby schikura » Sat Jun 26, 2021 12:16 pm

Thanks magreenblatt for the response.

Our application is using CEF version 87.1.14, and the cefclient.exe I used for testing was built with 80.1.14.

Our application uses CEF as an embedded browser launched only for authentication, which gets closed automatically once it gets the required auth cookies. There is no address bar, etc. for the user to control.

We started developing our embedded browser with cefsimple and expanded it for some cases, like handling cookies, certificate errors, etc.
schikura

Re: Azure AD Password+Security Key auth not working with our

Postby magreenblatt » Sat Jun 26, 2021 2:24 pm

You need to test with the same CEF version. Preferably also a supported version.
magreenblatt

Re: Azure AD Password+Security Key auth not working with our

Postby schikura » Mon Jun 28, 2021 6:41 am

Turns out, this is a user agent issue. We were sending the IE user agent string Trident as part of our CEF embedded browser.
Looks like Azure AD does not like it and was not proceeding further. Once I removed it, it has resolved the issue on Windows.

But we are still facing issues on Mac.
When I try with the Chrome browser, I see that the PIN request is coming through a popup window similar to the one discussed in https://magpcss.org/ceforum/viewtopic.php?f=6&t=16518

Does the latest CEF support that popup, or is there any way we can make it work?

Thanks and Regards,
schikura

Re: Azure AD Password+Security Key auth not working with our

Postby magreenblatt » Mon Jun 28, 2021 11:21 am

The Chrome runtime should support this dialog.
magreenblatt

Re: Azure AD Password+Security Key auth not working with our

Postby schikura » Wed Jul 14, 2021 9:32 am

Hi magreenblatt,

Thank you very much for the pointer.
I downloaded the latest CEF and built the sample on macOS.
Running the sample without the --enable-chrome-runtime option had the same issue (no security key PIN prompt).
Running the sample with the --enable-chrome-runtime option is working, but it is basically launching a full-fledged Chrome kind of browser with address bar navigation, etc.
cefSimple_cefruntime.png


I suspect that if we enable this command-line argument --enable-chrome-runtime with our CEF browser, it will also be shown as a full-fledged browser. But we do not want that. Our CEF browser is only for authentication purposes, after which we automatically close it, and the user does not have any control over it.

How can we achieve that with the Chrome runtime?

Thanks in advance,
schikura

Re: Azure AD Password+Security Key auth not working with our

Postby magreenblatt » Wed Jul 14, 2021 10:07 am

Add the --use-views command-line flag. It shows how to use the Chrome runtime with the Views framework.
magreenblatt

Re: Azure AD Password+Security Key auth not working with our

Postby schikura » Mon Jul 26, 2021 11:01 pm

Thanks @magreenblatt for all the guidance in solving this issue.
Verified using the latest CEF version 91 that, with the Chrome runtime and Views, the PIN prompt is now coming correctly on both macOS and Windows 8.1.
schikura