microsoft azure ws-fedp login, and FISMA/FEDRAMP


The login button on the Azure portal screen invokes OAuth (and its OpenID Connect profile) in order to land on the "old" management portal site.


We see that this process uses an authorization server, with its authorization grant endpoint at https://login.microsoftonline.com/common/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3a%2f%2fmanage.windowsazure.com%2f&client_id=00000013-0000-0000-c000-000000000000&resource=https%3a%2f%2fmanagement.core.windows.net%2f&scope=user_impersonation+openid&nonce=172c6ab7-7231-4759-ad39-35d9650894c6&domain_hint=&site_id=500879&response_mode=query, and that the response_type parameter asks for an id_token (code+id_token).


The server leverages user discovery, which generates the ws-fedp request (with its mix of proprietary and standard query string parameters).

As in the Office 365 login experience, the site holding the web resources uses the microsoftonline AS (which invokes ws-fedp WebSSO on our IDP).


We can contrast this site login experience with the API Management "manager site" (note that we have just logged into the Azure management portal).


Here we see that the site uses an authorization server at https://login.windows.net/common/oauth2/authorize?client_id=aad2a9dc-2d78-4a34-a6ea-8b535b177cd9&response_mode=form_post&response_type=code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3dAQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAAZIdGDtugkSxUpRQIN9TaQAAAAACAAAAAAAQZgAAAAEAACAAAAC6kFh2Ew2gnA_lt7qgl9cQgkatiwwZLr3h4jftLw8WPQAAAAAOgAAAAAIAACAAAADmfY1WdHg4ve5Q4UJR2kB9eBK9hsEwPmJqG7MLskx-bkAAAAAWdW7-gkC9APajNuDG5yD0RTf14rcJ2M1ajbPkrTs0quWG_heb0jKaGyvp6vD_c2QJvHC-BZ_owkNcS1NSQNgmQAAAALe55wqpF8jbWMpJBAmnUozok7XZ_1Ftm-eSPzEKROF_UgDTt4lViOKkWLuwRa7l4x_GzvuON3jmRCj8t4U92gg&nonce=635594561610091501.NzA5MTQxZmEtM2ZjNC00MThmLWE2YzItZDRiMjU3YWY0NzQwZmZmZjg4NzctNjQ2NS00MWFiLTlmOTMtY2MyYzZjMjZhOWQy.


By means unknown, this server knows it has a session (associated with microsoftonline.com's AS, presumably).

If we delete the cookies in the browser, we see the microsoft.net AS invoke the microsoftonline.com ws-fedp responder (note well, this is not the AS used earlier), which in turn invokes our IDP in an IDP proxying model.


This duly lands the user (who now visits the IDP) on the api management site:

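Pulling the security-relevant parameters out of the two authorize requests quoted above, as an added example (not code from the post): the code+id_token hybrid flow needs a nonce, and response_mode decides whether the tokens travel back in the query string or in a POST body. The second request's long state value is replaced by a labelled placeholder.

```python
from urllib.parse import urlsplit, parse_qs

# Both authorize requests quoted in the post. Values are the ones the page shows,
# except the long state blob of the second request (placeholder below).
PORTAL_AUTHZ = (
    "https://login.microsoftonline.com/common/oauth2/authorize?"
    "response_type=code+id_token&redirect_uri=https%3a%2f%2fmanage.windowsazure.com%2f"
    "&client_id=00000013-0000-0000-c000-000000000000"
    "&resource=https%3a%2f%2fmanagement.core.windows.net%2f"
    "&scope=user_impersonation+openid&nonce=172c6ab7-7231-4759-ad39-35d9650894c6"
    "&domain_hint=&site_id=500879&response_mode=query"
)
APIM_AUTHZ = (
    "https://login.windows.net/common/oauth2/authorize?"
    "client_id=aad2a9dc-2d78-4a34-a6ea-8b535b177cd9&response_mode=form_post"
    "&response_type=code+id_token&scope=openid+profile"
    "&state=OpenIdConnect.AuthenticationProperties%3dSTATE_PLACEHOLDER"  # placeholder, not the real blob
    "&nonce=635594561610091501.NzA5MTQxZmEtM2ZjNC00MThmLWE2YzItZDRiMjU3YWY0NzQwZmZmZjg4NzctNjQ2NS00MWFiLTlmOTMtY2MyYzZjMjZhOWQy"
)

def audit_authorize_request(url: str) -> dict:
    """Return the security-relevant parameters of an OAuth 2.0 / OIDC authorize
    request plus the findings a relying-party reviewer would raise."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    response_types = set(params.get("response_type", "").split())  # '+' decodes to a space
    scopes = set(params.get("scope", "").split())
    # Default response mode per the OAuth 2.0 Multiple Response Type spec:
    # query for a pure code flow, fragment whenever a token/id_token is returned.
    mode = params.get("response_mode", "query" if response_types == {"code"} else "fragment")
    findings = []
    if parts.scheme != "https":
        findings.append("authorize endpoint is not https")
    if "redirect_uri" not in params:
        findings.append("no redirect_uri: AS must fall back to a single registered URI")
    elif not params["redirect_uri"].startswith("https://"):
        findings.append("redirect_uri is not https")
    if "id_token" in response_types:
        if "openid" not in scopes:
            findings.append("id_token requested without the openid scope")
        if not params.get("nonce"):
            findings.append("id_token requested without nonce (replay not prevented)")
        if mode == "query":
            findings.append("id_token returned in query string (exposed in logs/Referer); prefer form_post")
    if "code" in response_types and not params.get("state"):
        findings.append("no state: callback not bound to the browser session (login CSRF)")
    return {"host": parts.netloc, "response_types": response_types,
            "response_mode": mode, "findings": findings}
```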


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in Azure AD.