You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Update to sequence of nonce request in federated user case
Azure AD nonce is requested prior to getting SAML token from ADFS (or equivalent federated IDP) in case of federated user, however it's important that nonce is requested prior to sending the SAML token to Azure AD. This update changes the statement about nonce request in federated user case to highlight the fact that nonce is requested prior to sending the SAML token to Azure AD. The update is made to alleviate concern about documentation not corresponding to sequence of requests on the wire.
Copy file name to clipboardExpand all lines: articles/active-directory/devices/concept-primary-refresh-token.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -159,7 +159,7 @@ The following diagrams illustrate the underlying details in issuing, renewing, a
159
159
| :---: | --- |
160
160
| A | User enters their password in the sign in UI. LogonUI passes the credentials in an auth buffer to LSA, which in turns passes it internally to CloudAP. CloudAP forwards this request to the CloudAP plugin. |
161
161
| B | CloudAP plugin initiates a realm discovery request to identify the identity provider for the user. If user’s tenant has a federation provider setup, Azure AD returns the federation provider’s Metadata Exchange endpoint (MEX) endpoint. If not, Azure AD returns that the user is managed indicating that user can authenticate with Azure AD. |
162
-
| C | If the user is managed, CloudAP will get the nonce from Azure AD. If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Once it receives, the SAML token, it requests a nonce from Azure AD. |
162
+
| C | If the user is managed, CloudAP will get the nonce from Azure AD. If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Nonce is requested before the SAML token is sent to Azure AD. |
163
163
| D | CloudAP plugin constructs the authentication request with the user’s credentials, nonce, and a broker scope, signs the request with the Device key (dkpriv) and sends it to Azure AD. In a federated environment, CloudAP plugin uses the SAML token returned by the federation provider instead of the user’ credentials. |
164
164
| E | Azure AD validates the user credentials, the nonce, and device signature, verifies that the device is valid in the tenant and issues the encrypted PRT. Along with the PRT, Azure AD also issues a symmetric key, called the Session key encrypted by Azure AD using the Transport key (tkpub). In addition, the Session key is also embedded in the PRT. This Session key acts as the Proof-of-possession (PoP) key for subsequent requests with the PRT. |
165
165
| F | CloudAP plugin passes the encrypted PRT and Session key to CloudAP. CloudAP request the TPM to decrypt the Session key using the Transport key (tkpriv) and re-encrypt it using the TPM’s own key. CloudAP stores the encrypted Session key in its cache along with the PRT. |
@@ -173,7 +173,7 @@ The following diagrams illustrate the underlying details in issuing, renewing, a
173
173
| A | User enters their password in the sign in UI. LogonUI passes the credentials in an auth buffer to LSA, which in turns passes it internally to CloudAP. CloudAP forwards this request to the CloudAP plugin. |
174
174
| B | If the user has previously logged on to the user, Windows initiates cached sign in and validates credentials to log the user in. Every 4 hours, the CloudAP plugin initiates PRT renewal asynchronously. |
175
175
| C | CloudAP plugin initiates a realm discovery request to identify the identity provider for the user. If user’s tenant has a federation provider setup, Azure AD returns the federation provider’s Metadata Exchange endpoint (MEX) endpoint. If not, Azure AD returns that the user is managed indicating that user can authenticate with Azure AD. |
176
-
| D | If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Once it receives, the SAML token, it requests a nonce from Azure AD. If the user is managed, CloudAP will directly get the nonce from Azure AD. |
176
+
| D | If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Nonce is requested before the SAML token is sent to Azure AD. If the user is managed, CloudAP will directly get the nonce from Azure AD. |
177
177
| E | CloudAP plugin constructs the authentication request with the user’s credentials, nonce, and the existing PRT, signs the request with the Session key and sends it to Azure AD. In a federated environment, CloudAP plugin uses the SAML token returned by the federation provider instead of the user’ credentials. |
178
178
| F | Azure AD validates the Session key signature by comparing it against the Session key embedded in the PRT, validates the nonce and verifies that the device is valid in the tenant and issues a new PRT. As seen before, the PRT is again accompanied with the Session key encrypted by Transport key (tkpub). |
179
179
| G | CloudAP plugin passes the encrypted PRT and Session key to CloudAP. CloudAP requests the TPM to decrypt the Session key using the Transport key (tkpriv) and re-encrypt it using the TPM’s own key. CloudAP stores the encrypted Session key in its cache along with the PRT. |
0 commit comments