
Integrate SAML Auth


Hello,

I want to integrate the authentication method below with PowerApps Portals.

https://developers.login.gov/

https://developers.login.gov/saml/

Any help would be appreciated.

  • OOlashyn, Most Valuable Professional (3,496):

    Hi @hardikv,

    Please follow the official docs from MS on how to integrate with a SAML provider for portals - https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-saml2-provider. If you need additional information from the portal side, like the SAML metadata endpoint, you can always use Azure AD B2C as a middle man between SAML and the portal. Also, in the article that you provided there is a mention that they recommend using OpenID Connect instead - see here how you can use it with portals - https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider

  • H V (1,510):

    Thanks for the reply @OOlashyn.

    Yes, you are right. They recommend OpenID Connect. However, Login.gov supports two ways of authenticating clients: private_key_jwt and PKCE.

    PowerApps Portals doesn't support these two auth flows, so I have to use the SAML auth flow.

    Is there any descriptive doc or blog available for SAML integration? It would be very helpful.

  • OOlashyn, Most Valuable Professional (3,496):

    You are right - I didn't notice that they support only 2 ways for OpenID Connect. Regarding official SAML docs for the portal - see my previous answer, I specified it there. Regarding blogs - I don't remember any specifically for SAML, but I will try to check and share if I find any.

  • H V (1,510):

    Hi @OOlashyn,

    I was trying to configure SAML 2.0 with https://developers.login.gov/saml/

    However, I don't know what the value of Authentication Type will be. Where can I get this value from?

    Could you please help me?

    (screenshot attached: hardikv_0-1640766895198.png)

  • OOlashyn, Most Valuable Professional (3,496):

    @hardikv I think the Authentication Type on the portal side is the NameID in login.gov. You can try to generate a random v4 GUID and use it.

  • AGK (4):

    Hi @hardikv, were you able to make it work?

    Thanks

  • GraysonBishop2 (28):

    I did find this resource that includes step-by-step instructions and sample files for setting up Login.gov as an IDP for Power Pages using Azure B2C as a "middle man" service provider.

    I'm currently trying to follow the instructions, but haven't gotten it working successfully. Did you get this working, @hardikv?
  • Suggested answer: Jakczxcv (43):

    I have spent a significant amount of time trying to do this, and it never quite worked out with login.gov because of its unique requirements. If you get it to work, it will not be by a direct approach, unless something else changes.

    Here's the main impediment to the direct approach. For login.gov, they use protocol-optional features that implement government requirements for the authentication process to share and verify NIST IAL and AAL security level information, or MFA auth, or both. At any rate, login.gov requires more than the bare minimum. Nominally, login.gov and Power Pages both support SAML and OpenID Connect, but each protocol has its own feature that can support these additional goals of login.gov and the government. Obviously a forum post is not going to represent the federal law and security standards you would need to know, and that is not the goal of this post, but I am just saying there are various legal reasons that login.gov uses the protocol-optional features. As technologies, OIDC and SAML do not "require" that these are used, or even that a protocol implementation supports them, but the protocols are complex enough to support such IDPs and service providers who negotiate their own additional requirements. In the case of login.gov, whether you try to use OIDC or SAML, each one requires a service provider to use a different feature that Power Pages will not support.

    Login.gov's documentation has a guide for each protocol that spells out the exact requirements, and when you look at those alongside Microsoft Power Pages' corresponding SAML or OIDC IDP setup FAQs, each will describe an unsupported protocol feature required by login.gov. At least, that's how it was the last time I checked.

    . . .

    NOW, that being said, there is more than one way to get anything done, and where there's a will, there's a way. It is likely that there are other identity providers you might be able to try and use, and in some cases there is a possibility for them to act on your site's behalf in terms of assuring that the security standards are being met, where another IDP can check on the IAL/AAL information within its implementation and daisy-chain the login.gov authentication information to your Power Pages site. Maybe you could get it done with MS Entra, like with a B2C configuration, or something else entirely that your agency operates. Or rather, since you are probably already at capacity doing your own job, hopefully there is someone else in your agency who works with such things and can help you.

    To reiterate, there may be a way that end users of your site will only need a login.gov account, while you might be integrating with a different, carefully configured IDP. That assumes a heck of a lot, but I have seen it happen, so maybe it's worth asking around in your situation.

    Sorry about the non-answer answer ("It's not going to work" / "Here's a very long story about something that might exist and might work"). I find there are a lot of those on these types of forums.
  • Jakczxcv (43):

    I'm sorry, I just noticed that I was answering the original question when the most recent reply was the reason the thread was bumped, and it has another good follow-up I wanted to add.

    I did not get a login.gov middle-man IDP working either, but unfortunately I was stopped at an unexplained bug or bug-like experience that could not be isolated and corrected. We had to change directions (not to go off-topic) and used a whole other IDP, and no login.gov (neither directly nor via an intermediate IDP).

    I'm interested to know if you or anyone else had the same problem that we did with our login.gov + middle-man IDP integration. Back when we were trying it, in tests where authentication completed normally, the redirect back to Power Pages ("/signin-saml1" or "/signin-oidc1") would always be answered with a nonsensical "page not found" message.

    It really didn't suit the situation at all. One way to be sure the "page not found" message was nonsense was when we tested an intentional authentication failure. Those tests received a more appropriate authentication-related failure message, and of course there was no change to the Power Pages redirect URL. It couldn't have just been an error in the integration configuration. The page was already found before it was not found (and of course it's the exact URL Power Pages says to use).

    Again, this is only what happened when the middle-man + login.gov parts of authentication seemed to work correctly. login.gov liked the authentication and redirected to our middle-man IDP; then the middle-man IDP redirected to the Power Pages template as described, and then Power Pages just said "Page not found" (?). To prove out the quality of the forwarded authentication, debug info from the browser was turned into a 'curl' request. I was able to use the same information from the redirected request, and got tokens for myself when Power Pages would not request them. We never figured that one out.
  • rulesrchanged1:

    To make login.gov work with Power Pages, there are two ways:

    a) Use SAML, and get signed assertions and encrypted response turned off.
    b) For using OIDC, you will need to use a provider-in-the-middle approach where Pages integrates with something like Azure AD B2C, and Azure AD B2C federates with Login.gov. Here is a good sample on how to integrate login.gov with B2C: partner-integrations/samples/Login.gov/README.md at master · azure-ad-b2c/partner-integrations · GitHub
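
As an added illustration (not code from any poster, login.gov or Microsoft), the Python script below inspects a SAML 2.0 Response for the settings this thread keeps coming back to: whether the assertion is signed, whether the IdP sent an encrypted assertion instead of a plain one, the NameID format, and any AuthnContextClassRef values (where an IdP conveys assurance levels such as IAL/AAL). The two XML messages are constructed samples with a placeholder assurance URI, and the script only checks element presence; it does not verify signatures or decrypt anything, so it is a configuration-debugging aid, not a validator.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample, not a real login.gov message: the assertion is signed,
# nothing is encrypted, and the assurance-level URI is a placeholder.
PLAIN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-1</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:assurance:ial:1</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample where the IdP encrypted the assertion: NameID and
# AuthnContext are unreadable until the SP decrypts it with its private key.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:EncryptedAssertion><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>"""

def inspect_response(xml_text: str) -> dict:
    """Report the structural settings the thread discusses. Only element
    presence is checked; no signature is verified and nothing is decrypted."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    info = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "assertion_signed": False,
        "name_id_format": None,
        "authn_context": [],
    }
    if assertion is not None:
        info["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        info["name_id_format"] = None if name_id is None else name_id.get("Format")
        info["authn_context"] = [e.text for e in assertion.iterfind(".//saml:AuthnContextClassRef", NS)]
    return info
```

Running `inspect_response` on a response captured from a browser's SAML trace shows at a glance which of the settings named in the replies above the IdP is actually sending, before any portal-side configuration is changed.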
