looking for example for OIDC with spring

[Tushar surti]

does any one has successfully implemented OIDC with spring security using PAC4J. If yes, could you please send me useful artifacts for the same. I'm planing to have google and AzureAD integration for this. 

[Jérôme LELEU]

Hi,

Take a look at the demo: https://github.com/pac4j/spring-security-pac4j-demo/blob/master/src/main/resources/securityContext.xml#L177

Use the GoogleOidcClient for Google and the AzureAdClient for AureAD.

Thanks.

Best regards,

Jérôme

2016-08-29 17:46 GMT+02:00 Tushar surti <tusha...@gmail.com>:

does any one has successfully implemented OIDC with spring security using PAC4J. If yes, could you please send me useful artifacts for the same. I'm planing to have google and AzureAD integration for this. 

--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Tushar surti]

Hi, I could not see AzureADClient in the xml. are we missing  something? 

[Tushar surti]

Hi,

I get below error on redirect.

On Monday, 29 August 2016 11:46:59 UTC-4, Tushar surti wrote:

[Jérôme LELEU]

Hi,

No, you are not missing anything, the demo has just a Google OpenID Connect example, but this can easily be replaced by an AzureAD one.

Taken from a manual test (https://github.com/pac4j/pac4j/blob/pac4j-1.9.1/pac4j-oidc/src/test/java/org/pac4j/oidc/run/RunAzureAdClient.java#L39):

final AzureAdClient client = new AzureAdClient();

client.setClientID("788339d7-1c44-4732-97c9-134cb201f01f");

client.setSecret("we/31zi+JYa7zOugO4TbSw0hzn+hv2wmENO9AS3T84s=");

client.setDiscoveryURI("https://login.microsoftonline.com/38c46e5a-21f0-46e5-940d-3ca06fd1a330/.well-known/openid-configuration");

Thanks.

Best regards,

Jérôme

--

[Jérôme LELEU]

Hi,

Reading the error message: the redirectURI does not match the ones authorized for the OAuth client. Your configuration is not correct on Google side.

In the Google console, for your project, in the "Credentials" menu, click on the appropriate "OAuth 2.0 client IDs" and define "http://localhost:19999/callback?client_name=Google2Client" in "Authorized redirect URIs".

Thanks.

Best regards,

Jérôme

--

[Tushar surti]

Hi Jerome, 

Thanks for your help. I've one more question. 

I want to configure logout for my app with PAC4J.

Below is my config.

<bean id="oidcSecurityFilter" class="org.pac4j.springframework.security.web.SecurityFilter">
   <property name="config" ref="config" />
   <property name="clients" value="GoogleOidcClient" />
</bean>
<security:http create-session="always" pattern="/**" entry-point-ref="pac4jEntryPoint">
   <security:custom-filter position="BASIC_AUTH_FILTER" ref="oidcSecurityFilter" />
   <security:csrf disabled="true" />
   <security:anonymous enabled="false" />
   <security:logout logout-success-url="/" />
</security:http>

Now,when I do logout from my app, it falls back to current page only. should it redirect to google login page or not?

what will be the ideal work flow for OIDC logout?

Thanks,

Tushar

--

Thanks,

Tushar Surti

M: +1 201 450 7356

[Jérôme LELEU]

Hi,

Using <security:logout logout-success-url="/" /> performs a local logout and redirects the user to / (defined url).

You will be logged out from the webapp but still authenticated at the identity provider level (Google here).

Performing a centralized logout is not handled by pac4j yet. Planned for version 2.0 (next year).

If you need that centralized / single logout, you must handle that on your own, based on Google capabilities implemented from the OpenID Connect protocol.

Thanks.

Best regards,

Jérôme

[Tushar surti]

Hi Jerome,

Thank for your help. I was able to use google for OIDC and now doing config for Azure AD.

I'm facing other issue right now with Azure OIDC.

problem 1) Azure AD (https://apps.dev.microsoft.com) is not allowing to give URL with query string (like http://localhost:19999/callback?client_name=AzureAdClient) ....

What is the solution for this? I've added below property in callbackfilter (id="callbackFilter")

<property name="defaultUrl" value="http://localhost:19999/callback?client_name=AzureAdClient" />

Below is my whole config file.

<?xml version="1.0" encoding="UTF-8"?>
  <beans xmlns="http://www.springframework.org/schema/beans"
         xmlns:security="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:mvc="http://www.springframework.org/schema/mvc"
         xmlns:context="http://www.springframework.org/schema/context"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-4.1.xsd
          http://www.springframework.org/schema/mvc
          http://www.springframework.org/schema/mvc/spring-mvc.xsd
          http://www.springframework.org/schema/context
          http://www.springframework.org/schema/context/spring-context.xsd">

  <context:annotation-config />

  <!--to enable spring security debug feature -->
  <security:debug/>

  <bean id="requestInfoProvider" scope="request" class="com.gs.wmf.lifeboat.web.RequestInfoProviderImpl"
        init-method="init" />

  <mvc:resources mapping="/auth/**" location="classpath:staticweb/auth/"/>
  <security:http pattern="/auth/**" security="none" />
  <security:http pattern="/font/**" security="none" />
  <security:http pattern="/js/**" security="none" />
  <security:http pattern="/css/**" security="none" />
  <security:http pattern="/img/**" security="none" />
  <security:http pattern="/pages/**" security="none" />

  <security:authentication-manager id="authenticationManager"/>

  <bean id="pac4jEntryPoint" class="org.pac4j.springframework.security.web.Pac4jEntryPoint" />

  <bean id="callbackFilter" class="org.pac4j.springframework.security.web.CallbackFilter">

    <property name="config" ref="config" />

    <property name="multiProfile" value="false" />
    <property name="defaultUrl" value="http://localhost:19999/callback?client_name=AzureAdClient" />
  </bean>
  <security:http create-session="always" pattern="/callback*" entry-point-ref="pac4jEntryPoint">

    <security:csrf disabled="true"/>

    <security:custom-filter position="BASIC_AUTH_FILTER" ref="callbackFilter" />
  </security:http>

  <bean id="oidcSecurityFilter" class="org.pac4j.springframework.security.web.SecurityFilter">
     <property name="config" ref="config" />

     <property name="clients" value="AzureAdClient" />

  </bean>
  <security:http create-session="always" pattern="/**" entry-point-ref="pac4jEntryPoint">
     <security:custom-filter position="BASIC_AUTH_FILTER" ref="oidcSecurityFilter" />
     <security:csrf disabled="true" />
     <security:anonymous enabled="false" />
     <security:logout logout-success-url="/" />
  </security:http>

    <!-- security configuration -->
    <bean id="roleAdminAuthGenerator" class="com.gs.wmf.lifeboat.pac4j.RoleAdminAuthGenerator" />
    <bean id="azureOidcClient" class="org.pac4j.oidc.client.AzureAdClient">
      <property name="clientID" value="d576319a-75de-490f-bcce-e2bfc4a709e3" />
      <property name="secret" value="EMgSeMKyyfxVH6eFSw7njEj" />
      <property name="authorizationGenerator" ref="roleAdminAuthGenerator" />
      <property name="discoveryURI" value="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3&amp;scope=openid+profile&amp;response_type=id_token" />
    </bean>

    <bean id="clients" class="org.pac4j.core.client.Clients">
      <property name="callbackUrl" value="https://localhost:19999/callback" />
      <property name="clients">
        <list>
          <ref bean="azureOidcClient" />
        </list>
      </property>
    </bean>

    <bean id="config" class="org.pac4j.core.config.Config">
      <property name="clients" ref="clients" />
      <property name="authorizers">
        <map>
          <entry key="admin">
            <bean class="org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer">
              <constructor-arg name="roles" value="ROLE_USER" />
            </bean>
          </entry>
          <entry key="custom">
            <bean class="com.gs.wmf.lifeboat.pac4j.CustomAuthorizer" />
          </entry>
        </map>
      </property>
      <property name="matchers">
        <map>
          <entry key="excludedPath">
            <bean class="org.pac4j.core.matching.ExcludedPathMatcher">
              <constructor-arg name="excludePath" value="^/facebook/notprotected\.jsp$" />
            </bean>
          </entry>
        </map>
      </property>
    </bean>

  </beans>

problem 2) with above configuration , I'm getting JSON parsing errors.

call stack trace is given below. Could you please help me out with this problem. What is wrong in my code/config.

2016-09-01 00:42:13.517 EDT [qtp566710404-51] WARN  o.e.jetty.servlet.ServletHandler [//] - /
org.pac4j.core.exception.TechnicalException: com.nimbusds.oauth2.sdk.ParseException: Invalid JSON: Unexpected token <!DOCTYPE html>
<html dir="ltr">
<head>
    <title>Sign in to your account</title>
    <meta name="PageSrc" content="_Login" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Expires" content="-1">
    <meta name="PageID" content="SignIn" />
    <meta name="SiteID" content="" />
    <meta name="ReqLC" content="1033" />
    <meta name="LocLC" content="en-US" />
    <meta name="mswebdialog-newwindowurl" content="*" />

    <link href="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/proxy.min.css" rel="stylesheet" />


        <link rel="shortcut icon" href="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/favicon_a.ico" />
    <script type="text/javascript">//<![CDATA[
$Config={"cobranding":{"base":"app","label":"Work or school, or personal Microsoft account","labelTenant":"Sign in to SNCR-ORBIT","active":"app","initial":"app","app":{"Illustration":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/default_signin_illustration.png","BannerLogo":"","LogoText":"SNCR-ORBIT","BackroundColor":"#0072C6","BoilerPlateText":""},"tenant":{}},"tiles":{"aadUsers":[],"msaUsers":[],"users":[],"otherUser":{"name":"Use another account","login":"","imageAAD":"use_another_account.png","imageMSA":"use_another_account.png","isLive":false,"link":"other","authUrl":"","sessionID":"","domainHint":"other"},"splitterTilesUsers":[{"id":"aad","name":"Work or school account","login":"Created by your IT department","image":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/work_account.png"},{"id":"msa","name":"Personal account","login":"Created by you","image":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/personal_account.png"}]},"constants":{"dbgMessages":[],"MEMBER_NAME":"","FEDERATION_QUERY_PARAMETERS":"?client-request-id=dd5fe9fa-7091-4e70-b74e-b8cd028fa967\u0026username=\u0026wa=wsignin1.0\u0026wtrealm=urn%3afederation%3aMicrosoftOnline\u0026wctx=estsredirect%3d2%26estsrequest%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0","CONTEXT":"rQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0","BASE_URL":"/common/reprocess?","LATENCY_THRESHOLD":2000,"CDN_IMAGE_PATH":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/","IS_USE_OTHER_ACCOUNT_VISIBLE":true,"MAX_USER_TILES":5,"PARTNER_NAME":"Sign in with your work or school account","METRICS_MODE":1,"TokenizedStringMsgs":{"GENERIC_ERROR":"\u003cH1\u003eSorry, but we\u0027re having trouble signing you in\u003c/H1\u003e\u003cp\u003ePlease try again in a few minutes. If this doesn\u0027t work, you might want to contact your admin and report the following error: #~#ErrorCode#~#.\u003c/p\u003e","UPN_DISAMBIGUATE_MESSAGE":"It looks like {0} is used with more than one account. Which account do you want to use?"},"REALM_RESOLVER_URL":"/common/userrealm/","FORCED_SIGN_IN":false,"MSA_AUTH_URL":"https://login.live.com/oauth20_authorize.srf?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3\u0026scope=openid+profile\u0026response_type=id_token\u0026display=touch\u0026uaid=dd5fe9fa70914e70b74eb8cd028fa967\u0026msproxy=1\u0026issuer=mso\u0026ui_locales=en-US","isCxhRequest":false,"isAdalRequest":false,"IS_NAME_COEXISTENCE_ACCOUNT":false,"adalUxOverride":false,"cancelRedirectUrl":"https://localhost:19999/callback?error=access_denied\u0026error_subcode=cancel","IS_MSA_FED_SUPPORTED":false,"IS_MSA_PHONE_USERNAME_SUPPORTED":true,"IS_MSA_REDIR_SUPPORTED":false,"MSA_DOMAIN":"live.com","PROMPT":"","USERNAME_HINT_TEXT":"Email or phone","IS_LOGOUT_REQUEST":false,"SHOULD_HIDE_SIGNUP":false,"USE_DARK_TILE_LOGO":false,"HAS_ERROR":false,"IS_MOBILE":false,"mobileWidthThreshold":600,"SIGNOUTFORGET_URL_TEMPLATE":"/uxlogout?sessionId={0}\u0026shouldForgetUser={1}","IS_HOLOGRAPHIC":false,"savedTiles":{"otherJSON":{"name":"Use another account","login":"","imageAAD":"other_glyph.png","imageMSA":"other_glyph.png","isLive":false,"link":"other","authUrl":"","sessionID":"","domainHint":"other"}},"Use_Client_Check_Msa_Flag":true,"isDebugMode":false,"request":{"uaid":"dd5fe9fa70914e70b74eb8cd028fa967","issuerIdentifier":"mso","isProxyRequest":true,"isMsaSupported":true},"Locale":"en-US","responseMode":"NotSpecified","useFormPostResponseMode":true,"appRedirectUrl":"https://login.live.com/oauth20_authorize.srf?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3\u0026amp;scope=openid+profile\u0026amp;response_type=id_token\u0026amp;display=touch\u0026amp;uaid=dd5fe9fa70914e70b74eb8cd028fa967\u0026amp;msproxy=1\u0026amp;issuer=mso\u0026amp;ui_locales=en-US","msaSignupUrl":"https://login.live.com/oauth20_authorize.srf?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3\u0026amp;scope=openid+profile\u0026amp;response_type=id_token\u0026amp;display=touch\u0026amp;uaid=dd5fe9fa70914e70b74eb8cd028fa967\u0026amp;msproxy=1\u0026amp;issuer=mso\u0026amp;ui_locales=en-US\u0026amp;signup=1\u0026amp;lw=1\u0026amp;fl=easi2","IsB2CScenario":false,"showTilesOnPageLoad":true,"isDesktopSsoEnabled":false,"OnPremPasswordValidationConfig":{"IsPollingEnabled":false,"IsPollingRequired":false,"PollUrl":"/common/onpremvalidation/Poll","MaxPolls":20,"PollingInterval":500,"Timeout":15000,"FlowToken":"AQABAAEAAADRNYRQ3dhRSrm-4K-adpCJoxiQE5ooDmgh417ZPMuvz-kARYED95fQSs7PMx7H_InU4izTOaleIsjHjF8PjcX1W0c_RwcEOn6Ww39Xes1DjjCFl_iGY3O_PCg_GiRCDrMqjgcfZR56wuKRovm0MyIpu3sye-XDWaL5zJ3Nl0-C7qNpro7rra91Yy7SV178B-QlLMTrGLtUiSZ7zW8CEpPmzShWzrmvZ4nBtJiGhO-PRCAA"},"windowsAuthenticationRequestTimeoutInMs":0},"scid":1013,"hpgact":1800,"hpgid":1000,"pgid":"SignIn","apiCanary":"AQABAAAAAADRNYRQ3dhRSrm-4K-adpCJ693fJHJVb6GCUZW2LtAowaKQ4C7zkN2kpUENr6Y0XgDIGcn2QF9NTGgpblAqrlB-vr6Hopf6-bBQQPNfwGZmOrj9bu-PafczdtFKeqkY92LAyJkq5wesw2WtJ6Wgana9yp1kH_6TA-_qP4n0zlRcwOGDIQXvzwyLGi0gT-5gJRyuNOgFv_0uGnnRO6EogkZZTTsQP1xE65pUDwBu2CEg4iAA","canary":"/sGean8v0UM6VNIfq8YG5u+D9t2mB6wj55b3SvLczjY=6:1","correlationId":"dd5fe9fa-7091-4e70-b74e-b8cd028fa967","locale":{"lc":"en-US","isRtl":false,"lcid":1033},"strings":{"msa":{"label":"(Microsoft account)","account":{"imgalttext":"Microsoft account symbol","tilealttext":"Microsoft account for {0}"},"redirect":"We‘re taking you to the Microsoft account sign-in page."},"aad":{"account":{"imgalttext":"Work or school account symbol","tilealttext":"Work or school account for {0}"},"redirect":"We\u0027re taking you to your organization\u0027s sign-in page."},"cloudfed":{"redirect":"We\u0027re taking you to your organization\u0027s sign-in page."},"otheraccounttext":"Use another account","clickformore":"Click for more actions","connectedtowindows":"Connected to Windows","signedin":"Signed in","clicktosignin":"","signingout":"Signing out...","accountimagealttext":"User account image","header":{"text":{"username":"Sign in with your work account","password":"Enter your password","privacy":"Privacy statement"}},"disambiguation":{"description":"It looks like {0} is used with more than one account. Which account do you want to use?","timeout":"We\u0027re having trouble locating your account. Which type of account do you want to use?"},"fido20":{"getassertionuserprompt":"Use your PIN or Windows Hello to prove you own {0}"},"errors":{"30136":"Type the email address of the account you want to sign in with.","30064":{"title":"This doesn\u0027t look like a valid user ID","description":"Your user ID should look like an email address, for example som...@contoso.com or som...@contoso.onmicrosoft.com."},"30008":"Sign in to {0}","30067":"\u003cH1\u003eWe don\u0027t recognize this user ID or password\u003c/H1\u003e\u003cp\u003eBe sure to type the password for your work or school account.\u003c/p\u003e","30068":{"title":"\u003cH1\u003e{0} isn\u0027t in our system\u003c/H1\u003e\u003cp\u003eMake sure you typed your email address correctly. It usually looks like som...@example.com or som...@example.onmicrosoft.com\u003c/p\u003e","description":"Make sure you typed your email address correctly. It usually looks like som...@example.com or som...@example.onmicrosoft.com"},"30111":"Please enter your password.","30127":"To sign in, start by entering a user ID.","30140":"We\u0027re having trouble locating your account. Which type of account do you want to use?","30145":"Check the email address you entered. You may have mistyped it.","30146":{"title":"We couldn\u0027t find an account with that email address.","description":"Enter a different email address or \u003ca id=\u0022user-not-found-link\u0022 href=\u0022#\u0022\u003eget a new Microsoft account\u003c/a\u003e."},"30168":{"title":"We don\u0027t recognize this domain name","description":"Make sure you typed your organization\u0027s domain name correctly. It usually looks like @example.com or @example.onmicrosoft.com."},"30173":"Which type of account do you want to sign in with?","30200":"You may still be signed in to some applications. Close your browser to finish signing out.","catchall":"We didn\u0027t receive a response. Please try again."}},"enums":{"ClientMetricsModes":{"None":0,"SubmitOnPost":1,"SubmitOnRedirect":2,"InstrumentPlt":4},"NameSpaceType":{"None":0,"Managed":1,"Federated":2},"ErrorCodes":{"None":0,"ForceSignIn":2147749900,"NotAuthorized":2147762210,"SltRedemptionFailed":2147771649}},"urls":{"disambighelpurl":"https://go.microsoft.com/fwlink/p/?LinkID=733247","msa":{"meurl":"https://login.live.com/Me.srf?wa=wsignin1.0\u0026idpflag=direct\u0026wreply=","oauthauthorizeurl":"https://login.live.com/oauth20_authorize.srf","signouturl":"https://login.live.com/login.srf?wa=wsignout1.0\u0026wreply=","passwordreseturl":"https://account.live.com/password/reset?wreply=https:%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0","manageaccounturl":"https://account.microsoft.com","singleusecode":"http://windows.microsoft.com/en-US/windows-live/sign-in-single-use-code"},"style":{"loginhover":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/login_hover.min.css"}},"browser":{"ltr":1,"_Other":1,"Full":1,"RE_Other":1,"b":{"name":"Other","major":-1,"minor":-1.0},"os":{"name":"Other","version":""},"V":-1},"watson":{"enabled":true,"bundle":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/watson.min.js","sbundle":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/watsonsupport.min.js","resetErrorPeriod":5,"maxCorsScriptError":2,"maxErrorsPerPage":10},"serverDetails":{"slc":"ProXXXXnA","dc":"BL2","ri":"ESTXXXX_171","ver":{"v":[2,1,4653,2]},"rt":"2016-09-01T04:42:11"}};
//]]></script>

    
    <script type="text/javascript">//<![CDATA[
!function(){function r(r,o,a){function i(){var r=!!u.method,e=r?u.method:a[2],i=t.$WebWatson;try{e.apply(o,n(a,!r))}catch(l){return void(i&&i.submitFromException&&i.submitFromException(l))}}var u=e.r&&e.r[r];return o=o?o:this,u&&(u.skipTimeout?i():t.setTimeout(i,0)),u}function n(r,n){return Array.prototype.slice.call(r,n?3:2)}var t=window;t.$Do||(t.$Do={q:[],r:[],removeItems:[],lock:0});var e=t.$Do;e.when=function(n,t){r(n,t,arguments)||e.q.push({id:n,c:t,a:arguments})},e.register=function(n,t,o){if(!e.r[n]){e.r[n]={method:t,skipTimeout:o},e.lock++;try{for(var a=0;a<e.q.length;a++){var i=e.q[a];i.id==n&&r(n,i.c,0,i.a)&&e.removeItems.push(i)}}catch(u){throw u}finally{if(e.lock--,0===e.lock){for(var l=0;l<e.removeItems.length;l++)e.q.remove(e.removeItems[l]);e.removeItems=[]}}}},e.unregister=function(r){e.r[r]&&delete e.r[r]}}(),function(){function r(r,n,t){var e=d.createElement("script");e.id=n,e.type="text/javascript",e.setAttribute("src",r),e.defer=!1,e.async=!1,e.onload=t,e.onerror=o,e.onreadystatechange=function(){"loaded"===e.readyState&&t()};var a=d.getElementsByTagName("head")[0];a.appendChild(e)}function n(){var n=v.bundle;v.bundle=null,delete v.bundle,r(n,"WebWatson_DemandLoaded",e)}function t(){g||(c.jQuery?n():r(v.sbundle,"WebWatson_DemandSupport",n),v.sbundle&&(v.sbundle=null,delete v.sbundle),g=!0)}function e(){if(c.$WebWatson){if(c.$WebWatson.isProxy)return void o();for(;m.length>0;){var r=m.shift();r&&c.$WebWatson[r.cmdName].apply(c.$WebWatson,r.args)}}}function o(){var r=c.$WebWatson?c.$WebWatson.isProxy:!0;a(),v.loadErrorUrl&&r&&window.location.assign(v.loadErrorUrl)}function a(){m=[],c.$WebWatson=null}function i(r){return function(){var n=arguments;m.push({cmdName:r,args:n}),t()}}function u(){var r=["foundException","resetException","submit","submitFromException","showError"],n=this;n.isProxy=!0;for(var t=r.length,e=0;t>e;e++){var o=r[e];o&&(n[o]=i(o))}}function l(r,n,t,e,o,a,i,u,l){a||(a=s(i?i+2:2)),b.submit(r,n,t,e,o,a,i,u,l)}function s(r){var n=[],t=arguments.callee;try{for(;r>0;)t=t?t.caller:t,r--;for(var e=0;t&&h>e;){var o="InvalidMethod()";try{o=t.toString()}catch(a){}var i=[],u=t.args||t.arguments;if(u)for(var l=0;l<u.length;l++)i[l]=u[l];n.push({signature:o,args:i,toString:function(){return this.signature}}),t=t.caller,e++}}catch(a){}return n}var c=window,d=c.document,f=c.$Config||{},v=f.watson;if(!c.$WebWatson&&v&&v.enabled){var m=[],g=!1,h=10,b=c.$WebWatson=new u;b.CB={},b._orgErrorHandler=c.onerror,c.onerror=l,b.errorHooked=!0}}(),function(){function r(r,n){for(var t=n.split("."),e=t.length,o=0;e>o&&null!==r&&void 0!==r;)r=r[t[o++]];return r}function n(n){var t=null;return null===l&&(l=r(a,"Constants")),null!==l&&n&&(t=r(l,n)),null===t||void 0===t?"":t.toString()}function t(t){var e=null;return null===i&&(i=r(a,"$Config.strings")),null!==i&&t&&(e=r(i,t.toLowerCase())),(null===e||void 0===e)&&(e=n(t)),null===e||void 0===e?"":e.toString()}function e(r,n){var e=null;return r&&n&&n[r]&&(e=t("errors."+n[r])),e||(e=t("errors."+r)),e||(e=t("errors."+s)),e||(e=t(s)),e}function o(t){var e=null;return null===u&&(u=r(a,"$Config.urls")),null!==u&&t&&(e=r(u,t.toLowerCase())),(null===e||void 0===e)&&(e=n(t)),null===e||void 0===e?"":e.toString()}var a=window,i=null,u=null,l=null,s="GENERIC_ERROR";a.GetString=t,a.GetErrorString=e,a.GetUrl=o}(),function(){var r=window,n=r.$Config||{};r.$B=n.browser||{}}();

//]]></script>

    <style type="text/css">
        #hero-image-container
        {
            background-image: url('https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/default_signin_illustration.png');
        }
    </style>
</head>

<body class="ltr" style="display: none">
    <script type="text/javascript">//<![CDATA[
!function(){var o=window,l=o.document,n=o.$Config||{};o.self===o.top?l.body.style.display="block":n.allowFrame||(o.top.location=o.self.location)}();

//]]></script>
    <script src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/jquery.1.11.min.js"></script>

    <script src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/aad.login.proxy.min.js"></script>

    <script type="text/javascript">//<![CDATA[
!function(){var e=window,t=e.document,i=e.navigator,a=e.$Config;if(i.userAgent.match(/IEMobile\/10\.0/)){var n=t.createElement("style");n.appendChild(t.createTextNode("@@-ms-viewport{width:auto!important}")),n.appendChild(t.createTextNode("@@-ms-viewport{height:auto!important}")),t.getElementsByTagName("head")[0].appendChild(n)}else if((i.userAgent.match(/iPad/)||i.userAgent.match(/iPhone/))&&e.innerWidth)try{var r=t.querySelector("meta[name=viewport]");r.setAttribute("content","width="+e.innerWidth+", initial-scale=1.0, maximum-scale=1.0"),e.onresize=function(){r.setAttribute("content","width="+e.innerWidth+", initial-scale=1.0, maximum-scale=1.0")}}catch(o){}var l=!!("ontouchstart"in window)||i.msMaxTouchPoints>0;if(!l&&!a.isMetro2Ux){var d="hovereffect";if(!t.getElementById(d)){var m=t.getElementsByTagName("head")[0],h=t.createElement("link");h.id=d,h.rel="stylesheet",h.type="text/css",h.href=e.GetUrl("Style.LoginHover"),h.media="all",m.appendChild(h)}}}();

//]]></script>
    


    <div id="maincontent">
        <div id="hero-image-panel">
            <div id="hero-image-container" class="animation-opacity"></div>
        </div>
        <div id="workload-panel">
            

<noscript>
    <style>
        body { display: block; }
    </style>              
    <div class="h2 no-js"><H1>We can't sign you in</H1><p>Your browser is currently set to block JavaScript. You need to allow JavaScript to use this service.</p><p>To learn how to allow JavaScript or to find out whether your browser supports JavaScript, check the online help in your web browser.</p></div>
</noscript>
<div id="no-cookie-section" class="no-cookie no-display"> 
    <div class="h3 no-cookie"><H1>We can't sign you in</H1><p>Your browser is currently set to block cookies. You need to allow cookies to use this service.</p><p>Cookies are small text files stored on your computer that tell us when you're signed in. To learn how to allow cookies, check the online help in your web browser.</p></div>
</div>

            <div id="legal-section" class="legal-section no-display"></div>
            <div id="login-section" class="login-section">
                <div id="login-section-layout">
                    <div id="logo-panel">
                        

    <div class="text-subheader animation-margin">SNCR-ORBIT</div>

                    </div>
                    <div id="main-panel" class="animation-margin">
                        <div id="main-panel-content">




<div>

    <div id="error-msg-container" class="error_msg no-display alert alert-error">
        <div id ="cta_client_error_text" class="client_error_msg"></div>
    </div>
</div>


<div id="tiles-view" class="no-display">
    <div class="text-body">Which account do you want to use?</div>
    <div id="tiles-container" class="tilesContainer"></div>

    <div class="marginTop no-display">
        <input id="tiles-cancel-button" value="Cancel" class="btn marginTop" type="button" />
    </div>
</div>
<a id="menu-container" class="no-display"></a>

<div id="disambig-view" class="no-display">
    <div id="disambig-desc" class="text-body no-display"></div>
    <div id="splitter-tiles-container" class="tilesContainer"></div>

    <div class="marginTop no-display">
        <input id="disambig-back-button" value="Back" class="btn marginTop" type="button" />
    </div>

    <div class="marginTop no-display">
        <input id="disambig-cancel-button" value="Cancel" class="btn marginTop" type="button" />
    </div>

    <div id="disambigHelpContainer" class="stdMarginTop">
        
        Tired of seeing this? <a href="#" id="iDisambigRenameLink">Rename your personal Microsoft account.</a>
    </div>
</div>

<div id="redirect-view" class="no-display">
    <div id="redirect-dots-animation" class="progress">
        <div class="pip"></div>
        <div class="pip"></div>
        <div class="pip"></div>
        <div class="pip"></div>
        <div class="pip"></div>
    </div>

    <div id="redirect-message-container">
        <div>
            <span id="redirect-message-text-org" class="no-display">We&#39;re taking you to your organization&#39;s sign-in page.</span>
            <span id="redirect-message-text-msa" class="no-display">We‘re taking you to the Microsoft account sign-in page.</span>
            <span id="redirect-message-text-pta" class="no-display">Trying to sign you in</span>
            
            <span id="redirect-message-text-cloudfed" class="no-display">We&#39;re taking you to your organization&#39;s sign-in page.</span>
            <a id="redirect-cancel-link" href="#">Cancel</a>
        </div>
    </div>
</div>

<div id="login-view" class="login-view no-display">
    <form id="credentials" method="post" action="/common/login">
        <div class="row" id="login-label">
            <div class="text-caption">Work or school, or personal Microsoft account</div>
        </div>

        <div id="cred-userid-container" class="row">
            <div class="form-group col-xs-24">
                <input id="cred-userid-inputtext"
                       class="required email form-control"
                       type="email"
                       name="login"
                       placeholder="Email or phone"
                       spellcheck="false"
                       alt="Email or phone"
                       aria-label="User account"
                       value=""
                       autocomplete="off" />
            </div>
        </div>

        <div id="fixed-userid-container" class="row no-display"></div>

        <div id="cred-password-container" class="row">
            <div class="form-group col-xs-24">
                <input id="cred-password-inputtext"
                       class="required field form-control"
                       type="password"
                       name="passwd"
                       placeholder="Password"
                       spellcheck="false"
                       aria-label="Password"
                       alt="Password" />
            </div>
        </div>

            <div class="col-xs-24 form-group checkbox">
                <label>
                    <input id="cred_keep_me_signed_in_checkbox" type="checkbox" value="0" name="persist">
                    <span id="keep_me_signed_in_label_text">Keep me signed in</span>
                </label>
            </div>

        <div class="text-body btn-group">
            <input id="submit-button"
                   value="Sign in"
                   class="btn btn-primary"
                   type="submit" />

            
            <input id="login-back-button"
                   value="Back"
                   class="btn no-display"
                   type="button" />

            
            <input id="login-cancel-button"
                   value="Cancel"
                   class="btn no-display"
                   type="button" />
        </div>

        <input type="hidden" name="ctx" value="rQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0" />
        <input type="hidden" name="flowToken" value="AQABAAEAAADRNYRQ3dhRSrm-4K-adpCJoxiQE5ooDmgh417ZPMuvz-kARYED95fQSs7PMx7H_InU4izTOaleIsjHjF8PjcX1W0c_RwcEOn6Ww39Xes1DjjCFl_iGY3O_PCg_GiRCDrMqjgcfZR56wuKRovm0MyIpu3sye-XDWaL5zJ3Nl0-C7qNpro7rra91Yy7SV178B-QlLMTrGLtUiSZ7zW8CEpPmzShWzrmvZ4nBtJiGhO-PRCAA" />
        <input type="hidden" name="canary" value="/sGean8v0UM6VNIfq8YG5u+D9t2mB6wj55b3SvLczjY=6:1"/> 
        <input type="hidden" name="dssoToken" id="dssoToken" /> 
    </form>



    <div id="login-cred-options-container" class="row">
            <div id="forgot-password-container" class="col-xs-24 stdMarginTop">
                <a href="#" id="forgot-password-title">Can’t access your account?</a>
                <div id="forgot-password-content" class="forgot-password-content no-display stdMarginTop">
                    <div>What kind of account do you have?</div>
                    <div class="col-xs-24">
                        <div class="stdMarginTop">
                            <a id="cred_msa_forgot_password_link" href="https://account.live.com/password/reset?wreply=https:%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0">Personal account</a>
                        </div>
                        <div class="stdMarginTop">
                            <a id="cred_forgot_password_link" href="https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0&amp;mkt=en-US&amp;hosted=0">Work or school account</a>
                        </div>
                    </div>
                </div>
            </div>
                <div class="col-xs-24 stdMarginTop">
                    <a href="#" id="show-other-options-link">Other sign in options</a>
                </div>
                    <div id="signup-link-container" class="col-xs-24 stdMarginTop">
                        <a id="signup-link-v2" href="#">Get a new account</a>
                    </div>

        <div class="row no-display">
            <div id="boiler_plate" class="col-xs-24 text-caption"></div>
        </div>
    </div>
</div>

<div id="other-options-view" class="no-display">
    <div class="row">
        <div class="text-subtitle col-xs-24">Personal account</div>
    </div>

    <div class="row">
        <div class="col-xs-24 text-base">
            <img class="dialer-icon" src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/dialpad_32x32.png" />
            <a id="other-options-link" href="#">Sign in with a single-use code</a>
        </div>
    </div>

    <div class="row">
        
        <div class="col-xs-24">Sign in to your personal Microsoft account without entering your password. This helps protect your account when you're using someone else's device. <a href='#' id='single-use-learn-more'>Learn More</a></div>
    </div>


    <div class="row marginTop">
        <div class="col-xs-24 btn-group">
            <input id="other-options-back-button" type="button" class="btn" value="Back" />
        </div>
    </div>
</div>

<iframe id="msa-me-control-frame" class="no-display"></iframe></div>
                    </div>
                    <div id="footer-panel">


<div id="footer_links_container" class="login_footer_container">
    <div class="footer_inner_container">
        <table id="footer_table" class="footer_block">
                <tr>
                    <td>
                        <div>
                            <div class="corporate_footer">
                                    <div>
                                        <span class="footer_link text-caption" id="footer_copyright_link">
&#169; 2016 Microsoft                                        </span>
                                    </div>
                                    <div>
                                        <span class="footer_link">
                                            <a class="text-caption" id="footer_link_terms" href="https://login.microsoftonline.com/termsofuse" target="_blank">Terms of use</a>
                                        </span>
                                        <span class="footer_link">
                                            <a class="text-caption" id="footer_link_privacy" href="https://login.microsoftonline.com/privacy" target="_blank">Privacy &amp; Cookies</a>
                                        </span>
                                    </div>
                            </div>
                        </div>
                    </td>
                    <td>
                        <div class="footer_glyph">
                            <img src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/microsoft_logo.png" alt="Microsoft account symbol" />
                        </div>
                    </td>
                </tr>
        </table>
    </div>
</div>
<div id="login_prefetch_container" class="no-display">
</div>
                    </div>
                    <div id="legal-panel" class="legal_container no-display"></div>
                </div>
            </div>
        </div>
    </div>
</body>
</html> at position 29776.
	at org.pac4j.oidc.client.OidcClient.internalInit(OidcClient.java:278)
	at org.pac4j.core.util.InitializableWebObject.init(InitializableWebObject.java:24)
	at org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:77)
	at org.pac4j.core.client.IndirectClient.redirect(IndirectClient.java:44)
	at org.pac4j.core.engine.DefaultSecurityLogic.redirectToIdentityProvider(DefaultSecurityLogic.java:252)
	at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:145)
	at org.pac4j.springframework.security.web.SecurityFilter.doFilter(SecurityFilter.java:50)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:106)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
	at org.springframework.security.web.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:90)
	at org.springframework.security.web.debug.DebugFilter.doFilter(DebugFilter.java:77)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:497)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:245)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	at java.lang.Thread.run(Thread.java:745)
Caused by: com.nimbusds.oauth2.sdk.ParseException: Invalid JSON: Unexpected token <!DOCTYPE html>
<html dir="ltr">
<head>
    <title>Sign in to your account</title>
    <meta name="PageSrc" content="_Login" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Expires" content="-1">
    <meta name="PageID" content="SignIn" />
    <meta name="SiteID" content="" />
    <meta name="ReqLC" content="1033" />
    <meta name="LocLC" content="en-US" />
    <meta name="mswebdialog-newwindowurl" content="*" />

    <link href="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/proxy.min.css" rel="stylesheet" />


        <link rel="shortcut icon" href="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/favicon_a.ico" />
    <script type="text/javascript">//<![CDATA[
$Config={"cobranding":{"base":"app","label":"Work or school, or personal Microsoft account","labelTenant":"Sign in to SNCR-ORBIT","active":"app","initial":"app","app":{"Illustration":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/default_signin_illustration.png","BannerLogo":"","LogoText":"SNCR-ORBIT","BackroundColor":"#0072C6","BoilerPlateText":""},"tenant":{}},"tiles":{"aadUsers":[],"msaUsers":[],"users":[],"otherUser":{"name":"Use another account","login":"","imageAAD":"use_another_account.png","imageMSA":"use_another_account.png","isLive":false,"link":"other","authUrl":"","sessionID":"","domainHint":"other"},"splitterTilesUsers":[{"id":"aad","name":"Work or school account","login":"Created by your IT department","image":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/work_account.png"},{"id":"msa","name":"Personal account","login":"Created by you","image":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/personal_account.png"}]},"constants":{"dbgMessages":[],"MEMBER_NAME":"","FEDERATION_QUERY_PARAMETERS":"?client-request-id=dd5fe9fa-7091-4e70-b74e-b8cd028fa967\u0026username=\u0026wa=wsignin1.0\u0026wtrealm=urn%3afederation%3aMicrosoftOnline\u0026wctx=estsredirect%3d2%26estsrequest%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0","CONTEXT":"rQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0","BASE_URL":"/common/reprocess?","LATENCY_THRESHOLD":2000,"CDN_IMAGE_PATH":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/","IS_USE_OTHER_ACCOUNT_VISIBLE":true,"MAX_USER_TILES":5,"PARTNER_NAME":"Sign in with your work or school account","METRICS_MODE":1,"TokenizedStringMsgs":{"GENERIC_ERROR":"\u003cH1\u003eSorry, but we\u0027re having trouble signing you in\u003c/H1\u003e\u003cp\u003ePlease try again in a few minutes. If this doesn\u0027t work, you might want to contact your admin and report the following error: #~#ErrorCode#~#.\u003c/p\u003e","UPN_DISAMBIGUATE_MESSAGE":"It looks like {0} is used with more than one account. Which account do you want to use?"},"REALM_RESOLVER_URL":"/common/userrealm/","FORCED_SIGN_IN":false,"MSA_AUTH_URL":"https://login.live.com/oauth20_authorize.srf?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3\u0026scope=openid+profile\u0026response_type=id_token\u0026display=touch\u0026uaid=dd5fe9fa70914e70b74eb8cd028fa967\u0026msproxy=1\u0026issuer=mso\u0026ui_locales=en-US","isCxhRequest":false,"isAdalRequest":false,"IS_NAME_COEXISTENCE_ACCOUNT":false,"adalUxOverride":false,"cancelRedirectUrl":"https://localhost:19999/callback?error=access_denied\u0026error_subcode=cancel","IS_MSA_FED_SUPPORTED":false,"IS_MSA_PHONE_USERNAME_SUPPORTED":true,"IS_MSA_REDIR_SUPPORTED":false,"MSA_DOMAIN":"live.com","PROMPT":"","USERNAME_HINT_TEXT":"Email or phone","IS_LOGOUT_REQUEST":false,"SHOULD_HIDE_SIGNUP":false,"USE_DARK_TILE_LOGO":false,"HAS_ERROR":false,"IS_MOBILE":false,"mobileWidthThreshold":600,"SIGNOUTFORGET_URL_TEMPLATE":"/uxlogout?sessionId={0}\u0026shouldForgetUser={1}","IS_HOLOGRAPHIC":false,"savedTiles":{"otherJSON":{"name":"Use another account","login":"","imageAAD":"other_glyph.png","imageMSA":"other_glyph.png","isLive":false,"link":"other","authUrl":"","sessionID":"","domainHint":"other"}},"Use_Client_Check_Msa_Flag":true,"isDebugMode":false,"request":{"uaid":"dd5fe9fa70914e70b74eb8cd028fa967","issuerIdentifier":"mso","isProxyRequest":true,"isMsaSupported":true},"Locale":"en-US","responseMode":"NotSpecified","useFormPostResponseMode":true,"appRedirectUrl":"https://login.live.com/oauth20_authorize.srf?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3\u0026amp;scope=openid+profile\u0026amp;response_type=id_token\u0026amp;display=touch\u0026amp;uaid=dd5fe9fa70914e70b74eb8cd028fa967\u0026amp;msproxy=1\u0026amp;issuer=mso\u0026amp;ui_locales=en-US","msaSignupUrl":"https://login.live.com/oauth20_authorize.srf?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3\u0026amp;scope=openid+profile\u0026amp;response_type=id_token\u0026amp;display=touch\u0026amp;uaid=dd5fe9fa70914e70b74eb8cd028fa967\u0026amp;msproxy=1\u0026amp;issuer=mso\u0026amp;ui_locales=en-US\u0026amp;signup=1\u0026amp;lw=1\u0026amp;fl=easi2","IsB2CScenario":false,"showTilesOnPageLoad":true,"isDesktopSsoEnabled":false,"OnPremPasswordValidationConfig":{"IsPollingEnabled":false,"IsPollingRequired":false,"PollUrl":"/common/onpremvalidation/Poll","MaxPolls":20,"PollingInterval":500,"Timeout":15000,"FlowToken":"AQABAAEAAADRNYRQ3dhRSrm-4K-adpCJoxiQE5ooDmgh417ZPMuvz-kARYED95fQSs7PMx7H_InU4izTOaleIsjHjF8PjcX1W0c_RwcEOn6Ww39Xes1DjjCFl_iGY3O_PCg_GiRCDrMqjgcfZR56wuKRovm0MyIpu3sye-XDWaL5zJ3Nl0-C7qNpro7rra91Yy7SV178B-QlLMTrGLtUiSZ7zW8CEpPmzShWzrmvZ4nBtJiGhO-PRCAA"},"windowsAuthenticationRequestTimeoutInMs":0},"scid":1013,"hpgact":1800,"hpgid":1000,"pgid":"SignIn","apiCanary":"AQABAAAAAADRNYRQ3dhRSrm-4K-adpCJ693fJHJVb6GCUZW2LtAowaKQ4C7zkN2kpUENr6Y0XgDIGcn2QF9NTGgpblAqrlB-vr6Hopf6-bBQQPNfwGZmOrj9bu-PafczdtFKeqkY92LAyJkq5wesw2WtJ6Wgana9yp1kH_6TA-_qP4n0zlRcwOGDIQXvzwyLGi0gT-5gJRyuNOgFv_0uGnnRO6EogkZZTTsQP1xE65pUDwBu2CEg4iAA","canary":"/sGean8v0UM6VNIfq8YG5u+D9t2mB6wj55b3SvLczjY=6:1","correlationId":"dd5fe9fa-7091-4e70-b74e-b8cd028fa967","locale":{"lc":"en-US","isRtl":false,"lcid":1033},"strings":{"msa":{"label":"(Microsoft account)","account":{"imgalttext":"Microsoft account symbol","tilealttext":"Microsoft account for {0}"},"redirect":"We‘re taking you to the Microsoft account sign-in page."},"aad":{"account":{"imgalttext":"Work or school account symbol","tilealttext":"Work or school account for {0}"},"redirect":"We\u0027re taking you to your organization\u0027s sign-in page."},"cloudfed":{"redirect":"We\u0027re taking you to your organization\u0027s sign-in page."},"otheraccounttext":"Use another account","clickformore":"Click for more actions","connectedtowindows":"Connected to Windows","signedin":"Signed in","clicktosignin":"","signingout":"Signing out...","accountimagealttext":"User account image","header":{"text":{"username":"Sign in with your work account","password":"Enter your password","privacy":"Privacy statement"}},"disambiguation":{"description":"It looks like {0} is used with more than one account. Which account do you want to use?","timeout":"We\u0027re having trouble locating your account. Which type of account do you want to use?"},"fido20":{"getassertionuserprompt":"Use your PIN or Windows Hello to prove you own {0}"},"errors":{"30136":"Type the email address of the account you want to sign in with.","30064":{"title":"This doesn\u0027t look like a valid user ID","description":"Your user ID should look like an email address, for example som...@contoso.com or som...@contoso.onmicrosoft.com."},"30008":"Sign in to {0}","30067":"\u003cH1\u003eWe don\u0027t recognize this user ID or password\u003c/H1\u003e\u003cp\u003eBe sure to type the password for your work or school account.\u003c/p\u003e","30068":{"title":"\u003cH1\u003e{0} isn\u0027t in our system\u003c/H1\u003e\u003cp\u003eMake sure you typed your email address correctly. It usually looks like som...@example.com or som...@example.onmicrosoft.com\u003c/p\u003e","description":"Make sure you typed your email address correctly. It usually looks like som...@example.com or som...@example.onmicrosoft.com"},"30111":"Please enter your password.","30127":"To sign in, start by entering a user ID.","30140":"We\u0027re having trouble locating your account. Which type of account do you want to use?","30145":"Check the email address you entered. You may have mistyped it.","30146":{"title":"We couldn\u0027t find an account with that email address.","description":"Enter a different email address or \u003ca id=\u0022user-not-found-link\u0022 href=\u0022#\u0022\u003eget a new Microsoft account\u003c/a\u003e."},"30168":{"title":"We don\u0027t recognize this domain name","description":"Make sure you typed your organization\u0027s domain name correctly. It usually looks like @example.com or @example.onmicrosoft.com."},"30173":"Which type of account do you want to sign in with?","30200":"You may still be signed in to some applications. Close your browser to finish signing out.","catchall":"We didn\u0027t receive a response. Please try again."}},"enums":{"ClientMetricsModes":{"None":0,"SubmitOnPost":1,"SubmitOnRedirect":2,"InstrumentPlt":4},"NameSpaceType":{"None":0,"Managed":1,"Federated":2},"ErrorCodes":{"None":0,"ForceSignIn":2147749900,"NotAuthorized":2147762210,"SltRedemptionFailed":2147771649}},"urls":{"disambighelpurl":"https://go.microsoft.com/fwlink/p/?LinkID=733247","msa":{"meurl":"https://login.live.com/Me.srf?wa=wsignin1.0\u0026idpflag=direct\u0026wreply=","oauthauthorizeurl":"https://login.live.com/oauth20_authorize.srf","signouturl":"https://login.live.com/login.srf?wa=wsignout1.0\u0026wreply=","passwordreseturl":"https://account.live.com/password/reset?wreply=https:%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0","manageaccounturl":"https://account.microsoft.com","singleusecode":"http://windows.microsoft.com/en-US/windows-live/sign-in-single-use-code"},"style":{"loginhover":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/login_hover.min.css"}},"browser":{"ltr":1,"_Other":1,"Full":1,"RE_Other":1,"b":{"name":"Other","major":-1,"minor":-1.0},"os":{"name":"Other","version":""},"V":-1},"watson":{"enabled":true,"bundle":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/watson.min.js","sbundle":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/watsonsupport.min.js","resetErrorPeriod":5,"maxCorsScriptError":2,"maxErrorsPerPage":10},"serverDetails":{"slc":"ProXXXXnA","dc":"BL2","ri":"ESTXXXX_171","ver":{"v":[2,1,4653,2]},"rt":"2016-09-01T04:42:11"}};
//]]></script>

    
    <script type="text/javascript">//<![CDATA[
!function(){function r(r,o,a){function i(){var r=!!u.method,e=r?u.method:a[2],i=t.$WebWatson;try{e.apply(o,n(a,!r))}catch(l){return void(i&&i.submitFromException&&i.submitFromException(l))}}var u=e.r&&e.r[r];return o=o?o:this,u&&(u.skipTimeout?i():t.setTimeout(i,0)),u}function n(r,n){return Array.prototype.slice.call(r,n?3:2)}var t=window;t.$Do||(t.$Do={q:[],r:[],removeItems:[],lock:0});var e=t.$Do;e.when=function(n,t){r(n,t,arguments)||e.q.push({id:n,c:t,a:arguments})},e.register=function(n,t,o){if(!e.r[n]){e.r[n]={method:t,skipTimeout:o},e.lock++;try{for(var a=0;a<e.q.length;a++){var i=e.q[a];i.id==n&&r(n,i.c,0,i.a)&&e.removeItems.push(i)}}catch(u){throw u}finally{if(e.lock--,0===e.lock){for(var l=0;l<e.removeItems.length;l++)e.q.remove(e.removeItems[l]);e.removeItems=[]}}}},e.unregister=function(r){e.r[r]&&delete e.r[r]}}(),function(){function r(r,n,t){var e=d.createElement("script");e.id=n,e.type="text/javascript",e.setAttribute("src",r),e.defer=!1,e.async=!1,e.onload=t,e.onerror=o,e.onreadystatechange=function(){"loaded"===e.readyState&&t()};var a=d.getElementsByTagName("head")[0];a.appendChild(e)}function n(){var n=v.bundle;v.bundle=null,delete v.bundle,r(n,"WebWatson_DemandLoaded",e)}function t(){g||(c.jQuery?n():r(v.sbundle,"WebWatson_DemandSupport",n),v.sbundle&&(v.sbundle=null,delete v.sbundle),g=!0)}function e(){if(c.$WebWatson){if(c.$WebWatson.isProxy)return void o();for(;m.length>0;){var r=m.shift();r&&c.$WebWatson[r.cmdName].apply(c.$WebWatson,r.args)}}}function o(){var r=c.$WebWatson?c.$WebWatson.isProxy:!0;a(),v.loadErrorUrl&&r&&window.location.assign(v.loadErrorUrl)}function a(){m=[],c.$WebWatson=null}function i(r){return function(){var n=arguments;m.push({cmdName:r,args:n}),t()}}function u(){var r=["foundException","resetException","submit","submitFromException","showError"],n=this;n.isProxy=!0;for(var t=r.length,e=0;t>e;e++){var o=r[e];o&&(n[o]=i(o))}}function l(r,n,t,e,o,a,i,u,l){a||(a=s(i?i+2:2)),b.submit(r,n,t,e,o,a,i,u,l)}function s(r){var n=[],t=arguments.callee;try{for(;r>0;)t=t?t.caller:t,r--;for(var e=0;t&&h>e;){var o="InvalidMethod()";try{o=t.toString()}catch(a){}var i=[],u=t.args||t.arguments;if(u)for(var l=0;l<u.length;l++)i[l]=u[l];n.push({signature:o,args:i,toString:function(){return this.signature}}),t=t.caller,e++}}catch(a){}return n}var c=window,d=c.document,f=c.$Config||{},v=f.watson;if(!c.$WebWatson&&v&&v.enabled){var m=[],g=!1,h=10,b=c.$WebWatson=new u;b.CB={},b._orgErrorHandler=c.onerror,c.onerror=l,b.errorHooked=!0}}(),function(){function r(r,n){for(var t=n.split("."),e=t.length,o=0;e>o&&null!==r&&void 0!==r;)r=r[t[o++]];return r}function n(n){var t=null;return null===l&&(l=r(a,"Constants")),null!==l&&n&&(t=r(l,n)),null===t||void 0===t?"":t.toString()}function t(t){var e=null;return null===i&&(i=r(a,"$Config.strings")),null!==i&&t&&(e=r(i,t.toLowerCase())),(null===e||void 0===e)&&(e=n(t)),null===e||void 0===e?"":e.toString()}function e(r,n){var e=null;return r&&n&&n[r]&&(e=t("errors."+n[r])),e||(e=t("errors."+r)),e||(e=t("errors."+s)),e||(e=t(s)),e}function o(t){var e=null;return null===u&&(u=r(a,"$Config.urls")),null!==u&&t&&(e=r(u,t.toLowerCase())),(null===e||void 0===e)&&(e=n(t)),null===e||void 0===e?"":e.toString()}var a=window,i=null,u=null,l=null,s="GENERIC_ERROR";a.GetString=t,a.GetErrorString=e,a.GetUrl=o}(),function(){var r=window,n=r.$Config||{};r.$B=n.browser||{}}();

//]]></script>

    <style type="text/css">
        #hero-image-container
        {
            background-image: url('https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/default_signin_illustration.png');
        }
    </style>
</head>

<body class="ltr" style="display: none">
    <script type="text/javascript">//<![CDATA[
!function(){var o=window,l=o.document,n=o.$Config||{};o.self===o.top?l.body.style.display="block":n.allowFrame||(o.top.location=o.self.location)}();

//]]></script>
    <script src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/jquery.1.11.min.js"></script>

    <script src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/aad.login.proxy.min.js"></script>

    <script type="text/javascript">//<![CDATA[
!function(){var e=window,t=e.document,i=e.navigator,a=e.$Config;if(i.userAgent.match(/IEMobile\/10\.0/)){var n=t.createElement("style");n.appendChild(t.createTextNode("@@-ms-viewport{width:auto!important}")),n.appendChild(t.createTextNode("@@-ms-viewport{height:auto!important}")),t.getElementsByTagName("head")[0].appendChild(n)}else if((i.userAgent.match(/iPad/)||i.userAgent.match(/iPhone/))&&e.innerWidth)try{var r=t.querySelector("meta[name=viewport]");r.setAttribute("content","width="+e.innerWidth+", initial-scale=1.0, maximum-scale=1.0"),e.onresize=function(){r.setAttribute("content","width="+e.innerWidth+", initial-scale=1.0, maximum-scale=1.0")}}catch(o){}var l=!!("ontouchstart"in window)||i.msMaxTouchPoints>0;if(!l&&!a.isMetro2Ux){var d="hovereffect";if(!t.getElementById(d)){var m=t.getElementsByTagName("head")[0],h=t.createElement("link");h.id=d,h.rel="stylesheet",h.type="text/css",h.href=e.GetUrl("Style.LoginHover"),h.media="all",m.appendChild(h)}}}();

//]]></script>
    


    <div id="maincontent">
        <div id="hero-image-panel">
            <div id="hero-image-container" class="animation-opacity"></div>
        </div>
        <div id="workload-panel">
            

<noscript>
    <style>
        body { display: block; }
    </style>              
    <div class="h2 no-js"><H1>We can't sign you in</H1><p>Your browser is currently set to block JavaScript. You need to allow JavaScript to use this service.</p><p>To learn how to allow JavaScript or to find out whether your browser supports JavaScript, check the online help in your web browser.</p></div>
</noscript>
<div id="no-cookie-section" class="no-cookie no-display"> 
    <div class="h3 no-cookie"><H1>We can't sign you in</H1><p>Your browser is currently set to block cookies. You need to allow cookies to use this service.</p><p>Cookies are small text files stored on your computer that tell us when you're signed in. To learn how to allow cookies, check the online help in your web browser.</p></div>
</div>

            <div id="legal-section" class="legal-section no-display"></div>
            <div id="login-section" class="login-section">
                <div id="login-section-layout">
                    <div id="logo-panel">
                        

    <div class="text-subheader animation-margin">SNCR-ORBIT</div>

                    </div>
                    <div id="main-panel" class="animation-margin">
                        <div id="main-panel-content">




<div>

    <div id="error-msg-container" class="error_msg no-display alert alert-error">
        <div id ="cta_client_error_text" class="client_error_msg"></div>
    </div>
</div>


<div id="tiles-view" class="no-display">
    <div class="text-body">Which account do you want to use?</div>
    <div id="tiles-container" class="tilesContainer"></div>

    <div class="marginTop no-display">
        <input id="tiles-cancel-button" value="Cancel" class="btn marginTop" type="button" />
    </div>
</div>
<a id="menu-container" class="no-display"></a>

<div id="disambig-view" class="no-display">
    <div id="disambig-desc" class="text-body no-display"></div>
    <div id="splitter-tiles-container" class="tilesContainer"></div>

    <div class="marginTop no-display">
        <input id="disambig-back-button" value="Back" class="btn marginTop" type="button" />
    </div>

    <div class="marginTop no-display">
        <input id="disambig-cancel-button" value="Cancel" class="btn marginTop" type="button" />
    </div>

    <div id="disambigHelpContainer" class="stdMarginTop">
        
        Tired of seeing this? <a href="#" id="iDisambigRenameLink">Rename your personal Microsoft account.</a>
    </div>
</div>

<div id="redirect-view" class="no-display">
    <div id="redirect-dots-animation" class="progress">
        <div class="pip"></div>
        <div class="pip"></div>
        <div class="pip"></div>
        <div class="pip"></div>
        <div class="pip"></div>
    </div>

    <div id="redirect-message-container">
        <div>
            <span id="redirect-message-text-org" class="no-display">We&#39;re taking you to your organization&#39;s sign-in page.</span>
            <span id="redirect-message-text-msa" class="no-display">We‘re taking you to the Microsoft account sign-in page.</span>
            <span id="redirect-message-text-pta" class="no-display">Trying to sign you in</span>
            
            <span id="redirect-message-text-cloudfed" class="no-display">We&#39;re taking you to your organization&#39;s sign-in page.</span>
            <a id="redirect-cancel-link" href="#">Cancel</a>
        </div>
    </div>
</div>

<div id="login-view" class="login-view no-display">
    <form id="credentials" method="post" action="/common/login">
        <div class="row" id="login-label">
            <div class="text-caption">Work or school, or personal Microsoft account</div>
        </div>

        <div id="cred-userid-container" class="row">
            <div class="form-group col-xs-24">
                <input id="cred-userid-inputtext"
                       class="required email form-control"
                       type="email"
                       name="login"
                       placeholder="Email or phone"
                       spellcheck="false"
                       alt="Email or phone"
                       aria-label="User account"
                       value=""
                       autocomplete="off" />
            </div>
        </div>

        <div id="fixed-userid-container" class="row no-display"></div>

        <div id="cred-password-container" class="row">
            <div class="form-group col-xs-24">
                <input id="cred-password-inputtext"
                       class="required field form-control"
                       type="password"
                       name="passwd"
                       placeholder="Password"
                       spellcheck="false"
                       aria-label="Password"
                       alt="Password" />
            </div>
        </div>

            <div class="col-xs-24 form-group checkbox">
                <label>
                    <input id="cred_keep_me_signed_in_checkbox" type="checkbox" value="0" name="persist">
                    <span id="keep_me_signed_in_label_text">Keep me signed in</span>
                </label>
            </div>

        <div class="text-body btn-group">
            <input id="submit-button"
                   value="Sign in"
                   class="btn btn-primary"
                   type="submit" />

            
            <input id="login-back-button"
                   value="Back"
                   class="btn no-display"
                   type="button" />

            
            <input id="login-cancel-button"
                   value="Cancel"
                   class="btn no-display"
                   type="button" />
        </div>

        <input type="hidden" name="ctx" value="rQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0" />
        <input type="hidden" name="flowToken" value="AQABAAEAAADRNYRQ3dhRSrm-4K-adpCJoxiQE5ooDmgh417ZPMuvz-kARYED95fQSs7PMx7H_InU4izTOaleIsjHjF8PjcX1W0c_RwcEOn6Ww39Xes1DjjCFl_iGY3O_PCg_GiRCDrMqjgcfZR56wuKRovm0MyIpu3sye-XDWaL5zJ3Nl0-C7qNpro7rra91Yy7SV178B-QlLMTrGLtUiSZ7zW8CEpPmzShWzrmvZ4nBtJiGhO-PRCAA" />
        <input type="hidden" name="canary" value="/sGean8v0UM6VNIfq8YG5u+D9t2mB6wj55b3SvLczjY=6:1"/> 
        <input type="hidden" name="dssoToken" id="dssoToken" /> 
    </form>



    <div id="login-cred-options-container" class="row">
            <div id="forgot-password-container" class="col-xs-24 stdMarginTop">
                <a href="#" id="forgot-password-title">Can’t access your account?</a>
                <div id="forgot-password-content" class="forgot-password-content no-display stdMarginTop">
                    <div>What kind of account do you have?</div>
                    <div class="col-xs-24">
                        <div class="stdMarginTop">
                            <a id="cred_msa_forgot_password_link" href="https://account.live.com/password/reset?wreply=https:%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0">Personal account</a>
                        </div>
                        <div class="stdMarginTop">
                            <a id="cred_forgot_password_link" href="https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0&amp;mkt=en-US&amp;hosted=0">Work or school account</a>
                        </div>
                    </div>
                </div>
            </div>
                <div class="col-xs-24 stdMarginTop">
                    <a href="#" id="show-other-options-link">Other sign in options</a>
                </div>
                    <div id="signup-link-container" class="col-xs-24 stdMarginTop">
                        <a id="signup-link-v2" href="#">Get a new account</a>
                    </div>

        <div class="row no-display">
            <div id="boiler_plate" class="col-xs-24 text-caption"></div>
        </div>
    </div>
</div>

<div id="other-options-view" class="no-display">
    <div class="row">
        <div class="text-subtitle col-xs-24">Personal account</div>
    </div>

    <div class="row">
        <div class="col-xs-24 text-base">
            <img class="dialer-icon" src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/dialpad_32x32.png" />
            <a id="other-options-link" href="#">Sign in with a single-use code</a>
        </div>
    </div>

    <div class="row">
        
        <div class="col-xs-24">Sign in to your personal Microsoft account without entering your password. This helps protect your account when you're using someone else's device. <a href='#' id='single-use-learn-more'>Learn More</a></div>
    </div>


    <div class="row marginTop">
        <div class="col-xs-24 btn-group">
            <input id="other-options-back-button" type="button" class="btn" value="Back" />
        </div>
    </div>
</div>

<iframe id="msa-me-control-frame" class="no-display"></iframe></div>
                    </div>
                    <div id="footer-panel">


<div id="footer_links_container" class="login_footer_container">
    <div class="footer_inner_container">
        <table id="footer_table" class="footer_block">
                <tr>
                    <td>
                        <div>
                            <div class="corporate_footer">
                                    <div>
                                        <span class="footer_link text-caption" id="footer_copyright_link">
&#169; 2016 Microsoft                                        </span>
                                    </div>
                                    <div>
                                        <span class="footer_link">
                                            <a class="text-caption" id="footer_link_terms" href="https://login.microsoftonline.com/termsofuse" target="_blank">Terms of use</a>
                                        </span>
                                        <span class="footer_link">
                                            <a class="text-caption" id="footer_link_privacy" href="https://login.microsoftonline.com/privacy" target="_blank">Privacy &amp; Cookies</a>
                                        </span>
                                    </div>
                            </div>
                        </div>
                    </td>
                    <td>
                        <div class="footer_glyph">
                            <img src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/microsoft_logo.png" alt="Microsoft account symbol" />
                        </div>
                    </td>
                </tr>
        </table>
    </div>
</div>
<div id="login_prefetch_container" class="no-display">
</div>
                    </div>
                    <div id="legal-panel" class="legal_container no-display"></div>
                </div>
            </div>
        </div>
    </div>
</body>
</html> at position 29776.
	at com.nimbusds.oauth2.sdk.util.JSONUtils.parseJSON(JSONUtils.java:32)
	at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.parse(JSONObjectUtils.java:65)
	at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.parse(OIDCProviderMetadata.java:2090)
	at org.pac4j.oidc.client.OidcClient.internalInit(OidcClient.java:256)
	... 41 common frames omitted
Caused by: net.minidev.json.parser.ParseException: Unexpected token <!DOCTYPE html>
<html dir="ltr">
<head>
    <title>Sign in to your account</title>
    <meta name="PageSrc" content="_Login" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes">
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Expires" content="-1">
    <meta name="PageID" content="SignIn" />
    <meta name="SiteID" content="" />
    <meta name="ReqLC" content="1033" />
    <meta name="LocLC" content="en-US" />
    <meta name="mswebdialog-newwindowurl" content="*" />

    <link href="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/proxy.min.css" rel="stylesheet" />


        <link rel="shortcut icon" href="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/favicon_a.ico" />
    <script type="text/javascript">//<![CDATA[
$Config={"cobranding":{"base":"app","label":"Work or school, or personal Microsoft account","labelTenant":"Sign in to SNCR-ORBIT","active":"app","initial":"app","app":{"Illustration":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/default_signin_illustration.png","BannerLogo":"","LogoText":"SNCR-ORBIT","BackroundColor":"#0072C6","BoilerPlateText":""},"tenant":{}},"tiles":{"aadUsers":[],"msaUsers":[],"users":[],"otherUser":{"name":"Use another account","login":"","imageAAD":"use_another_account.png","imageMSA":"use_another_account.png","isLive":false,"link":"other","authUrl":"","sessionID":"","domainHint":"other"},"splitterTilesUsers":[{"id":"aad","name":"Work or school account","login":"Created by your IT department","image":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/work_account.png"},{"id":"msa","name":"Personal account","login":"Created by you","image":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/personal_account.png"}]},"constants":{"dbgMessages":[],"MEMBER_NAME":"","FEDERATION_QUERY_PARAMETERS":"?client-request-id=dd5fe9fa-7091-4e70-b74e-b8cd028fa967\u0026username=\u0026wa=wsignin1.0\u0026wtrealm=urn%3afederation%3aMicrosoftOnline\u0026wctx=estsredirect%3d2%26estsrequest%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0","CONTEXT":"rQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0","BASE_URL":"/common/reprocess?","LATENCY_THRESHOLD":2000,"CDN_IMAGE_PATH":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/","IS_USE_OTHER_ACCOUNT_VISIBLE":true,"MAX_USER_TILES":5,"PARTNER_NAME":"Sign in with your work or school account","METRICS_MODE":1,"TokenizedStringMsgs":{"GENERIC_ERROR":"\u003cH1\u003eSorry, but we\u0027re having trouble signing you in\u003c/H1\u003e\u003cp\u003ePlease try again in a few minutes. If this doesn\u0027t work, you might want to contact your admin and report the following error: #~#ErrorCode#~#.\u003c/p\u003e","UPN_DISAMBIGUATE_MESSAGE":"It looks like {0} is used with more than one account. Which account do you want to use?"},"REALM_RESOLVER_URL":"/common/userrealm/","FORCED_SIGN_IN":false,"MSA_AUTH_URL":"https://login.live.com/oauth20_authorize.srf?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3\u0026scope=openid+profile\u0026response_type=id_token\u0026display=touch\u0026uaid=dd5fe9fa70914e70b74eb8cd028fa967\u0026msproxy=1\u0026issuer=mso\u0026ui_locales=en-US","isCxhRequest":false,"isAdalRequest":false,"IS_NAME_COEXISTENCE_ACCOUNT":false,"adalUxOverride":false,"cancelRedirectUrl":"https://localhost:19999/callback?error=access_denied\u0026error_subcode=cancel","IS_MSA_FED_SUPPORTED":false,"IS_MSA_PHONE_USERNAME_SUPPORTED":true,"IS_MSA_REDIR_SUPPORTED":false,"MSA_DOMAIN":"live.com","PROMPT":"","USERNAME_HINT_TEXT":"Email or phone","IS_LOGOUT_REQUEST":false,"SHOULD_HIDE_SIGNUP":false,"USE_DARK_TILE_LOGO":false,"HAS_ERROR":false,"IS_MOBILE":false,"mobileWidthThreshold":600,"SIGNOUTFORGET_URL_TEMPLATE":"/uxlogout?sessionId={0}\u0026shouldForgetUser={1}","IS_HOLOGRAPHIC":false,"savedTiles":{"otherJSON":{"name":"Use another account","login":"","imageAAD":"other_glyph.png","imageMSA":"other_glyph.png","isLive":false,"link":"other","authUrl":"","sessionID":"","domainHint":"other"}},"Use_Client_Check_Msa_Flag":true,"isDebugMode":false,"request":{"uaid":"dd5fe9fa70914e70b74eb8cd028fa967","issuerIdentifier":"mso","isProxyRequest":true,"isMsaSupported":true},"Locale":"en-US","responseMode":"NotSpecified","useFormPostResponseMode":true,"appRedirectUrl":"https://login.live.com/oauth20_authorize.srf?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3\u0026amp;scope=openid+profile\u0026amp;response_type=id_token\u0026amp;display=touch\u0026amp;uaid=dd5fe9fa70914e70b74eb8cd028fa967\u0026amp;msproxy=1\u0026amp;issuer=mso\u0026amp;ui_locales=en-US","msaSignupUrl":"https://login.live.com/oauth20_authorize.srf?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3\u0026amp;scope=openid+profile\u0026amp;response_type=id_token\u0026amp;display=touch\u0026amp;uaid=dd5fe9fa70914e70b74eb8cd028fa967\u0026amp;msproxy=1\u0026amp;issuer=mso\u0026amp;ui_locales=en-US\u0026amp;signup=1\u0026amp;lw=1\u0026amp;fl=easi2","IsB2CScenario":false,"showTilesOnPageLoad":true,"isDesktopSsoEnabled":false,"OnPremPasswordValidationConfig":{"IsPollingEnabled":false,"IsPollingRequired":false,"PollUrl":"/common/onpremvalidation/Poll","MaxPolls":20,"PollingInterval":500,"Timeout":15000,"FlowToken":"AQABAAEAAADRNYRQ3dhRSrm-4K-adpCJoxiQE5ooDmgh417ZPMuvz-kARYED95fQSs7PMx7H_InU4izTOaleIsjHjF8PjcX1W0c_RwcEOn6Ww39Xes1DjjCFl_iGY3O_PCg_GiRCDrMqjgcfZR56wuKRovm0MyIpu3sye-XDWaL5zJ3Nl0-C7qNpro7rra91Yy7SV178B-QlLMTrGLtUiSZ7zW8CEpPmzShWzrmvZ4nBtJiGhO-PRCAA"},"windowsAuthenticationRequestTimeoutInMs":0},"scid":1013,"hpgact":1800,"hpgid":1000,"pgid":"SignIn","apiCanary":"AQABAAAAAADRNYRQ3dhRSrm-4K-adpCJ693fJHJVb6GCUZW2LtAowaKQ4C7zkN2kpUENr6Y0XgDIGcn2QF9NTGgpblAqrlB-vr6Hopf6-bBQQPNfwGZmOrj9bu-PafczdtFKeqkY92LAyJkq5wesw2WtJ6Wgana9yp1kH_6TA-_qP4n0zlRcwOGDIQXvzwyLGi0gT-5gJRyuNOgFv_0uGnnRO6EogkZZTTsQP1xE65pUDwBu2CEg4iAA","canary":"/sGean8v0UM6VNIfq8YG5u+D9t2mB6wj55b3SvLczjY=6:1","correlationId":"dd5fe9fa-7091-4e70-b74e-b8cd028fa967","locale":{"lc":"en-US","isRtl":false,"lcid":1033},"strings":{"msa":{"label":"(Microsoft account)","account":{"imgalttext":"Microsoft account symbol","tilealttext":"Microsoft account for {0}"},"redirect":"We‘re taking you to the Microsoft account sign-in page."},"aad":{"account":{"imgalttext":"Work or school account symbol","tilealttext":"Work or school account for {0}"},"redirect":"We\u0027re taking you to your organization\u0027s sign-in page."},"cloudfed":{"redirect":"We\u0027re taking you to your organization\u0027s sign-in page."},"otheraccounttext":"Use another account","clickformore":"Click for more actions","connectedtowindows":"Connected to Windows","signedin":"Signed in","clicktosignin":"","signingout":"Signing out...","accountimagealttext":"User account image","header":{"text":{"username":"Sign in with your work account","password":"Enter your password","privacy":"Privacy statement"}},"disambiguation":{"description":"It looks like {0} is used with more than one account. Which account do you want to use?","timeout":"We\u0027re having trouble locating your account. Which type of account do you want to use?"},"fido20":{"getassertionuserprompt":"Use your PIN or Windows Hello to prove you own {0}"},"errors":{"30136":"Type the email address of the account you want to sign in with.","30064":{"title":"This doesn\u0027t look like a valid user ID","description":"Your user ID should look like an email address, for example som...@contoso.com or som...@contoso.onmicrosoft.com."},"30008":"Sign in to {0}","30067":"\u003cH1\u003eWe don\u0027t recognize this user ID or password\u003c/H1\u003e\u003cp\u003eBe sure to type the password for your work or school account.\u003c/p\u003e","30068":{"title":"\u003cH1\u003e{0} isn\u0027t in our system\u003c/H1\u003e\u003cp\u003eMake sure you typed your email address correctly. It usually looks like som...@example.com or som...@example.onmicrosoft.com\u003c/p\u003e","description":"Make sure you typed your email address correctly. It usually looks like som...@example.com or som...@example.onmicrosoft.com"},"30111":"Please enter your password.","30127":"To sign in, start by entering a user ID.","30140":"We\u0027re having trouble locating your account. Which type of account do you want to use?","30145":"Check the email address you entered. You may have mistyped it.","30146":{"title":"We couldn\u0027t find an account with that email address.","description":"Enter a different email address or \u003ca id=\u0022user-not-found-link\u0022 href=\u0022#\u0022\u003eget a new Microsoft account\u003c/a\u003e."},"30168":{"title":"We don\u0027t recognize this domain name","description":"Make sure you typed your organization\u0027s domain name correctly. It usually looks like @example.com or @example.onmicrosoft.com."},"30173":"Which type of account do you want to sign in with?","30200":"You may still be signed in to some applications. Close your browser to finish signing out.","catchall":"We didn\u0027t receive a response. Please try again."}},"enums":{"ClientMetricsModes":{"None":0,"SubmitOnPost":1,"SubmitOnRedirect":2,"InstrumentPlt":4},"NameSpaceType":{"None":0,"Managed":1,"Federated":2},"ErrorCodes":{"None":0,"ForceSignIn":2147749900,"NotAuthorized":2147762210,"SltRedemptionFailed":2147771649}},"urls":{"disambighelpurl":"https://go.microsoft.com/fwlink/p/?LinkID=733247","msa":{"meurl":"https://login.live.com/Me.srf?wa=wsignin1.0\u0026idpflag=direct\u0026wreply=","oauthauthorizeurl":"https://login.live.com/oauth20_authorize.srf","signouturl":"https://login.live.com/login.srf?wa=wsignout1.0\u0026wreply=","passwordreseturl":"https://account.live.com/password/reset?wreply=https:%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0","manageaccounturl":"https://account.microsoft.com","singleusecode":"http://windows.microsoft.com/en-US/windows-live/sign-in-single-use-code"},"style":{"loginhover":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/login_hover.min.css"}},"browser":{"ltr":1,"_Other":1,"Full":1,"RE_Other":1,"b":{"name":"Other","major":-1,"minor":-1.0},"os":{"name":"Other","version":""},"V":-1},"watson":{"enabled":true,"bundle":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/watson.min.js","sbundle":"https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/watsonsupport.min.js","resetErrorPeriod":5,"maxCorsScriptError":2,"maxErrorsPerPage":10},"serverDetails":{"slc":"ProXXXXnA","dc":"BL2","ri":"ESTXXXX_171","ver":{"v":[2,1,4653,2]},"rt":"2016-09-01T04:42:11"}};
//]]></script>

    
    <script type="text/javascript">//<![CDATA[
!function(){function r(r,o,a){function i(){var r=!!u.method,e=r?u.method:a[2],i=t.$WebWatson;try{e.apply(o,n(a,!r))}catch(l){return void(i&&i.submitFromException&&i.submitFromException(l))}}var u=e.r&&e.r[r];return o=o?o:this,u&&(u.skipTimeout?i():t.setTimeout(i,0)),u}function n(r,n){return Array.prototype.slice.call(r,n?3:2)}var t=window;t.$Do||(t.$Do={q:[],r:[],removeItems:[],lock:0});var e=t.$Do;e.when=function(n,t){r(n,t,arguments)||e.q.push({id:n,c:t,a:arguments})},e.register=function(n,t,o){if(!e.r[n]){e.r[n]={method:t,skipTimeout:o},e.lock++;try{for(var a=0;a<e.q.length;a++){var i=e.q[a];i.id==n&&r(n,i.c,0,i.a)&&e.removeItems.push(i)}}catch(u){throw u}finally{if(e.lock--,0===e.lock){for(var l=0;l<e.removeItems.length;l++)e.q.remove(e.removeItems[l]);e.removeItems=[]}}}},e.unregister=function(r){e.r[r]&&delete e.r[r]}}(),function(){function r(r,n,t){var e=d.createElement("script");e.id=n,e.type="text/javascript",e.setAttribute("src",r),e.defer=!1,e.async=!1,e.onload=t,e.onerror=o,e.onreadystatechange=function(){"loaded"===e.readyState&&t()};var a=d.getElementsByTagName("head")[0];a.appendChild(e)}function n(){var n=v.bundle;v.bundle=null,delete v.bundle,r(n,"WebWatson_DemandLoaded",e)}function t(){g||(c.jQuery?n():r(v.sbundle,"WebWatson_DemandSupport",n),v.sbundle&&(v.sbundle=null,delete v.sbundle),g=!0)}function e(){if(c.$WebWatson){if(c.$WebWatson.isProxy)return void o();for(;m.length>0;){var r=m.shift();r&&c.$WebWatson[r.cmdName].apply(c.$WebWatson,r.args)}}}function o(){var r=c.$WebWatson?c.$WebWatson.isProxy:!0;a(),v.loadErrorUrl&&r&&window.location.assign(v.loadErrorUrl)}function a(){m=[],c.$WebWatson=null}function i(r){return function(){var n=arguments;m.push({cmdName:r,args:n}),t()}}function u(){var r=["foundException","resetException","submit","submitFromException","showError"],n=this;n.isProxy=!0;for(var t=r.length,e=0;t>e;e++){var o=r[e];o&&(n[o]=i(o))}}function l(r,n,t,e,o,a,i,u,l){a||(a=s(i?i+2:2)),b.submit(r,n,t,e,o,a,i,u,l)}function s(r){var n=[],t=arguments.callee;try{for(;r>0;)t=t?t.caller:t,r--;for(var e=0;t&&h>e;){var o="InvalidMethod()";try{o=t.toString()}catch(a){}var i=[],u=t.args||t.arguments;if(u)for(var l=0;l<u.length;l++)i[l]=u[l];n.push({signature:o,args:i,toString:function(){return this.signature}}),t=t.caller,e++}}catch(a){}return n}var c=window,d=c.document,f=c.$Config||{},v=f.watson;if(!c.$WebWatson&&v&&v.enabled){var m=[],g=!1,h=10,b=c.$WebWatson=new u;b.CB={},b._orgErrorHandler=c.onerror,c.onerror=l,b.errorHooked=!0}}(),function(){function r(r,n){for(var t=n.split("."),e=t.length,o=0;e>o&&null!==r&&void 0!==r;)r=r[t[o++]];return r}function n(n){var t=null;return null===l&&(l=r(a,"Constants")),null!==l&&n&&(t=r(l,n)),null===t||void 0===t?"":t.toString()}function t(t){var e=null;return null===i&&(i=r(a,"$Config.strings")),null!==i&&t&&(e=r(i,t.toLowerCase())),(null===e||void 0===e)&&(e=n(t)),null===e||void 0===e?"":e.toString()}function e(r,n){var e=null;return r&&n&&n[r]&&(e=t("errors."+n[r])),e||(e=t("errors."+r)),e||(e=t("errors."+s)),e||(e=t(s)),e}function o(t){var e=null;return null===u&&(u=r(a,"$Config.urls")),null!==u&&t&&(e=r(u,t.toLowerCase())),(null===e||void 0===e)&&(e=n(t)),null===e||void 0===e?"":e.toString()}var a=window,i=null,u=null,l=null,s="GENERIC_ERROR";a.GetString=t,a.GetErrorString=e,a.GetUrl=o}(),function(){var r=window,n=r.$Config||{};r.$B=n.browser||{}}();

//]]></script>

    <style type="text/css">
        #hero-image-container
        {
            background-image: url('https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/default_signin_illustration.png');
        }
    </style>
</head>

<body class="ltr" style="display: none">
    <script type="text/javascript">//<![CDATA[
!function(){var o=window,l=o.document,n=o.$Config||{};o.self===o.top?l.body.style.display="block":n.allowFrame||(o.top.location=o.self.location)}();

//]]></script>
    <script src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/jquery.1.11.min.js"></script>

    <script src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/cdnbundles/aad.login.proxy.min.js"></script>

    <script type="text/javascript">//<![CDATA[
!function(){var e=window,t=e.document,i=e.navigator,a=e.$Config;if(i.userAgent.match(/IEMobile\/10\.0/)){var n=t.createElement("style");n.appendChild(t.createTextNode("@@-ms-viewport{width:auto!important}")),n.appendChild(t.createTextNode("@@-ms-viewport{height:auto!important}")),t.getElementsByTagName("head")[0].appendChild(n)}else if((i.userAgent.match(/iPad/)||i.userAgent.match(/iPhone/))&&e.innerWidth)try{var r=t.querySelector("meta[name=viewport]");r.setAttribute("content","width="+e.innerWidth+", initial-scale=1.0, maximum-scale=1.0"),e.onresize=function(){r.setAttribute("content","width="+e.innerWidth+", initial-scale=1.0, maximum-scale=1.0")}}catch(o){}var l=!!("ontouchstart"in window)||i.msMaxTouchPoints>0;if(!l&&!a.isMetro2Ux){var d="hovereffect";if(!t.getElementById(d)){var m=t.getElementsByTagName("head")[0],h=t.createElement("link");h.id=d,h.rel="stylesheet",h.type="text/css",h.href=e.GetUrl("Style.LoginHover"),h.media="all",m.appendChild(h)}}}();

//]]></script>
    


    <div id="maincontent">
        <div id="hero-image-panel">
            <div id="hero-image-container" class="animation-opacity"></div>
        </div>
        <div id="workload-panel">
            

<noscript>
    <style>
        body { display: block; }
    </style>              
    <div class="h2 no-js"><H1>We can't sign you in</H1><p>Your browser is currently set to block JavaScript. You need to allow JavaScript to use this service.</p><p>To learn how to allow JavaScript or to find out whether your browser supports JavaScript, check the online help in your web browser.</p></div>
</noscript>
<div id="no-cookie-section" class="no-cookie no-display"> 
    <div class="h3 no-cookie"><H1>We can't sign you in</H1><p>Your browser is currently set to block cookies. You need to allow cookies to use this service.</p><p>Cookies are small text files stored on your computer that tell us when you're signed in. To learn how to allow cookies, check the online help in your web browser.</p></div>
</div>

            <div id="legal-section" class="legal-section no-display"></div>
            <div id="login-section" class="login-section">
                <div id="login-section-layout">
                    <div id="logo-panel">
                        

    <div class="text-subheader animation-margin">SNCR-ORBIT</div>

                    </div>
                    <div id="main-panel" class="animation-margin">
                        <div id="main-panel-content">




<div>

    <div id="error-msg-container" class="error_msg no-display alert alert-error">
        <div id ="cta_client_error_text" class="client_error_msg"></div>
    </div>
</div>


<div id="tiles-view" class="no-display">
    <div class="text-body">Which account do you want to use?</div>
    <div id="tiles-container" class="tilesContainer"></div>

    <div class="marginTop no-display">
        <input id="tiles-cancel-button" value="Cancel" class="btn marginTop" type="button" />
    </div>
</div>
<a id="menu-container" class="no-display"></a>

<div id="disambig-view" class="no-display">
    <div id="disambig-desc" class="text-body no-display"></div>
    <div id="splitter-tiles-container" class="tilesContainer"></div>

    <div class="marginTop no-display">
        <input id="disambig-back-button" value="Back" class="btn marginTop" type="button" />
    </div>

    <div class="marginTop no-display">
        <input id="disambig-cancel-button" value="Cancel" class="btn marginTop" type="button" />
    </div>

    <div id="disambigHelpContainer" class="stdMarginTop">
        
        Tired of seeing this? <a href="#" id="iDisambigRenameLink">Rename your personal Microsoft account.</a>
    </div>
</div>

<div id="redirect-view" class="no-display">
    <div id="redirect-dots-animation" class="progress">
        <div class="pip"></div>
        <div class="pip"></div>
        <div class="pip"></div>
        <div class="pip"></div>
        <div class="pip"></div>
    </div>

    <div id="redirect-message-container">
        <div>
            <span id="redirect-message-text-org" class="no-display">We&#39;re taking you to your organization&#39;s sign-in page.</span>
            <span id="redirect-message-text-msa" class="no-display">We‘re taking you to the Microsoft account sign-in page.</span>
            <span id="redirect-message-text-pta" class="no-display">Trying to sign you in</span>
            
            <span id="redirect-message-text-cloudfed" class="no-display">We&#39;re taking you to your organization&#39;s sign-in page.</span>
            <a id="redirect-cancel-link" href="#">Cancel</a>
        </div>
    </div>
</div>

<div id="login-view" class="login-view no-display">
    <form id="credentials" method="post" action="/common/login">
        <div class="row" id="login-label">
            <div class="text-caption">Work or school, or personal Microsoft account</div>
        </div>

        <div id="cred-userid-container" class="row">
            <div class="form-group col-xs-24">
                <input id="cred-userid-inputtext"
                       class="required email form-control"
                       type="email"
                       name="login"
                       placeholder="Email or phone"
                       spellcheck="false"
                       alt="Email or phone"
                       aria-label="User account"
                       value=""
                       autocomplete="off" />
            </div>
        </div>

        <div id="fixed-userid-container" class="row no-display"></div>

        <div id="cred-password-container" class="row">
            <div class="form-group col-xs-24">
                <input id="cred-password-inputtext"
                       class="required field form-control"
                       type="password"
                       name="passwd"
                       placeholder="Password"
                       spellcheck="false"
                       aria-label="Password"
                       alt="Password" />
            </div>
        </div>

            <div class="col-xs-24 form-group checkbox">
                <label>
                    <input id="cred_keep_me_signed_in_checkbox" type="checkbox" value="0" name="persist">
                    <span id="keep_me_signed_in_label_text">Keep me signed in</span>
                </label>
            </div>

        <div class="text-body btn-group">
            <input id="submit-button"
                   value="Sign in"
                   class="btn btn-primary"
                   type="submit" />

            
            <input id="login-back-button"
                   value="Back"
                   class="btn no-display"
                   type="button" />

            
            <input id="login-cancel-button"
                   value="Cancel"
                   class="btn no-display"
                   type="button" />
        </div>

        <input type="hidden" name="ctx" value="rQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0" />
        <input type="hidden" name="flowToken" value="AQABAAEAAADRNYRQ3dhRSrm-4K-adpCJoxiQE5ooDmgh417ZPMuvz-kARYED95fQSs7PMx7H_InU4izTOaleIsjHjF8PjcX1W0c_RwcEOn6Ww39Xes1DjjCFl_iGY3O_PCg_GiRCDrMqjgcfZR56wuKRovm0MyIpu3sye-XDWaL5zJ3Nl0-C7qNpro7rra91Yy7SV178B-QlLMTrGLtUiSZ7zW8CEpPmzShWzrmvZ4nBtJiGhO-PRCAA" />
        <input type="hidden" name="canary" value="/sGean8v0UM6VNIfq8YG5u+D9t2mB6wj55b3SvLczjY=6:1"/> 
        <input type="hidden" name="dssoToken" id="dssoToken" /> 
    </form>



    <div id="login-cred-options-container" class="row">
            <div id="forgot-password-container" class="col-xs-24 stdMarginTop">
                <a href="#" id="forgot-password-title">Can’t access your account?</a>
                <div id="forgot-password-content" class="forgot-password-content no-display stdMarginTop">
                    <div>What kind of account do you have?</div>
                    <div class="col-xs-24">
                        <div class="stdMarginTop">
                            <a id="cred_msa_forgot_password_link" href="https://account.live.com/password/reset?wreply=https:%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0">Personal account</a>
                        </div>
                        <div class="stdMarginTop">
                            <a id="cred_forgot_password_link" href="https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQIIAdNiNtIzsFJJMTU3Mza0TNQ1N01J1TWxNEjTTUpOTtVNNUpKSzZJNDewTDUuEuIS-PUy_u7EggK_7X47zjL1r0xfxaiQUVJSUGylr5-Tn5yYk5FfXGJlaAkE-kBeTlJicvYORsYLjIy3mPj9HUtLMoxARH5RZlXqIwyRScyi-QWpeZkpyfl5eanJJXqZKSX52al5m5jZkvNzc_PzdjGrmJmlpBompabqphiaWOiamJok6SaaGKbpGhonJVmmWZhbmBkkn2Lmg5ijUFCUn5aZk3qJmQ0icImZHSp0g5nxAgvjDxbGRaxAb3Ep2aupJlxyn-Ar9fGxgqHbKVZ9_WL31MQ8izKDUF-zMD_PtEKLSHfTUm0XyxKjXCez8ixT0yTj4DKf5KqsSFszK8MDnIwA0&amp;mkt=en-US&amp;hosted=0">Work or school account</a>
                        </div>
                    </div>
                </div>
            </div>
                <div class="col-xs-24 stdMarginTop">
                    <a href="#" id="show-other-options-link">Other sign in options</a>
                </div>
                    <div id="signup-link-container" class="col-xs-24 stdMarginTop">
                        <a id="signup-link-v2" href="#">Get a new account</a>
                    </div>

        <div class="row no-display">
            <div id="boiler_plate" class="col-xs-24 text-caption"></div>
        </div>
    </div>
</div>

<div id="other-options-view" class="no-display">
    <div class="row">
        <div class="text-subtitle col-xs-24">Personal account</div>
    </div>

    <div class="row">
        <div class="col-xs-24 text-base">
            <img class="dialer-icon" src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/dialpad_32x32.png" />
            <a id="other-options-link" href="#">Sign in with a single-use code</a>
        </div>
    </div>

    <div class="row">
        
        <div class="col-xs-24">Sign in to your personal Microsoft account without entering your password. This helps protect your account when you're using someone else's device. <a href='#' id='single-use-learn-more'>Learn More</a></div>
    </div>


    <div class="row marginTop">
        <div class="col-xs-24 btn-group">
            <input id="other-options-back-button" type="button" class="btn" value="Back" />
        </div>
    </div>
</div>

<iframe id="msa-me-control-frame" class="no-display"></iframe></div>
                    </div>
                    <div id="footer-panel">


<div id="footer_links_container" class="login_footer_container">
    <div class="footer_inner_container">
        <table id="footer_table" class="footer_block">
                <tr>
                    <td>
                        <div>
                            <div class="corporate_footer">
                                    <div>
                                        <span class="footer_link text-caption" id="footer_copyright_link">
&#169; 2016 Microsoft                                        </span>
                                    </div>
                                    <div>
                                        <span class="footer_link">
                                            <a class="text-caption" id="footer_link_terms" href="https://login.microsoftonline.com/termsofuse" target="_blank">Terms of use</a>
                                        </span>
                                        <span class="footer_link">
                                            <a class="text-caption" id="footer_link_privacy" href="https://login.microsoftonline.com/privacy" target="_blank">Privacy &amp; Cookies</a>
                                        </span>
                                    </div>
                            </div>
                        </div>
                    </td>
                    <td>
                        <div class="footer_glyph">
                            <img src="https://secure.aadcdn.microsoftonline-p.com/ests/2.1.4653.2/content/images/microsoft_logo.png" alt="Microsoft account symbol" />
                        </div>
                    </td>
                </tr>
        </table>
    </div>
</div>
<div id="login_prefetch_container" class="no-display">
</div>
                    </div>
                    <div id="legal-panel" class="legal_container no-display"></div>
                </div>
            </div>
        </div>
    </div>
</body>
</html> at position 29776.
	at net.minidev.json.parser.JSONParserBase.readMain(JSONParserBase.java:385)
	at net.minidev.json.parser.JSONParserBase.parse(JSONParserBase.java:156)
	at net.minidev.json.parser.JSONParserString.parse(JSONParserString.java:56)
	at net.minidev.json.parser.JSONParserString.parse(JSONParserString.java:37)
	at net.minidev.json.parser.JSONParser.parse(JSONParser.java:140)
	at com.nimbusds.oauth2.sdk.util.JSONUtils.parseJSON(JSONUtils.java:28)
	... 44 common frames omitted

Thanks,

Tushar

[Jérôme LELEU]

Hi,

I only tested the AzureAD support with a callback url without query parameters.

I hope that AzureAD does not care about extra parameter: can you define http://localhost:1999/callback on AzureAD side? Does it work?

Changing the defaultUrl in the callbackFilter won't solve the problem (it's the url after the authentication).

If you finally need to remove the client_name parameter, you need to:

- define the defaultClient on the Clients as the AzureAdClient

- prevent the addition of the client_name parameter with azureAdClient.setIncludeClientNameInCallbackUrl(false);

Thanks.

Best regards,

Jérôme

[Tushar surti]

Hi Jerome,

Any thoughts on my 2nd problem? JSON  parsing error.

Thanks,

Tushar

[Tushar surti]

Hi Jerome,

I'm still facing problem with Azure AD OIDC. Below is my XML file. I've https://localhost:19999/ in  https://apps.dev.microsoft.com. 

<mvc:resources mapping="/auth/**" location="classpath:staticweb/auth/"/>
<security:http pattern="/auth/**" security="none" />
<security:http pattern="/font/**" security="none" />
<security:http pattern="/js/**" security="none" />
<security:http pattern="/css/**" security="none" />
<security:http pattern="/img/**" security="none" />
<security:http pattern="/pages/**" security="none" />

<security:authentication-manager id="authenticationManager"/>

<bean id="pac4jEntryPoint" class="org.pac4j.springframework.security.web.Pac4jEntryPoint" />

<bean id="callbackFilter" class="org.pac4j.springframework.security.web.CallbackFilter">
  <property name="config" ref="config" />
  <property name="multiProfile" value="false" />

  <!--<property name="defaultUrl" value="https://localhost:19999/" />-->

</bean>
<security:http create-session="always" pattern="/callback*" entry-point-ref="pac4jEntryPoint">
  <security:csrf disabled="true"/>
  <security:custom-filter position="BASIC_AUTH_FILTER" ref="callbackFilter" />
</security:http>

<bean id="oidcSecurityFilter" class="org.pac4j.springframework.security.web.SecurityFilter">
   <property name="config" ref="config" />
   <property name="clients" value="AzureAdClient" />
</bean>
<security:http create-session="always" pattern="/**" entry-point-ref="pac4jEntryPoint">
   <security:custom-filter position="BASIC_AUTH_FILTER" ref="oidcSecurityFilter" />
   <security:csrf disabled="true" />
   <security:anonymous enabled="false" />
   <security:logout logout-success-url="/" />
</security:http>

  <!-- security configuration -->
  <bean id="roleAdminAuthGenerator" class="com.gs.wmf.lifeboat.pac4j.RoleAdminAuthGenerator" />
  <bean id="azureOidcClient" class="org.pac4j.oidc.client.AzureAdClient">

    <property name="includeClientNameInCallbackUrl" value="false" />

    <property name="clientID" value="d576319a-75de-490f-bcce-e2bfc4a709e3" />
    <property name="secret" value="EMgSeMKyyfxVH6eFSw7njEj" />
    <property name="authorizationGenerator" ref="roleAdminAuthGenerator" />

    <property name="discoveryURI" value="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3&amp;scope=openid+profile" />
    <!--<property name="discoveryURI" value="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3&amp;scope=openid+profile&amp;response_type=id_token" />-->
  </bean>

  <bean id="clients" class="org.pac4j.core.client.Clients">

    <property name="callbackUrl" value="https://localhost:19999/" />
    <property name="defaultClient" ref="azureOidcClient" />

    <property name="clients">
      <list>
        <ref bean="azureOidcClient" />
      </list>
    </property>
  </bean>

---------------------------------------------------------------

Below is the error.

Could you please guide me here. One more thing, I want to get only "id_token" and not "code". I think PAC4J supports only "CODE" as response_type.

Could you please let me know if there is a way to get only "id_token" in response.

Thanks,

Tushar

[Jérôme LELEU]

Hi,

I though your second issue might be related to the first one: an error page is returned instead of the expected JSON.

I see this message in the error page: Your browser is currently set to block cookies. You need to allow cookies to use this service.

Does it make sense in your case?

Thanks.

Best regards,

Jérôme

[Jérôme LELEU]

Hi,

See my previous post about the error message: cookies seem to be not allowed by your browser.

Using pac4j v1.9.2-SNAPSHOT (which will be released end September), you can set the response type. The configuration must be now defined in the OidcConfiguration object which is set to the client:

final OidcConfiguration config = new OidcConfiguration();

config.setClientId(clientId);

config.setSecret(secret);

config.setDiscoveryURI(discoveryUri);

config.setResponseType("id_token");

AzureAdClient azureAdClient = new AzureAdClient(config);

Thanks.

Best regards,

Jérôme

[Tushar surti]

Hi Jerome,

both cookie and JS are enabled on my browser.

I think its some thing else which is giving parsing error on validating JWT token.

Any thoughts.

Thanks,

Tushar

[Tushar surti]

Jerome,

I've few more questions on PAC4J.

1) does it support OIDC for OKTA or PING? 

2) can I use unreleased snapshot version of PAC4J version v1.9.2 to get ONLY ID_TOKEN from response.

Please help me out in resolving JSON parsing error. I'm not sure what is causing this parsing failure. I tried with http://localhost:8080 and that works fine (by Manually creating the request like below)

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3&scope=openid+profile&response_type=id_token&redirect_uri=(URLS TO REFIRECT)

.I mean I was able to validate the JWT token (@ http://jwt.calebb.net/) as well but it fails with my application where I've PAC4J configuration.

Looks like I'm missing something small.

Thanks,

Tushar

[Jérôme LELEU]

Hi,

1) It must.

On Okta, I haven't been able so far to create an OpenID Connect app, only SAML 2.0 ones, I opened a case.

For pingidentity, I've spent a couple of minutes trying to understand how I could create a free trial account. It doesn't seem possible.

Any feedback and successful integration will be appreciated.

2) I use this class: https://github.com/pac4j/pac4j/blob/master/pac4j-oidc/src/test/java/org/pac4j/oidc/run/RunAzureAdClient.java to test the AzureAD support, I run it as a Java application.

Indeed, when I change the callback url to have some additional parameter in the query string, it fails but with this specific and clear error message:

pac4j test 11:18:51 [main] DEBUG o.p.o.c.a.OidcAuthenticator - Token response: status=400, content={"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50011: The reply address 'http://www.pac4j.org/test.html?client_name=AzureAdClient' does not match the reply address 'http://www.pac4j.org/test.html' provided when requesting Authorization code.\r\nTrace ID: 30949be5-18d8-40b0-9421-1f8454e6b86e\r\nCorrelation ID: 8b8c441f-b989-4830-9b54-4aa7828fdca4\r\nTimestamp: 2016-09-04 09:18:51Z","error_codes":[70002,50011],"timestamp":"2016-09-04 09:18:51Z","trace_id":"30949be5-18d8-40b0-9421-1f8454e6b86e","correlation_id":"8b8c441f-b989-4830-9b54-4aa7828fdca4"}

When trying your configuration, I realized your discovery url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3&amp;scope=openid+profile&amp;response_type=id_token is wrong, it's an OAuth 2.0 authorize url. You need to use the appropriate discovery url.

Thanks.

Best regards,

Jérôme

[Jérôme LELEU]

Update:

Here is the manual test for Okta: https://github.com/pac4j/pac4j/blob/master/pac4j-oidc/src/test/java/org/pac4j/oidc/run/RunOkta.java, confirming it works.

Best regards,

Jérôme

...

[Tushar surti]

Hi Jerome,

So you mean to say, If I change the discovery URL then my problem should be resolved? 

Can I still play with unreleased snapshot of PAC4J for ID_TOKEN? or should I extend AzureADClient/ OIDCClient class to send request for ID_TOKEN only?

Thanks,

Tushar

[Jérôme LELEU]

Hi,

Yes, exactly. With the appropriate discovery url, it should work.

Yes, use the 1.9.2-SNAPSHOT for the id_token. It will be released soon (a few weeks).

Thanks.

Best regards,

Jérôme

[Tushar surti]

Hi Jerome,

I'm still struggling with OIDC with Azure. I got login screen for Azure but on successful login, it shows me error for multiple redirects.

Below is my config XML.

    <!--<property name="defaultUrl" value="https://localhost:19999/" />-->
  </bean>
  <security:http create-session="always" pattern="/callback*" entry-point-ref="pac4jEntryPoint">
    <security:csrf disabled="true"/>
    <security:custom-filter position="BASIC_AUTH_FILTER" ref="callbackFilter" />
  </security:http>

  <bean id="oidcSecurityFilter" class="org.pac4j.springframework.security.web.SecurityFilter">
     <property name="config" ref="config" />
     <property name="clients" value="AzureAdClient" />
  </bean>
  <security:http create-session="always" pattern="/**" entry-point-ref="pac4jEntryPoint">
     <security:custom-filter position="BASIC_AUTH_FILTER" ref="oidcSecurityFilter" />
     <security:csrf disabled="true" />
     <security:anonymous enabled="false" />
     <security:logout logout-success-url="/" />
  </security:http>

    <!-- security configuration -->
    <bean id="roleAdminAuthGenerator" class="com.gs.wmf.lifeboat.pac4j.RoleAdminAuthGenerator" />
 
  <bean id="azureOidcClient" class="org.pac4j.oidc.client.AzureAdClient">
    <property name="includeClientNameInCallbackUrl" value="false" />

    <property name="clientID" value="c954e6f2-3954-4300-a36e-ae82c291b5a0" />
    <property name="secret" value="wSKpPG6xBaA7Bfy71CiCKNbLuek4pHiPdDWb7xtMcHM=" />

    <property name="authorizationGenerator" ref="roleAdminAuthGenerator" />

    <property name="discoveryURI" value="https://login.microsoftonline.com/7003a083-0078-491a-b0c6-12b3733b6121/.well-known/openid-configuration" />

    <!--<property name="discoveryURI" value="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d576319a-75de-490f-bcce-e2bfc4a709e3&amp;scope=openid+profile&amp;response_type=id_token" />-->
  </bean>


    <bean id="clients" class="org.pac4j.core.client.Clients">

      <property name="callbackUrl" value="https://localhost:19999/#help" />

      <property name="defaultClient" ref="azureOidcClient" />
      <property name="clients">
        <list>
          <ref bean="azureOidcClient" />
        </list>
      </property>
    </bean>

    <bean id="config" class="org.pac4j.core.config.Config">
      <property name="clients" ref="clients" />
      <property name="authorizers">
        <map>
          <entry key="admin">
            <bean class="org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer">
              <constructor-arg name="roles" value="ROLE_USER" />
            </bean>
          </entry>
          <entry key="custom">
            <bean class="com.gs.wmf.lifeboat.pac4j.CustomAuthorizer" />
          </entry>
        </map>
      </property>
      <property name="matchers">
        <map>
          <entry key="excludedPath">

            <bean class="org.pac4j.core.matching.ExcludedPathMatcher">
              <constructor-arg name="excludePath" value="^/facebook/notprotected\.jsp$" />
            </bean>
          </entry>
        </map>
      </property>
    </bean>

  </beans>

--------------------------------------

Below is my Azure App config.

------------------

After above configuration, I see error for "too many redirects" ( with multiple 302 code )

Below is image for reference. I looks like it works but just need some correction in callback/reply URL

( Either in Config XML  or on azure Management portal ).

Could you please guide me here? what is missing or wrong with my setup?

Thanks,

Tushar

[Jérôme LELEU]

Hi,

OK I see. You define your callback filter on /callback:

  <security:http create-session="always" pattern="/callback*" entry-point-ref="pac4jEntryPoint">
    <security:csrf disabled="true"/>
    <security:custom-filter position="BASIC_AUTH_FILTER" ref="callbackFilter" />
  </security:http>

But your configuration defines your callback url on:

    <bean id="clients" class="org.pac4j.core.client.Clients">
      <property name="callbackUrl" value="https://localhost:19999/#help" />

Change your callback url in your configuration to: https://localhost:19999/callback

Thanks.

Best regards,

Jérôme

[Tushar surti]

Hi Jerome,

After making changes to configuration, I 'm getting below error after successful authentication with Azure AD.  

Below is the config.

<bean id="azureOidcClient" class="org.pac4j.oidc.client.AzureAdClient">

  <property name="clientID" value="c954e6f2-3954-4300-a36e-ae82c291b5a0" />
  <property name="secret" value="wSKpPG6xBaA7Bfy71CiCKNbLuek4pHiPdDWb7xtMcHM=" />
  <property name="authorizationGenerator" ref="roleAdminAuthGenerator" />

  <!--<property name="discoveryURI" value="https://login.windows.net/synchronoss.onmicrosoft.com/.well-known/openid-configuration" />-->

  <property name="discoveryURI" value="https://login.microsoftonline.com/7003a083-0078-491a-b0c6-12b3733b6121/.well-known/openid-configuration" />

</bean>


  <bean id="clients" class="org.pac4j.core.client.Clients">
    <property name="callbackUrl" value="https://localhost:19999/callback" />

    <property name="defaultClient" ref="azureOidcClient" />
    <property name="clients">
      <list>
        <ref bean="azureOidcClient" />
      </list>
    </property>
  </bean>

----------

It looks like the token response which I'm getting from Azure AD endpoint

is not valid and hence I'm getting error.

Any thoughts/suggestion? I tried manually creating the request 

as shown below .

https://login.microsoftonline.com/7003a083-0078-491a-b0c6-12b3733b6121/oauth2/authorize?

client_id=c954e6f2-3954-4300-a36e-ae82c291b5a0&scope=openid+profile&response_type=id_token&

redirect_uri=https://localhost:19999/callback&nonce=23423432424  (VALID ID TOKEN)

JWT token returned by above request (for response_type=id_token) is valid but If I change response_type to "code"

then I get invalid response.

Do you know why I get below error.

org.pac4j.core.exception.TechnicalException: org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_client
Your help will be highly appreciated on this issue.
Thanks,
Tushar

[Jérôme LELEU]

Hi,

Can you try with pac4j-oidc v1.9.2-SNAPSHOT? And if it still fails, can you allow: testsc...@gmail.com on the tenant 'Synchronoss Technologies' so I can do some tests.

Thanks.

Best regards,

Jérôme

[Tushar surti]

Hi Jerome,

Finally I got it working with 1.9.2 snapshot. 

Now I'm seeing issue with logout where after logout app got redirected to login URL and then as cookie was valid , SSO worked and it does the login again.

What are my options in this case to avoid auto login? should I clear cookie  or should I configure logout end endpoint/end_session_endpoint ( with filter )? I don't have any Logout page where I can redirect the flow and I don't want to have it one either. I'm relying on ID provider only for login/logout flow.

Any best practices or suggestion?

Thanks,

Tushar

[Jérôme LELEU]

Hi,

You need to call the logout of the OpenID Connect provider to destroy the session at the provider level. There are two specs for that in the OpenID Connect protocol: http://openid.net/specs/openid-connect-frontchannel-1_0.html and http://openid.net/specs/openid-connect-backchannel-1_0.html

You should see what's available from AzureAD for logout.

Thanks.

Best regards,

Jérôme

[Tushar surti]

Hi Jerome,

is there any way in PAC4J to kill the session at provider level? 

Do i have to create another Azure AD Client which will hit end_session_endpoint/userinfo_endpoint  and then use that with another spring security filter (like login filter) to apply special security .

Thanks,

Tushar

[Jérôme LELEU]

Hi,

Currently, pac4j does not handle identity provider logout. It's planned for version 2.0: https://github.com/pac4j/pac4j/issues/54

Regarding Azure AD, I'm not sure this is feasible.

First search returns (https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-protocols-oidc/#send-a-sign-out-request):

Send a sign out request

The OpenIdConnect end_session_endpoint is not currently supported by the v2.0 endpoint. This means your app cannot send a request to the v2.0 endpoint to end a user's session and clear cookies set by the v2.0 endpoint. To sign a user out, your app can simply end its own session with the user, and leave the user's session with the v2.0 endpoint in-tact. The next time the user tries to sign in, they will see a "choose account" page, with their actively signed-in accounts listed. On that page, the user can choose to sign out of any account, ending the session with the v2.0 endpoint.

although I read this (http://stackoverflow.com/questions/23732840/azure-active-directory-logout-clear-persistent-token):

9down vote

If you would like to sign the user out of the STS too, issue a logout request:https://login.windows.net/{tenantid or "common"}/oauth2/logout?post_logout_redirect_uri={URL}. The URL needs to be a reply url registered with your app in AAD.

You need to search on Google and make some attempts.

Thanks.

Best regards,

Jérôme

[Tushar surti]

Hi Jerome,

I need some more help. Actually I'm trying to make my OIDC plugin more generic.

I see below error right on google OIDC.

Below is my OIDC config.

<bean id="oidcClient" class="org.pac4j.oidc.client.${lifeboat.webSecurityOidc.client}">
  <property name="configuration" ref="odicConfig" />
</bean>

<bean id="odicConfig" class="org.pac4j.oidc.config.OidcConfiguration">
  <property name="clientId" value="${lifeboat.webSecurityOidc.clientId}" />
  <property name="secret" value="${lifeboat.webSecurityOidc.secret}" />
  <property name="discoveryURI" value="${lifeboat.webSecurityOidc.discoveryURI}" />
  <property name="responseType" value="${lifeboat.webSecurityOidc.responseType}"/>
  <property name="useNonce" value="${lifeboat.webSecurityOidc.useNonce}"/>
  <property name="responseMode" value="${lifeboat.webSecurityOidc.responseMode}"/>
  <property name="connectTimeout" value="500000"/>
</bean>

I'm creating client as per paramter class="org.pac4j.oidc.client.${lifeboat.webSecurityOidc.client} 

which is configured in my properties file. Now when I do OIDC with google, I see above error on redirects. 

I was able to login successfully but redirects failed with below error.

org.pac4j.core.exception.TechnicalException: Missing state parameter
	at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:77)
	at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:31)
	at org.pac4j.core.client.IndirectClientV2.retrieveCredentials(IndirectClientV2.java:49)
I've increased timeout parameter on OidcConfiguration too but that did not help.
Could you please help me here?
Thanks,
Tushar

Thanks,

Tushar

[Tushar surti]

Hi Jerome, 

This is in continuation to my last email only. when I disabled below 4 parameter from OidcConfiguration object in bean ( as shown below) , Google OIDC works fine.

<bean id="odicConfig" class="org.pac4j.oidc.config.OidcConfiguration">
  <property name="clientId" value="${lifeboat.webSecurityOidc.clientId}" />
  <property name="secret" value="${lifeboat.webSecurityOidc.secret}" />

  <!--<property name="discoveryURI" value="${lifeboat.webSecurityOidc.discoveryURI}" />

  <property name="responseType" value="${lifeboat.webSecurityOidc.responseType}"/>
  <property name="useNonce" value="${lifeboat.webSecurityOidc.useNonce}"/>

  <property name="responseMode" value="${lifeboat.webSecurityOidc.responseMode}"/>-->
</bean>

I need these properties for AzureAD and on the other hand they are creating problem with

Google OIDC. I could not make my OIDC bean generic so that it can be turn ON/OFF

from properties file. Is there a way I can make it generic? 

I'm still working on OKTA and PING Identity for OIDC.

Thanks,

Tushar

[saurabh singhal]

Hello

putting defaultClient giving the below error:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'callbackFilter' defined in ServletContext resource [/WEB-INF/spring-security.xml]: Cannot resolve reference to bean 'config' while setting bean property 'config'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'config' defined in ServletContext resource [/WEB-INF/spring-security.xml]: Cannot resolve reference to bean 'clients' while setting bean property 'clients'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clients' defined in ServletContext resource [/WEB-INF/spring-security.xml]: Error setting property values; nested exception is org.springframework.beans.PropertyBatchUpdateException; nested PropertyAccessExceptions (1) are:

PropertyAccessException 1: org.springframework.beans.MethodInvocationException: Property 'defaultClient' threw exception; nested exception is org.pac4j.core.exception.TechnicalException: The default client must be defined in the list of clients

        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)

        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)

        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1531)

        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1276)

        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553)

        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)

        at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)

        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)

 

Configuration below:

   <beans:bean id="azureClient" class="org.pac4j.oidc.client.AzureAdClient">

     <beans:constructor-arg name="configuration" ref="azureConfigurationClient"/>

      <beans:property name="includeClientNameInCallbackUrl" value="false"></beans:property>

    </beans:bean>

    

<beans:bean id="azureConfigurationClient" class="org.pac4j.oidc.config.OidcConfiguration">

<beans:property name="clientAuthenticationMethod" value="NONE"/> 

<beans:property name="clientId" value="7e486a0b-6c1a-4c69-a441-4c9891b17861" />

<beans:property name="secret" value="tsVPS14hmf0Gw6yKv5Im7h+DVGj+woEymNOfFA3XpBQ=" />

<beans:property name="scope" value="address phone openid email profile" />

<beans:property name="preferredJwsAlgorithm" value="RS256"/> 

<!-- <beans:property name="responseType" value="id_token"/> -->

<!-- <beans:property name="responseMode" value="form_post"/> -->

<!-- <beans:property name="useNonce" value="true"/> -->

<!-- <beans:property name="callbackUrl" value="https://XXXXXXXXXX/XXXXX/callback/AzureAdClient"/> -->

  <beans:property name="discoveryURI" value="https://login.microsoftonline.com/XXXXXXXXXX/.well-known/openid-configuration" />

</beans:bean>

  

  

    <beans:bean id="clients" class="org.pac4j.core.client.Clients">

         <beans:property name="callbackUrl" value="${CALLBACK_URL}"/>

         <beans:property name="defaultClient" ref="azureClient"/>

        <beans:property name="clients">

        <beans:list>

         <beans:ref bean="azureClient" />

         </beans:list>

        </beans:property>

Am i Doing anything wrong ?

Please advice...

Thanks

Saurabh

...

[Jérôme LELEU]

Hi,

In the clients bean, can you put the clients setter before the defaultClient setter or use the constructor for clients?

Thanks.

Best regards,

Jérôme

--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.