Table of Contents

🔐 Authentication & Security

The Invisible Handshake:
How Power Pages Authentication Really Works

Understanding OAuth 2.0, OpenID Connect, and SAML 2.0 in Power Pages with visual diagrams and practical examples

By Tino Rabe, Microsoft Power Pages MVP • November 6, 2025 • 25 min read

When you click "Sign in with Microsoft" on a Power Pages site, what actually happens? This guide breaks it down with simple analogies and clear visuals.

The TL;DR: Your portal asks a trusted authority (like Microsoft) to verify who you are. They confirm it, and you're in. Simple as that.

The Three Players

Before we dive into technical flows, let's establish who's involved:

🧑 You (The User)

The person trying to log in.

🏠 Power Pages (Your Portal)

Your website. It needs to know who you are before letting you in.

🏛️ Identity Provider (The Bouncer)

The trusted company that checks IDs. Common examples:

  • Microsoft Entra External ID
  • Google
  • Okta
  • Facebook

💭 The Core Question

How does your portal trust what Microsoft says?

The Answer: Digital signatures. Like a tamper-proof seal on a letter.

OAuth 2.0 / OpenID Connect Deep Dive

Common Identity Providers: Microsoft Entra External ID, Entra ID (Azure AD), Google, GitHub, Auth0, Okta (OIDC)

Protocol Flow: Authorization Code Flow with PKCE (recommended) or Hybrid Flow

🎭 Real-World Analogy: The Nightclub with Police Verification

Imagine a nightclub (Power Pages) that doesn't issue its own IDs. Instead, they trust the police station (Identity Provider) to verify everyone's identity.

  1. 1. You arrive at the club and want to get in
  2. 2. Bouncer says: "I need proof from the police station down the street"
  3. 3. You walk to the police station
  4. 4. Police verify your identity (check your passport) and give you a stamped wristband
  5. 5. You return to the club with the wristband
  6. 6. Bouncer checks the stamp (validates it's authentic) → "You're in!"

Why this works: The club trusts the police's stamp. The police only stamp wristbands for verified people. The stamp can't be forged (digital signature). The wristband expires after a few hours (token expiry).

🔧 Technical Flow: Authorization Code Flow (Step-by-Step)

Phase 1: User Initiates Login

Step 1: User clicks "Sign in with Microsoft" button on Power Pages

💡 Like walking up to the nightclub

Phase 2: Authorization Request

Step 2: Power Pages generates an authorization request with:

  • client_id - Your app's ID
  • redirect_uri - Where to return after login
  • scope - What info you need (openid, email, profile)
  • state - Random value to prevent CSRF attacks
  • nonce - Random value to prevent replay attacks

💡 Like the bouncer writing a note: "Please verify this person and send them back"

Step 3: Browser redirects user to Identity Provider (e.g., Microsoft login page)

💡 Like walking to the police station

Phase 3: User Authentication

Step 4: User enters username and password on IdP's login page

Step 5: IdP validates credentials against its user database

💡 Like the police checking your passport

Phase 4: Authorization Code Exchange

Step 6: IdP generates an Authorization Code (short-lived, single-use)

Step 7: Browser redirects back to Power Pages with the code in the URL:

https://yoursite.powerappsportals.com/signin-oidc?code=abc123&state=xyz

💡 Like getting a temporary receipt from police - not the full ID yet

Step 8: Power Pages verifies the state parameter (CSRF protection)

Step 9: Power Pages makes a backend request to IdP's token endpoint:

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=abc123&
client_id=your-client-id&
client_secret=your-secret&
redirect_uri=https://yoursite.powerappsportals.com/signin-oidc

💡 Like the club manager calling the police station to verify the receipt

Why backend? The client_secret must never be exposed to the browser!

Phase 5: Token Validation & Session Creation

Step 10: IdP returns tokens:

  • id_token (JWT) - Contains user identity claims
  • access_token - For API calls (optional in Power Pages)
  • refresh_token - To get new tokens without re-login (optional)

Step 11: Power Pages validates the id_token:

  • ✅ Signature is valid (using IdP's public key)
  • ✅ Issuer (iss) matches expected IdP
  • ✅ Audience (aud) matches our client_id
  • ✅ Token hasn't expired (exp claim)
  • ✅ Nonce matches the one we sent

💡 Like the bouncer checking the stamp is authentic and not expired

Step 12: Power Pages extracts user claims from token (email, name, etc.)

Step 13: Power Pages creates or updates contact record in Dataverse

Step 14: Power Pages creates a session cookie

Step 15: User is redirected to the originally requested page

💡 Like finally getting into the club with your verified wristband

Phase 6: Subsequent Requests

Every page load: Power Pages checks the session cookie

Token expired? Use refresh token to get new tokens (if configured)

Session expired? User must log in again

🔐 Why the Two-Step Dance? (Code → Tokens)

The Problem: If the IdP sent tokens directly in the browser URL (or as a POST to the browser), malicious JavaScript on the page could steal them.

The Solution: Authorization Code Flow separates concerns:

  • Frontend: Browser only sees a short-lived, single-use authorization code
  • Backend: Power Pages server exchanges the code for tokens using the client secret
  • Result: Tokens never touch the browser, making token theft impossible

💡 It's like getting a receipt at the police station, then the club manager calls to verify and get the full details privately.

📊 Visual Flow Diagram

sequenceDiagram autonumber actor User participant Browser participant PP as Power Pages participant IdP as Identity Provider User->>Browser: 1. Navigate to portal Browser->>PP: 2. Request protected page PP->>Browser: 3. Redirect to login page rect rgb(200, 220, 255) Note over User,Browser: User initiates login User->>Browser: 4. Click "Sign in with Azure AD" end rect rgb(255, 220, 200) Note over Browser,IdP: Authorization Request Phase Browser->>PP: 5. POST /signin-oidc PP->>PP: 6. Generate auth request
(client_id, redirect_uri, scope, state, nonce) PP->>Browser: 7. HTTP 302 Redirect to IdP Browser->>IdP: 8. GET /authorize?params end rect rgb(200, 255, 220) Note over User,IdP: User Authentication Phase IdP->>Browser: 9. Show login page User->>Browser: 10. Enter username/password Browser->>IdP: 11. POST credentials IdP->>IdP: 12. Validate credentials end rect rgb(255, 255, 200) Note over Browser,PP: Authorization Code Exchange IdP->>Browser: 13. HTTP 302 with code Browser->>PP: 14. GET /signin-oidc?code=xyz&state=abc PP->>PP: 15. Verify state parameter PP->>IdP: 16. POST /token
(code, client_id, client_secret) IdP->>IdP: 17. Validate code & client IdP->>PP: 18. Return id_token + access_token end rect rgb(220, 200, 255) Note over PP: Token Validation & Session Creation PP->>PP: 19. Validate id_token signature PP->>PP: 20. Check iss, aud, exp, nonce PP->>PP: 21. Extract user claims PP->>PP: 22. Create/update user in Dataverse PP->>PP: 23. Create session cookie end PP->>Browser: 24. Set-Cookie + Redirect to original page Browser->>PP: 25. Request original page with cookie PP->>Browser: 26. Return protected content Browser->>User: 27. Display page

💡 Diagram Legend: The colored boxes group related steps together. Numbers match the step-by-step explanation above.

Required Parameters

These parameters must be configured for authentication to work:

Parameter Description Example Value
Provider NameREQUIRED The text displayed on the sign-in button that users see on the login page "Sign in with Company Account"
"Sign in with Microsoft"
AuthorityREQUIRED The identity provider's authorization endpoint URL. This tells Power Pages where to redirect users for authentication. https://{tenant}.ciamlogin.com/ (Entra External ID)
https://login.microsoftonline.com/{tenant-id}/ (Entra ID)
https://accounts.google.com/ (Google)
Client IDREQUIRED The application (client) ID from your IdP app registration. This uniquely identifies your Power Pages site to the identity provider. 12345678-90ab-cdef-1234-567890abcdef
Redirect URLREQUIRED The Power Pages callback URL where the IdP sends users after authentication. Auto-generated by Power Pages. Always use the Copy button - never type this manually! https://yoursite.powerappsportals.com/signin-oidc
https://customdomain.com/signin-oidc
Metadata AddressREQUIRED The OpenID Connect discovery document URL. This URL contains all the IdP's endpoints, supported features, and public keys for token validation. Power Pages automatically fetches this document to configure itself. https://{tenant}.ciamlogin.com/.well-known/openid-configuration
https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
ScopeREQUIRED Space-separated list of OAuth scopes to request. openid is mandatory for OpenID Connect. Add email to get the user's email address, profile to get first name and last name. openid email (minimal)
openid email profile (recommended)
Response TypeREQUIRED The OAuth flow type. code id_token (hybrid flow) is recommended for security - it provides both an authorization code (for backend token exchange) and an ID token (for immediate user info). code id_token (recommended)
code
id_token
Client SecretREQUIRED* The client secret from your IdP app registration. Required when Response Type includes code. This secret proves to the IdP that the token exchange request is coming from your authorized Power Pages site. Keep this secret secure! *Required only if Response Type contains code
Response ModeREQUIRED How the IdP returns the authentication response. form_post is recommended - it sends tokens via HTTP POST (more secure than URL fragments). form_post (recommended)
query
fragment

Optional / Advanced Parameters

These parameters provide additional control but are not required for basic authentication:

Parameter Description Default / Use Case
External LogoutOPTIONAL Enable federated sign-out. When On, signing out of Power Pages also signs the user out of the IdP (and all other apps using that IdP). When Off, only signs out of Power Pages - user remains logged into IdP. Off (default)

Turn On for: High-security scenarios requiring complete logout
Turn Off for: Users who need to stay logged into other apps
Post Logout Redirect URLOPTIONAL Where to redirect users after they sign out. Must be configured in the IdP's allowed logout URLs. https://yoursite.powerappsportals.com/
RP Initiated LogoutOPTIONAL Allow the relying party (Power Pages) to initiate sign-out at the IdP. Only works when External Logout is turned On. Off (default)

Requires: External Logout = On
Issuer FilterOPTIONAL Wildcard-based filter for multi-tenant scenarios. Use this when you want to accept tokens from multiple Azure AD tenants. The * matches any tenant ID. https://sts.windows.net/*/

Use Case: B2B portals where users from different companies authenticate
Validate AudienceOPTIONAL Enable audience validation during token validation. When On, Power Pages checks that the aud claim in the token matches one of your specified Valid Audiences. Off (default)

Production Recommendation: Turn On + set Valid Audiences
Valid AudiencesOPTIONAL Comma-separated list of allowed audience values. Only tokens with these audience claims will be accepted. Prevents token misuse across applications. api://12345678-90ab-cdef
api://app1,api://app2

Requires: Validate Audience = On
Validate IssuersOPTIONAL Enable issuer validation during token validation. When On, Power Pages only accepts tokens from IdPs in your Valid Issuers list. Off (default)

Security: Prevents token replay from unauthorized IdPs
Valid IssuersOPTIONAL Comma-separated list of allowed issuer URLs. Only tokens from these issuers will be accepted. https://sts.windows.net/{tenant1}/,https://sts.windows.net/{tenant2}/

Requires: Validate Issuers = On
Registration Claims MappingOPTIONAL Map claims from the IdP token to Dataverse contact fields during user registration. Format: contact_field=token_claim. This automatically populates user profile fields. firstname=given_name,lastname=family_name

Supported types: Text and Boolean only
Login Claims MappingOPTIONAL Map claims from the IdP token to Dataverse contact fields during every sign-in. Use this to keep contact data in sync with IdP data on every login. firstname=given_name,lastname=family_name

Tip: Use same mapping as Registration for consistency
Nonce LifetimeOPTIONAL How long (in minutes) the nonce value is valid. Nonce prevents replay attacks by ensuring each authentication request can only be used once. 10 minutes (default)

Adjust if: Users on slow networks experience timeouts
Use Token LifetimeOPTIONAL Match Power Pages session lifetime to the IdP token expiry time. When On, overrides the default 8-hour session timeout. Session ends when token expires (typically 1 hour). Off (default = 8 hours)

Turn On for: High-security portals requiring frequent re-authentication
Contact Mapping with EmailOPTIONAL Automatically associate IdP identity with Dataverse contact based on email address match.

On: If a contact with matching email exists, automatically link the IdP identity to that contact.
Off: Create new contact for every new IdP identity, even if email matches existing contact.		 On (default - recommended)

Important: When Off, same user can create multiple contacts if they use different IdPs

💡 OAuth/OIDC Quick Start

For 90% of OAuth/OIDC scenarios, you only need the Required Parameters:

  1. Register app in your IdP (Entra External ID, Google, etc.)
  2. Copy the Redirect URL from Power Pages → paste as Redirect URI in IdP
  3. Get Client ID and Client Secret from IdP
  4. Find the Metadata Address (usually in IdP app overview or endpoints section)
  5. Set Scope to openid email (or openid email profile if you need first/last name)
  6. Set Response Type to code id_token and Response Mode to form_post
  7. Test in Incognito mode!

✅ OAuth/OIDC Dos and ❌ Don'ts

DO - OAuth Best Practices

  • ✅ Use code id_token response type - Hybrid flow provides best security and user experience
  • ✅ Always request email scope - Required for user identification and contact mapping
  • ✅ Use the Copy button for Redirect URL - Typos in redirect URLs cause 80% of OAuth failures
  • ✅ Verify metadata URL is publicly accessible - Open it in browser without authentication
  • ✅ Start with minimal scopes - openid email is enough, add profile only if needed
  • ✅ Set client secret expiry to 6-12 months - Forces rotation without being too frequent
  • ✅ Test token claims in jwt.io - Verify email, name, groups arrive as expected
  • ✅ Enable diagnostic logging before testing - Power Pages → Settings → Authentication → Enable logging
  • ✅ Test with non-admin accounts - Admin accounts have different token claims
  • ✅ Configure Claims Mapping for firstname/lastname - Improves user experience on profile page

DON'T - OAuth Pitfalls

  • ❌ Don't type Redirect URL manually - One character wrong = cryptic "redirect_uri_mismatch" error
  • ❌ Don't forget the trailing slash in Authority - https://login.microsoftonline.com/{tenant-id}/ (needs trailing /)
  • ❌ Don't share Client Secrets across multiple sites - Each Power Pages site needs its own app registration
  • ❌ Don't test only in your own browser - Test in Incognito, different browsers, mobile devices
  • ❌ Don't use implicit flow - Response type id_token alone is deprecated, use code id_token
  • ❌ Don't request unnecessary scopes - More scopes = more consent prompts for users = higher drop-off
  • ❌ Don't ignore token expiry - Default 1-hour token lifetime requires session management strategy
  • ❌ Don't forget to configure Post Logout Redirect URL - Without it, users see IdP logout page instead of your site
  • ❌ Don't assume SSO = Single Sign-Out - SSO works, but Single Sign-Out is NOT supported in Power Pages
  • ❌ Don't skip Claims Mapping validation - Wrong mapping = broken user profiles

🚨 Top 5 OAuth/OIDC Configuration Mistakes

1. Redirect URI Mismatch

Problem: URL in Power Pages doesn't exactly match URL in IdP app registration (including trailing slash, http vs https, casing)

Symptom: Error "redirect_uri_mismatch" or "AADSTS50011: The redirect URI specified in the request does not match"

Fix: Use Copy button in Power Pages, paste EXACT value into IdP. Check trailing slash, protocol (https), and casing.

2. Missing or Wrong Scope

Problem: Scope doesn't include openid (mandatory) or email (needed for contact mapping)

Symptom: Authentication works but users have no email address in Power Pages, can't send notifications

Fix: Set Scope to at minimum openid email. Add profile if you need firstname/lastname.

3. Metadata URL Not Accessible

Problem: Metadata URL requires authentication or is behind firewall/VPN

Symptom: "Unable to retrieve metadata" or 404/401 errors during configuration

Fix: Metadata URL must be publicly accessible. Test by opening in browser without being logged in to any account.

4. Expired Client Secret

Problem: Client secret expired (typically after 6-24 months depending on configuration)

Symptom: Authentication worked before, suddenly stops with "invalid_client" or "AADSTS7000222" error

Fix: Generate new client secret in IdP, update in Power Pages. Set calendar reminder 30 days before next expiry.

5. Wrong Response Mode

Problem: Using query or fragment response mode with code id_token response type

Symptom: Tokens appear in browser URL bar (security risk), or errors about response mode mismatch

Fix: Always use form_post response mode - it's the most secure option for Power Pages.

🎯 OAuth/OIDC Best Practices

For Identity Provider Admins (Entra External ID, Google, Auth0)

App Registration Setup
  • One app registration per Power Pages site - Isolates configuration, easier troubleshooting, better security
  • Use descriptive app names - "Power Pages Production Customer Portal" not "App1"
  • Document all settings - Screenshot app registration settings, save in project documentation
  • Configure multiple owners - Don't rely on single person for secret rotation
Secret Management
  • Set 6-month expiry for client secrets - Balance between security (rotation) and operational overhead
  • Use descriptive secret names with expiry date - "Prod Secret (Expires Dec 2025)" not "Secret 1"
  • Create TWO secrets with staggered expiry - Allows zero-downtime rotation (update Power Pages to Secret 2, then rotate Secret 1)
  • Set calendar reminders 30 days before expiry - Prevents emergency "authentication is down" incidents
Claims & Token Configuration
  • Always include email claim - Essential for Power Pages contact mapping
  • Configure optional claims for profile data - Enable given_name, family_name in token configuration
  • Test tokens in jwt.io - Decode ID tokens to verify claims before testing in Power Pages
  • Configure group claims for role mapping - Use groups to automatically assign Power Pages roles
  • Keep token lifetime at default 1 hour - Don't extend to avoid security risks

For Power Pages Admins

Configuration & Testing
  • Always test in Incognito/Private mode - Catches cookie and cache issues
  • Enable diagnostic logging BEFORE testing - Logs show exact OAuth errors with error codes
  • Test with non-admin accounts - Admin tokens have different claims, not representative of end users
  • Test across devices - Desktop Chrome, mobile Safari, Edge - OAuth behaves differently
  • Verify email claim arrives in contact record - Check contact record after first login
Claims Mapping
  • Configure Registration Claims Mapping - firstname=given_name,lastname=family_name
  • Use same mapping for Login Claims Mapping - Keeps contact data synced with IdP on every login
  • Don't map fields users can't change - Mapping job title when users can't update it causes confusion
  • Test claims mapping with real user account - Verify mapped fields appear correctly in contact record
Session Management
  • Understand default 8-hour session - Power Pages session != token expiry (token expires at 1 hour, session continues)
  • Consider Use Token Lifetime for high-security portals - Forces re-authentication when token expires
  • Test session expiry behavior - What happens after 8 hours? Does user get clear error message?
  • Educate users about IdP session vs Power Pages session - Signing out of portal doesn't sign out of IdP

For Consultants & Developers

Troubleshooting Workflow
  • Step 1: Verify Redirect URL - 80% of OAuth issues are redirect URL mismatch
  • Step 2: Check Metadata URL accessibility - Open in browser, should return JSON without authentication
  • Step 3: Verify Client ID and Secret - Copy-paste from IdP, don't trust memory
  • Step 4: Check Scope configuration - Must include openid minimum
  • Step 5: Review Power Pages diagnostic logs - Look for specific error codes (AADSTS*, invalid_client, etc.)
  • Step 6: Use browser DevTools Network tab - Watch OAuth flow: authorization request → redirect → token exchange
Common Error Codes
  • AADSTS50011 - Redirect URI mismatch → Check exact URL in IdP vs Power Pages
  • AADSTS7000222 - Invalid client secret → Generate new secret, update Power Pages
  • AADSTS50105 - User not assigned to app → Add user to app assignment in IdP
  • invalid_request - Missing required parameter → Check Scope, Client ID, Response Type
  • unauthorized_client - Client not authorized → Check app registration settings, consent requirements
Project Delivery
  • Screenshot EVERY working config screen - Client ID, Authority, Scopes, Claims Mapping
  • Document client secret rotation process - Who does it, how often, what's the process
  • Create error runbook - Document errors seen during testing with solutions
  • Provide user documentation - Explain why users need to consent, how logout works, session timeout

Single Sign-On (SSO) with OAuth/OpenID Connect

Quick Answer: Yes! OAuth 2.0 and OpenID Connect enable SSO across multiple applications.

🔑 How SSO Works

🎭 The Concert Wristband Analogy

Imagine a music festival with multiple stages (applications):

  1. Entry gate checks your ticket and gives you a wristband
  2. Stage 1 (App 1) sees your wristband → "You're in!"
  3. Stage 2 (App 2) sees the same wristband → "You're in here too!"
  4. No need to show your ticket again at each stage

That wristband = your access token from the identity provider.

✅ What Power Pages Supports

  • Single Sign-In - Log in once, access multiple Power Pages sites (if they use the same IdP)
  • Cross-application SSO - Works with other apps using the same identity provider
  • Front-channel sign-out - Logs you out of both Power Pages AND the IdP

❌ What Power Pages Doesn't Support

  • Single Sign-Out - Logging out of one app won't log you out of all apps automatically
  • Cross-provider SSO - Can't share sessions between Google and Microsoft logins

🎯 Real-World SSO Scenarios

Scenario 1: Employee Portal + Intranet

Setup: Both use Microsoft Entra External ID

Result:

  • ✅ Employee logs into SharePoint → Gets token from Entra External ID
  • ✅ Employee visits Power Pages portal → Same token works!
  • ✅ No second login required ✅

Scenario 2: Customer Portal + Support App

Setup: Both use Okta

Result:

  • ✅ Customer logs into support app → Gets Okta token
  • ✅ Customer clicks link to Power Pages portal → Automatically signed in!
  • ✅ Seamless experience ✅

⚠️ What Breaks SSO?

  • ❌ Different identity providers - Portal uses Google, app uses Microsoft (won't share sessions)
  • ❌ Token expired - Tokens typically last 1 hour, then you need to re-authenticate
  • ❌ Different domains - Cookies don't cross domains (use same parent domain if possible)
  • ❌ Incognito/Private mode - No cookies = no SSO

🔧 Setting Up SSO

Step 1: Use the same Identity Provider everywhere

  • • All apps → Microsoft Entra External ID, OR
  • • All apps → Okta, OR
  • • All apps → Google

Step 2: Configure apps in the IdP

  • • Register each app (Power Pages, SharePoint, custom apps)
  • • Use same tenant/organization
  • • Configure proper redirect URLs for each

Step 3: Test the flow

  • • Log into App 1 → Get token
  • • Open App 2 in same browser → Should auto-login
  • • Check: No second password prompt = SSO working! ✅

📊 SSO Token Lifetime

Token Type Typical Lifetime What Happens After
ID Token 1 hour Need to refresh (usually silent)
Access Token 1 hour Need to refresh using refresh token
Refresh Token 90 days (Microsoft) Need to login again
Power Pages Session 8 hours (configurable) Redirected to login page

💡 Pro Tip: Silent Token Refresh

OAuth/OpenID Connect providers can silently refresh tokens in the background using refresh tokens. This means:

  • ✅ User's session stays active without re-login
  • ✅ Happens automatically before token expires
  • ✅ User doesn't notice anything ✅

Power Pages does this automatically. You don't need to configure anything special.

🚫 When SSO Doesn't Work

Problem: "I logged into App A but still need to login to Power Pages"

Checklist:

  • ☐ Same identity provider? (Both must use Entra External ID, not one Entra + one Google)
  • ☐ Same tenant? (Both must be in same Entra External ID tenant)
  • ☐ Same browser? (Can't SSO across different browsers)
  • ☐ Cookies enabled? (SSO needs cookies)
  • ☐ Token still valid? (Check if it expired)

🎯 SSO Best Practices

  • ✅ Keep it simple - One IdP for all apps (don't mix Google + Microsoft + Okta)
  • ✅ Communicate session limits - Tell users "Session expires in 8 hours"
  • ✅ Implement "Remember me" - Longer refresh token = less re-logins
  • ✅ Test across apps - Make sure SSO actually works before launch
  • ✅ Document the flow - So support knows what's expected

SAML 2.0 Deep Dive

Common Identity Providers: Okta, Microsoft Entra ID (Enterprise Apps), Azure AD B2C (with custom policies), Ping Identity, OneLogin, Shibboleth

Protocol Flow: SP-initiated SAML flow (Power Pages redirects user to IdP for authentication)

🎭 Real-World Analogy: The Embassy Visa System

Imagine you want to enter a foreign country (Power Pages) that requires a visa. You can't just show up - you need proof from your home country's embassy (Identity Provider) that you're authorized.

  1. 1. You arrive at the border (Power Pages login page)
  2. 2. Border Guard says: "You need a visa from your embassy" and gives you an official form (SAML Request)
  3. 3. You take the form to your embassy (IdP login page)
  4. 4. Embassy Staff verify your identity (check your passport, ask security questions)
  5. 5. Embassy stamps your visa application form (SAML Assertion) with an official seal
  6. 6. You return to the border with the stamped form
  7. 7. Border Guard verifies the embassy seal (XML signature validation), checks it's authentic → "Welcome!"

Why this works: The border guard trusts the embassy seal (both agreed on security certificates beforehand). The embassy seal is tamper-proof (XML digital signature). The visa has an expiry time (NotOnOrAfter). The visa is for this specific person (NameID matches).

🔧 Technical Flow: SP-Initiated SAML 2.0 (Step-by-Step)

Phase 1: User Initiates Login (Service Provider Initiated)

Step 1: User clicks "Sign in with Okta" (or your SAML provider) on Power Pages

💡 Like arriving at the border checkpoint

Phase 2: SAML Authentication Request (AuthnRequest)

Step 2: Power Pages generates a SAML AuthnRequest (XML document) containing:

  • Issuer - Service Provider Realm (your site's identifier)
  • AssertionConsumerServiceURL - Where to send the response
  • ID - Unique request ID (prevents replay attacks)
  • IssueInstant - Timestamp when request was created

Example SAML Request:

<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_abcd1234"
  Version="2.0"
  IssueInstant="2025-11-06T10:30:00Z"
  Destination="https://idp.example.com/saml/sso"
  AssertionConsumerServiceURL="https://yoursite.powerappsportals.com/signin-saml2">
  <saml:Issuer>https://yoursite.powerappsportals.com/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>

💡 Like the border guard giving you an official form to take to the embassy

Step 3: Power Pages encodes the XML request (Base64), optionally compresses it (Deflate), and redirects browser to IdP:

https://idp.example.com/saml/sso?SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdC...

💡 Like walking to the embassy with the form

Phase 3: User Authentication at IdP

Step 4: IdP decodes and validates the SAML Request

  • ✅ Checks Issuer is a known Service Provider
  • ✅ Validates IssueInstant isn't too old
  • ✅ Checks AssertionConsumerServiceURL is registered

Step 5: IdP shows login page to user

Step 6: User enters credentials (username/password, MFA, etc.)

Step 7: IdP validates credentials

💡 Like the embassy staff checking your passport and asking security questions

Phase 4: SAML Response (Assertion) Generation

Step 8: IdP creates a SAML Assertion (XML) containing:

  • Issuer - IdP's entityID
  • Subject/NameID - User's unique identifier (email, UPN, etc.)
  • Conditions - Audience (must match Service Provider Realm), NotBefore, NotOnOrAfter timestamps
  • AttributeStatement - User claims (email, firstname, lastname, roles)
  • AuthnStatement - When/how user authenticated

Example SAML Assertion:

<saml:Assertion ID="_xyz5678" IssueInstant="2025-11-06T10:31:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="email">john.doe@company.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-11-06T10:30:00Z" NotOnOrAfter="2025-11-06T11:31:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://yoursite.powerappsportals.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>john.doe@company.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
</saml:Assertion>

Step 9: IdP signs the XML assertion using its private key (X.509 certificate)

💡 Like the embassy stamping and sealing the visa form

Phase 5: POST Assertion Back to Service Provider

Step 10: IdP Base64-encodes the signed SAML Response

Step 11: IdP sends an auto-submitting HTML form to browser (HTTP POST binding):

<form method="POST" action="https://yoursite.powerappsportals.com/signin-saml2">
  <input type="hidden" name="SAMLResponse" value="PD94bWwgdmVyc2lvbj0iMS4w..." />
  <input type="submit" value="Continue" />
</form>
<script>document.forms[0].submit();</script>

Step 12: Browser automatically POSTs to Power Pages ACS URL

💡 Like returning to the border with the stamped visa

Phase 6: Assertion Validation & Session Creation

Step 13: Power Pages decodes the SAML Response

Step 14: Power Pages validates the assertion:

  • Signature Valid: Uses IdP's public key (from metadata) to verify XML signature
  • Issuer Matches: Assertion Issuer = Authentication Type (entityID)
  • Audience Matches: Audience = Service Provider Realm
  • Not Expired: Current time between NotBefore and NotOnOrAfter
  • Not Replayed: Assertion ID hasn't been used before (stored in cache)

💡 Like border guard checking: embassy seal authentic? visa for this country? not expired? not used before?

Step 15: Extract user attributes from AttributeStatement (email, name, etc.)

Step 16: Create or update contact record in Dataverse using NameID and attributes

Step 17: Create Power Pages session cookie

Step 18: Redirect user to originally requested page

💡 Like finally being allowed to cross the border

🔐 Key SAML Differences from OAuth/OIDC

1. XML Instead of JSON: SAML uses verbose XML documents. OAuth/OIDC uses compact JSON tokens.

2. Signatures on XML: SAML signs the entire XML assertion. OAuth signs JWT tokens with simpler base64 encoding.

3. No Backend Token Exchange: SAML assertion is POSTed directly to browser (but it's signed, so still secure). OAuth has a backend code-for-tokens exchange.

4. Certificate-Based Trust: SAML requires exchanging X.509 certificates beforehand. OAuth uses metadata discovery URLs.

5. Enterprise-Focused: SAML is older (2005) and common in enterprise/B2B scenarios. OAuth/OIDC is newer (2012/2014) and more modern.

📊 Visual Flow Diagram

sequenceDiagram autonumber actor User participant Browser participant PP as Power Pages
(Service Provider) participant IdP as Identity Provider
(Okta/Entra ID) User->>Browser: 1. Navigate to portal Browser->>PP: 2. Request protected page PP->>Browser: 3. Redirect to login page rect rgb(200, 220, 255) Note over User,Browser: User initiates login User->>Browser: 4. Click "Sign in with Okta" end rect rgb(255, 220, 200) Note over PP,IdP: SAML Authentication Request (AuthnRequest) Browser->>PP: 5. POST /signin-saml2 PP->>PP: 6. Generate SAML AuthnRequest XML
(Issuer, ACS URL, ID, Timestamp) PP->>Browser: 7. HTTP 302 Redirect with encoded SAML Request Browser->>IdP: 8. GET /sso?SAMLRequest=... end rect rgb(200, 255, 220) Note over User,IdP: User Authentication Phase IdP->>IdP: 9. Decode & validate SAML Request IdP->>Browser: 10. Show login page User->>Browser: 11. Enter username/password Browser->>IdP: 12. POST credentials IdP->>IdP: 13. Validate credentials end rect rgb(255, 255, 200) Note over IdP,PP: SAML Response (Assertion) Generation IdP->>IdP: 14. Create SAML Assertion XML
(Issuer, NameID, Attributes, Conditions) IdP->>IdP: 15. Sign XML with X.509 certificate IdP->>Browser: 16. Auto-submit HTML form with SAMLResponse Browser->>PP: 17. POST /signin-saml2 with SAMLResponse end rect rgb(220, 200, 255) Note over PP: Assertion Validation & Session Creation PP->>PP: 18. Decode SAML Response PP->>PP: 19. Validate XML signature (using IdP public key) PP->>PP: 20. Check Issuer, Audience, NotBefore, NotOnOrAfter PP->>PP: 21. Extract NameID & Attributes PP->>PP: 22. Create/update user in Dataverse PP->>PP: 23. Create session cookie end PP->>Browser: 24. Set-Cookie + Redirect to original page Browser->>PP: 25. Request original page with cookie PP->>Browser: 26. Return protected content Browser->>User: 27. Display page

💡 Diagram Legend: Notice how SAML uses XML (not JSON) and signs the entire assertion instead of using a backend token exchange like OAuth.

Required Parameters

These parameters must be configured for SAML authentication to work:

Parameter Description Example Value
Provider NameREQUIRED The text displayed on the sign-in button "Sign in with Okta"
"Sign in with Company SSO"
Metadata AddressREQUIRED The SAML 2.0 federation metadata document URL. This XML document contains all SAML endpoints, certificates, and supported features. Power Pages automatically parses this to configure SAML communication. https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml (Entra ID)
https://yourorg.okta.com/app/{app-id}/sso/saml/metadata (Okta)
Authentication TypeREQUIRED The entityID value from the SAML metadata document. This uniquely identifies the identity provider. You can find this by opening the Metadata Address URL in a browser and copying the <entityID> tag value from the root <EntityDescriptor> element. https://sts.windows.net/{tenant-id}/ (Entra ID)
http://www.okta.com/{externalKey} (Okta)
Service Provider RealmREQUIRED The App ID URI from your IdP app registration. This identifies your Power Pages site to the IdP (also called Audience in SAML terms). Must match exactly what you configured in the IdP as the SP Entity ID or Audience. https://yoursite.powerappsportals.com/
api://{app-id} (when using Entra ID auto-generated URI)
Assertion Consumer Service URLREQUIRED The Power Pages callback URL where the IdP sends SAML assertions after authentication (also called ACS URL). Auto-generated by Power Pages. For custom domains, update this value. Must match the IdP's configured ACS URL or Reply URL. https://yoursite.powerappsportals.com/signin-saml2
https://customdomain.com/signin-saml2

Optional / Advanced Parameters

Parameter Description Default / Use Case
Validate AudienceOPTIONAL Enable audience validation during SAML assertion validation. When On, Power Pages checks that the Audience element in the SAML assertion matches one of your Valid Audiences values. This prevents assertion replay attacks. Off (default)

Production Recommendation: Turn On for security
Valid AudiencesOPTIONAL Comma-separated list of allowed audience values. Only SAML assertions with these audience values will be accepted. Should match your Service Provider Realm. https://yoursite.powerappsportals.com/
https://site1.powerappsportals.com/,https://site2.powerappsportals.com/

Requires: Validate Audience = On
Contact Mapping with EmailOPTIONAL Automatically associate IdP identity with Dataverse contact based on email address match.

On: Link to existing contact if email matches
Off: Always create new contact for each new SAML identity		 On (default - recommended)

Important: Ensure IdP sends email claim in SAML assertion (NameID or email attribute)

🔍 How to Find the entityID (Authentication Type)

  1. Copy the Metadata Address URL from your IdP
  2. Paste it into a web browser
  3. You'll see an XML document
  4. Look for the <EntityDescriptor entityID="..."> tag at the top
  5. Copy the entityID value - that's your Authentication Type

Example: In <EntityDescriptor entityID="https://sts.windows.net/abc123/">, the entityID is https://sts.windows.net/abc123/

✅ SAML 2.0 Dos and ❌ Don'ts

DO - SAML Best Practices

  • ✅ Always verify metadata URL is accessible - Open in browser, should return XML without authentication
  • ✅ Copy entityID exactly from metadata - Including protocol (http vs https), trailing slash, casing
  • ✅ Match Service Provider Realm to IdP configuration - Must be exactly what you configured as SP Entity ID in IdP
  • ✅ Configure Name ID format in IdP - Persistent or Email format works best for Power Pages
  • ✅ Send email claim in SAML assertion - Either as NameID or as separate email attribute claim
  • ✅ Test assertion in SAML decoder tool - Use browser extension to decode SAML response, verify claims
  • ✅ Turn on Validate Audience in production - Prevents assertion replay attacks
  • ✅ Use SHA-256 signing algorithm - SHA-1 is deprecated and may be rejected
  • ✅ Configure assertion expiry appropriately - 5-10 minutes is typical, not too short (clock skew) or too long (security)
  • ✅ Document certificate renewal process - SAML certificates expire, plan renewal in advance

DON'T - SAML Pitfalls

  • ❌ Don't confuse Service Provider Realm with ACS URL - They serve different purposes (WHO you are vs WHERE to send response)
  • ❌ Don't use same value for Realm and ACS URL - Common mistake, causes validation errors
  • ❌ Don't type entityID manually - Copy exact value from metadata XML including protocol and trailing characters
  • ❌ Don't forget to configure claim rules in IdP - Power Pages needs at minimum NameID claim (email)
  • ❌ Don't use SHA-1 signing algorithm - Deprecated, may cause security warnings or rejections
  • ❌ Don't ignore certificate expiry - SAML certs expire (typically 1-3 years), plan renewal process
  • ❌ Don't test only SP-initiated flow - Some IdPs require IdP-initiated flow configuration too
  • ❌ Don't assume SAML = OAuth - Different protocols, different configuration, different error messages
  • ❌ Don't skip metadata validation - Verify metadata contains SingleSignOnService and signing certificate
  • ❌ Don't forget clock skew tolerance - Ensure IdP and Power Pages servers have synchronized time (NTP)

🚨 Top 5 SAML Configuration Mistakes

1. Service Provider Realm vs. ACS URL Confusion

Problem: Using the same value for both fields, or swapping them

Symptom: SAML assertion validation errors, "Audience mismatch" or "Invalid destination"

Fix: Service Provider Realm = WHO you are (your SP entity ID, usually your site URL). ACS URL = WHERE to send response (callback endpoint with /signin-saml2). These must be different!

2. Wrong entityID (Authentication Type)

Problem: entityID doesn't match what's in metadata document (typo, wrong protocol, missing trailing slash)

Symptom: "Unknown issuer" or "Issuer mismatch" errors

Fix: Open metadata URL in browser, find <EntityDescriptor entityID="...">, copy EXACT value. Check http vs https, trailing slash.

3. Missing Email Claim

Problem: IdP doesn't send email claim in SAML assertion, or sends it in unexpected format

Symptom: Users can authenticate but contact record has no email, or authentication succeeds but user can't be identified

Fix: Configure IdP to send email as NameID (format: EmailAddress or Persistent), or as separate http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim. Use SAML decoder to verify.

4. Metadata URL Not Accessible

Problem: Metadata URL requires authentication, behind firewall, or returns HTML instead of XML

Symptom: "Unable to retrieve metadata" or "Invalid metadata document" errors

Fix: Metadata must be publicly accessible URL returning valid XML. Test in browser without authentication. For on-prem IdPs, ensure URL is accessible from internet.

5. Clock Skew Issues

Problem: Time difference between IdP server and Power Pages service causes assertion validation failures

Symptom: Intermittent "Assertion expired" or "Assertion not yet valid" errors, especially for users in different timezones

Fix: Ensure IdP server uses NTP for time synchronization. Configure assertion validity period to 5-10 minutes (allows for some clock skew). Test from different locations/timezones.

🎯 SAML 2.0 Best Practices

For Identity Provider Admins (Okta, Entra ID, Ping)

SAML Application Setup
  • Use descriptive app names - "Power Pages Customer Portal (Production)" not "SAML App 1"
  • Configure Single Sign-On URL (ACS URL) correctly - Must end with /signin-saml2
  • Set SP Entity ID to site URL - Use https://yoursite.powerappsportals.com/ or custom domain
  • Configure Name ID format - Use "Persistent" or "Email" format for best compatibility
  • Make metadata publicly accessible - Power Pages needs to fetch metadata without authentication
Claim Configuration
  • Always send email claim - Send as NameID or as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • Send firstname and lastname if available - Use givenName and surname attribute names
  • Consider sending group memberships - Can be used for Power Pages role assignment
  • Test claims with SAML decoder - Use browser extension or online tool to decode SAML response, verify all expected claims arrive
Certificate Management
  • Use SHA-256 signing algorithm - SHA-1 is deprecated
  • Set calendar reminders for certificate expiry - Typically 1-3 years, check 60 days before expiry
  • Rotate certificates without downtime - Configure new cert alongside old, update metadata, then remove old
  • Publish new certificate in metadata before activation - Allows Power Pages to pre-cache new certificate
Security Settings
  • Sign assertions, not just responses - More secure, prevents assertion substitution attacks
  • Set assertion validity to 5-10 minutes - Balance between clock skew tolerance and security
  • Don't sign with SHA-1 - Use SHA-256 or higher
  • Enable audience restriction - Limits assertion to specific SP (your Power Pages site)

For Power Pages Admins

Configuration & Testing
  • Copy Assertion Consumer Service URL from Power Pages - Don't type manually, use Copy button
  • Verify Service Provider Realm matches IdP configuration - Must be exact match (case-sensitive, trailing slash matters)
  • Test metadata URL before configuring - Open in browser, should return XML document
  • Copy entityID from metadata XML - Don't guess, copy exact value from <EntityDescriptor>
  • Enable diagnostic logging before testing - SAML errors are verbose, logs essential for debugging
  • Use SAML decoder browser extension - Decode SAML response to see exactly what IdP is sending
Troubleshooting Tools
  • Browser extension: SAML-tracer or SAML DevTools - Captures and decodes SAML requests/responses
  • Online SAML decoder - samltool.com for decoding assertions
  • Power Pages diagnostic logs - Contains full SAML assertion validation errors
  • IdP sign-in logs - Check if authentication succeeds at IdP before SAML response is sent
Production Readiness
  • Turn on Validate Audience - Set Valid Audiences to your Service Provider Realm value
  • Document certificate expiry date - Add to project docs, set calendar reminders
  • Test from multiple networks - Corporate VPN, home internet, mobile - ensure accessibility
  • Verify Contact Mapping with Email is On - Prevents duplicate contact creation

For Consultants & Developers

SAML Troubleshooting Checklist
  • Step 1: Verify metadata accessibility - Open metadata URL in browser, should return XML
  • Step 2: Check entityID matches - Compare Authentication Type in Power Pages to <EntityDescriptor entityID> in metadata
  • Step 3: Verify Service Provider Realm matches IdP - Must match SP Entity ID configured in IdP
  • Step 4: Check ACS URL is correct - Must end with /signin-saml2 and match IdP configuration
  • Step 5: Use SAML decoder - Capture SAML response, decode, verify claims (email, name, etc.)
  • Step 6: Check Power Pages diagnostic logs - Look for specific SAML validation errors
  • Step 7: Verify certificate is valid - Check expiry date, signing algorithm (should be SHA-256+)
Common SAML Error Messages
  • "Unknown issuer" → entityID (Authentication Type) doesn't match what's in assertion
  • "Audience mismatch" → Service Provider Realm doesn't match audience in assertion, or Validate Audience is On but Valid Audiences is wrong
  • "Invalid destination" → ACS URL in assertion doesn't match configured Assertion Consumer Service URL
  • "Assertion expired" → Clock skew between IdP and Power Pages, or assertion validity too short
  • "Signature validation failed" → Certificate mismatch, expired cert, or wrong signing algorithm
  • "Missing NameID" → IdP not sending NameID claim, check claim rules in IdP
Project Documentation
  • Screenshot IdP SAML configuration - SP Entity ID, ACS URL, NameID format, claim rules
  • Save metadata URL and entityID - Essential for troubleshooting
  • Document certificate expiry process - Who renews, how often, notification process
  • Create SAML error runbook - Document errors encountered during testing with solutions
  • Provide user documentation - Explain SAML login flow, what happens if cert expires, support contact

🌐 Social Identity Providers (Quick Setup for B2C)

What Are Social Identity Providers?

Power Pages includes 5 pre-configured OAuth 2.0 providers for consumer authentication scenarios. These are simplified, wizard-based alternatives to the generic OAuth/OIDC setup covered in the previous section.

🔵
Microsoft
🔴
Google
📘
Facebook
🔗
LinkedIn
🐦
Twitter/X

Key Limitation: Power Pages doesn't support other OAuth providers beyond these five. For custom providers (like Auth0, Okta, or your own OAuth server), use the generic OpenID Connect configuration instead.

Supported Social Providers

Provider Setup Location Best Use Case Special Requirements
Microsoft Azure Portal B2C portals where users have Microsoft accounts (Outlook, Xbox, etc.) Azure AD app registration
Google Google Console Public-facing customer portals, wide consumer reach Enable Google People API
Facebook Facebook Developers Consumer apps, social integration Facebook app registration, privacy policy URL
LinkedIn LinkedIn Developers Professional networks, B2B customer portals LinkedIn app registration
Twitter/X X Developer Platform Social media integration, public community portals Twitter developer account

Configuration Parameters

Social identity providers require only 2-3 configuration values in Power Pages:

Parameter Description Where to Find
Client IDREQUIRED Unique identifier for your OAuth application from the identity provider App registration in provider console
Client SecretREQUIRED Secret key for authenticating your application to the identity provider App registration secrets section
Reply URLAUTO-GENERATED Power Pages callback URL where users return after authentication. Copy from Power Pages wizard, paste into provider console. Format: https://yoursite.powerappsportals.com/signin-{provider}
Examples:
/signin-google
/signin-facebook
/signin-microsoft

Optional Additional Settings

All social providers share these optional advanced settings (expand "Additional settings" in Power Pages wizard):

Setting Description
Scope Comma-separated list of permissions to request from the provider (e.g., email,profile)
Registration enabled When Off, denies registration if no contact exists. When On, allows new user registration (if site setting permits).
Contact mapping with email When On, associates unique contact record with matching email address. Not applicable for Microsoft provider multitenant endpoints.
Authentication type OWIN authentication middleware type (advanced - usually leave default)
Backchannel timeout Timeout in milliseconds for back-channel communications (advanced)

Social OAuth vs. Generic OAuth/OIDC

Aspect Social OAuth (Wizard) Generic OAuth/OIDC (Manual)
Supported Providers Only 5: Microsoft, Google, Facebook, LinkedIn, Twitter/X Any OIDC-compliant provider (Entra External ID, Auth0, Okta, custom)
Setup Method 🟢 Wizard with 2 fields (Client ID + Secret) 🟡 Manual with 9+ parameters
Configuration Authority/Metadata auto-configured by Power Pages You must provide Authority, Metadata Address, Scopes, Response Type, etc.
Primary Use Case B2C consumer portals, public websites B2B enterprise portals, advanced features
Token Format JWT (JSON) - same as generic OAuth JWT (JSON)
Mobile Support ✅ Excellent ✅ Excellent
API Integration ✅ Easy (Access Tokens) ✅ Easy (Access Tokens)
Complexity 🟢 Very Low 🟡 Low-Medium
Advanced Features ⚠️ Limited (no custom scopes, claims mapping limited) ✅ Full control (custom scopes, claims, token validation)

When to Use Social Identity Providers?

✅ Use Social OAuth When:

  • ✅ Building B2C customer portals or public-facing websites
  • ✅ Users already have Google, Facebook, Microsoft, LinkedIn, or Twitter/X accounts
  • ✅ You want fastest possible setup (under 10 minutes)
  • ✅ Don't need custom claims mapping or advanced token validation
  • ✅ Target audience is consumers, not enterprise employees

❌ Use Generic OAuth/OIDC Instead When:

  • ❌ Building enterprise B2B portals with corporate IdP (Entra External ID, Okta, Auth0)
  • ❌ Need custom claims mapping from IdP to Dataverse contact fields
  • ❌ Require advanced token validation (audience, issuer, custom validators)
  • ❌ Want control over scopes, response types, response modes
  • ❌ Using a provider not in the list of 5 (e.g., Ping Identity, Keycloak, custom OAuth server)

🎯 Social IdP Best Practices

Security & Privacy Considerations

  • ✅ Privacy Policy Required: Most social providers (Facebook, Google) require you to display a privacy policy URL during app registration
  • ✅ Minimal Scope Requests: Only request permissions you actually need (e.g., email if you need email, don't ask for profile unnecessarily)
  • ✅ GDPR Compliance: If targeting EU users, ensure social login complies with GDPR (user consent, data processing agreements)
  • ✅ Terms of Service: Review each provider's terms of service - some have restrictions on commercial use
  • ⚠️ Email Verification: Not all social providers guarantee verified emails. Facebook emails may not be verified. Google emails are verified.

Common Pitfalls with Social IdPs

  • ❌ Cross-provider SSO doesn't work: Users who log in with Google cannot log in with Microsoft to the same contact. Each social provider creates a separate identity.
  • ❌ Cannot mix social IdPs for SSO: If you configure both Google and Microsoft, they won't share sessions. User must pick one and stick with it.
  • ❌ Reply URL must match exactly: Including trailing slash, http vs https, subdomain. One character wrong = authentication fails.
  • ❌ Provider app approval delays: Some providers (Facebook, LinkedIn) require app review before going live, which can take days/weeks
  • ⚠️ Rate limiting: Social providers have API rate limits. High-traffic portals may hit limits during login spikes.

Multi-Provider Setup Strategy

Many portals offer multiple social login options. Here's the recommended approach:

  • 1. Choose 2-3 providers max: Don't overwhelm users with 5 buttons. Pick the most relevant for your audience (e.g., Google + Microsoft for professional users)
  • 2. Monitor usage: Track which social providers users actually use. Remove unused providers to simplify login page.
  • 3. Set up redundancy: Configure 2+ providers so if one has an outage (e.g., Google down), users can still log in with Facebook
  • 4. Keep it simple: One IdP for all apps is ideal. Don't mix Google + Microsoft + Okta across different apps - creates user confusion.

🔒 Session Security Deep Dive

The Big Question: "If the session cookie is the key to entry, can I just copy it to another machine and be authenticated?"

The Short Answer

Technically: Yes, you could copy the cookie and gain access.
In practice: Power Pages implements security measures to make this harder (but not impossible).

⚠️ Why This Matters

Session hijacking (cookie theft) is a real security concern. If an attacker gets your session cookie, they can impersonate you until the cookie expires.

The Risk: An attacker with your cookie doesn't need your password. They're already "in."

🛡️ Security Measures in Power Pages Session Cookies

Power Pages session cookies have these built-in protections:

Security Flag What It Does Attack It Prevents
HttpOnly JavaScript cannot read the cookie XSS attacks trying to steal cookies
Secure Cookie only sent over HTTPS Network interception on unencrypted connections
SameSite Cookie won't be sent from other domains CSRF (Cross-Site Request Forgery) attacks
Short Expiry Cookie expires after 8 hours (typical) Limits window for abuse if stolen

❌ What Power Pages DOESN'T Check (by default)

  • ❌ IP address - Cookie works from any IP address
  • ❌ User agent - Cookie works in any browser
  • ❌ Device fingerprint - No device binding
  • ❌ Geolocation - No location validation

This means: If an attacker gets your cookie, they can use it from a different machine/location until it expires.

🎭 Real-World Attack Scenarios

Scenario 1: Malware on User's Machine

Attack:

  1. 1. Attacker installs malware on user's computer
  2. 2. Malware reads browser cookies from disk
  3. 3. Malware sends cookies to attacker's server
  4. 4. Attacker uses cookie on their machine → Full access until expiry

Defense:

  • ✅ Antivirus software (user responsibility)
  • ✅ Keep OS and browser updated
  • ✅ Short session timeout (admin control)
  • ✅ User education (don't use shared devices)

Scenario 2: Network Sniffing (Mitigated by HTTPS)

Attack:

  1. 1. User on public WiFi without HTTPS
  2. 2. Attacker captures network traffic
  3. 3. Attacker extracts session cookie
  4. 4. Attacker replays cookie → Session hijacked

Defense:

  • ✅ Power Pages forces HTTPS (built-in protection)
  • ✅ Secure flag on cookies (prevents transmission over HTTP)
  • ⚠️ Still vulnerable if user ignores certificate warnings

Scenario 3: XSS Attack (Mitigated by HttpOnly)

Attack:

  1. 1. Attacker finds vulnerability in custom portal script
  2. 2. Attacker injects JavaScript: document.cookie
  3. 3. Script tries to read session cookie
  4. 4. HttpOnly flag blocks access ✅

Defense:

  • ✅ HttpOnly flag (built-in to Power Pages)
  • ✅ Content Security Policy (configure in portal)
  • ✅ Input validation on all forms
  • ✅ Regular security audits of custom code

🔧 How to Minimize Risk

For Power Pages Admins:

1. Short session timeouts (e.g., 2-4 hours instead of 8)

  • • Configured at Power Pages level
  • • Balance security vs. user convenience
  • • Limits damage window if cookie is stolen

2. Conditional Access Policies (Entra External ID, requires Premium license)

  • ✅ Restrict by IP range (e.g., corporate network only)
  • ✅ Block suspicious locations (e.g., countries where you don't operate)
  • ✅ Require compliant device
  • ⚠️ Configuration complexity varies by IdP

3. Monitor session activity

  • • Enable diagnostic logging in Power Pages
  • • Review Entra External ID sign-in logs regularly
  • • Look for unusual patterns (see monitoring section below)

4. Use Web Application Firewall (WAF)

  • • Azure Front Door or similar
  • • Can detect session hijacking patterns (e.g., same cookie from multiple IPs)
  • • Rate limiting to prevent brute force

5. Implement custom session validation

  • • Use Power Pages Web API or custom code
  • • Check for suspicious behavior (e.g., rapid page access)
  • • Trigger re-authentication if needed

For End Users:

⚠️ Important: As a portal user, you have NO control over session timeouts or security policies. Those are controlled by the Identity Provider admin and Power Pages admin.

What you CAN do to protect yourself:

  • 🚫 Never access sensitive portals on shared/public computers
  • 🚫 Don't stay logged in unnecessarily (log out when done)
  • ✅ Keep browser and OS updated (security patches)
  • ✅ Use antivirus software
  • ✅ Be cautious on public WiFi (use VPN if possible)
  • ✅ Clear browser cookies after using shared devices
  • ✅ Report suspicious login notifications immediately

If you need stronger security measures, contact your portal administrator.

🔍 Detecting Cookie Theft

Red Flags to Monitor:

Indicator What It Means Action
Same user, different IPs simultaneously Possible cookie theft Force logout, require re-authentication
Login from impossible locations Can't be in USA and China 5 mins apart Block session, alert user
Rapid requests from single session Automated attack or data scraping Rate limit, CAPTCHA, or block
User agent suddenly changes Cookie used in different browser Optional: Re-authenticate if high security

⚠️ Reality Check: What You Can Actually Monitor

Out-of-the-Box (No Additional Tools):

As Power Pages Admin:

  • ✅ Diagnostic logs (errors and failures only)
  • ❌ NO IP addresses, user agents, or session details
  • ❌ NO real-time monitoring capabilities

As Entra External ID Admin:

  • ✅ Sign-in logs (Azure Portal → Entra External ID → Monitoring → Sign-in logs)
  • ✅ Shows: IP, Location, Device, Browser, Success/Failure
  • ⚠️ Only captures LOGIN events, NOT ongoing session activity
  • ❌ Can't detect if same cookie is used from multiple IPs simultaneously

To Actually Detect the Red Flags Above, You Need:

Tool What It Does Cost
Azure Application Insights Track Power Pages requests, IPs, sessions Pay-per-use (~€2-5/GB ingested)
Azure Monitor + Log Analytics Correlate sign-in logs + Power Pages logs Pay-per-use (~€2.50/GB)
Microsoft Entra ID Protection Automatic risk detection (impossible travel, etc.) Premium P2 (~€8-10/user/month)
SIEM (e.g., Microsoft Sentinel) Advanced threat detection, custom rules Enterprise pricing (~€200+/month)

Bottom Line: The red flags table shows what you should monitor, but detecting them requires additional tools and budget. For most Power Pages deployments, this level of monitoring is only justified for high-security scenarios (financial data, healthcare, admin portals).

📊 What You Can Do Without Extra Tools

Practical approach for most projects:

  1. 1. Enable Entra External ID sign-in logs (free, always on)
    • • Review weekly for unusual login patterns
    • • Look for logins from unexpected countries
    • • Check for failed login attempts (brute force?)
  2. 2. Enable Power Pages diagnostic logging (free)
    • • Captures authentication errors
    • • Helps debug login issues
    • • Won't catch session hijacking, but shows system health
  3. 3. Implement Conditional Access (Entra External ID, requires Premium license)
    • • Restrict logins by IP range (e.g., corporate network only)
    • • Block high-risk countries
    • • Require device compliance
    • Prevention is better (and cheaper) than detection!
  4. 4. Short session timeouts (Power Pages setting, free)
    • • Reduce from 8 hours to 2-4 hours
    • • Limits damage window if cookie is stolen
    • • No additional tools needed
  5. 5. User education (free!)
    • • Tell users to log out on shared devices
    • • Warn about phishing attempts
    • • Provide clear "report suspicious activity" contact

📊 Session Security Comparison

Security Measure Power Pages Default Additional Protection Available
HTTPS enforcement ✅ Always on -
HttpOnly cookies ✅ Enabled -
Secure flag ✅ Enabled -
SameSite attribute ✅ Enabled -
IP binding ❌ Not default ⚠️ Via Conditional Access (Entra External ID)
Device binding ❌ Not available ⚠️ Via Conditional Access (Entra External ID)
Geolocation checks ❌ Not default ✅ Via Conditional Access (Entra External ID)
Additional authentication factors ❌ Not built-in ⚠️ Configure at IdP level (complex setup)

💡 The Bottom Line

Session cookies ARE vulnerable to theft - this is true for ALL web applications, not just Power Pages.

The defense is layered security:

  1. 1. Base protections (HTTPS, HttpOnly, Secure flag) → Built-in ✅
  2. 2. Short session timeouts → Limits damage window ✅
  3. 3. Conditional Access → Blocks suspicious activity ⚠️ (Premium license)
  4. 4. Monitoring & alerts → Detect and respond quickly ⚠️ (Extra tools needed)
  5. 5. User education → Prevent careless mistakes ✅ (Free!)

No single measure is perfect - but together, they make stealing sessions significantly harder and less valuable.

🎯 Should You Worry?

Low Risk Scenarios:

  • • Public marketing portal (no sensitive data)
  • • Internal portal on corporate network only
  • • Short sessions (2-4 hours) with Conditional Access enabled

High Risk Scenarios:

  • • Portal with financial transactions
  • • Access to personal health information
  • • Administrative functions (user management, settings)
  • • Publicly accessible with sensitive data

Recommendation: For high-risk scenarios, implement all available protections (short sessions + Conditional Access + monitoring + WAF). Consider additional security measures like step-up authentication for critical operations.

Conclusion

Authentication in Power Pages is basically three friends passing notes: You, your portal, and Microsoft (or Google, etc.).

🎯 Remember These 5 Things

  1. Use OAuth/OpenID Connect - It's the modern way. SAML is for legacy systems.
  2. It's all about trust - Your portal trusts Microsoft's digital signature, like a passport stamp.
  3. Security happens in steps - Multiple redirects = more secure (not a bug!)
  4. Tokens have expiry dates - Usually 1 hour. That's normal.
  5. Check your URLs match exactly - Most auth failures = wrong redirect URL

Power Pages people unite! Don't let those sidekick products defeat us 😜

Now you understand how login works. When something breaks, you'll know where to look.

Further Reading

TR

About the Author

Tino Rabe is a Microsoft MVP for Power Pages and helps organizations build secure, scalable customer portals. Follow him on LinkedIn for more Power Pages insights.

Did this guide help you? Share it with your team! Have questions? Drop a comment below or reach out on LinkedIn.

Need Help with Power Pages Authentication?

Book a free consultation and get expert guidance on implementing secure authentication for your Power Pages site

Schedule Free Consultation