Social Login with Microsoft (MS Live)

Article ID: 434487

Products

CA Single Sign On Federation (SiteMinder)

Issue/Introduction

SiteMinder federation integration with Microsoft Live for social login was working fine for years, but it is now failing with the following error:


{"error":"invalid_grant","error_description":"The provided value for the 'code' parameter is not valid. The code has expired.","correlation_id":"ce0d9c80-b16c-43c3-bd2d-e145917b94ca"}

Environment

Any supported SiteMinder version

Cause

The legacy Microsoft Live API (login.live.com) and Live Connect (apis.live.net) reached End-of-Life (EOL) on November 1, 2018. While these services continued to function in some environments for a time, they eventually ceased processing requests, which resulted in "400 Bad Request" errors and failed user information retrievals.

Resolution

The federation partnership must be updated to use the modern Microsoft OAuth integration endpoints. The legacy URLs in the Partnership configuration need to be updated with the information below.

 

| Field | Updated Value |
| --- | --- |
| Authorization Service URL | https://login.microsoftonline.com/common/oauth2/v2.0/authorize |
| Access Token Service URL | https://login.microsoftonline.com/common/oauth2/v2.0/token |
| User Information Services | https://graph.microsoft.com/v1.0/me |
| UserInfo Endpoint Request Method | BearerToken as Get Request |
| AzHeader Scope | openid email user.read |
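
A way to check a partnership export for leftover legacy hosts and to see what the updated requests look like on the wire. This is an added example, not SiteMinder or Microsoft code: the function names, the sample partnership, its legacy URL paths, and the client values are constructed for illustration, and only the endpoints, scope, and legacy host names come from this article.

```python
from urllib.parse import urlencode, urlparse
from urllib.request import Request

# Values taken from the Resolution table in this article.
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
USERINFO_URL = "https://graph.microsoft.com/v1.0/me"
SCOPE = "openid email user.read"
# End-of-life hosts named in the Cause section.
LEGACY_HOSTS = ("login.live.com", "apis.live.net")

# Constructed sample: field names follow the table, URL paths are placeholders.
SAMPLE_PARTNERSHIP = {
    "Authorization Service URL": "https://login.live.com/EXAMPLE-authorize-path",
    "Access Token Service URL": TOKEN_URL,
    "User Information Services": "https://APIS.live.net/EXAMPLE-userinfo-path",
}


def find_legacy_urls(partnership):
    """Return the field names whose URL still points at a retired Live host."""
    stale = []
    for field, url in partnership.items():
        # Compare parsed host names, not substrings, so a look-alike path or
        # query string containing "login.live.com" is not flagged by mistake.
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in LEGACY_HOSTS):
            stale.append(field)
    return stale


def build_authorize_url(client_id, redirect_uri, state):
    """Authorization-code request to the v2.0 endpoint with the article's scope."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": SCOPE,
        "state": state,  # anti-CSRF value, checked again on the callback
    })
    return f"{AUTHORIZE_URL}?{query}"


def build_userinfo_request(access_token):
    """User info call: bearer token in the Authorization header of a GET."""
    headers = {"Authorization": f"Bearer {access_token}"}
    return Request(USERINFO_URL, headers=headers, method="GET")


if __name__ == "__main__":
    print("Fields still on legacy hosts:", find_legacy_urls(SAMPLE_PARTNERSHIP))
    print(build_authorize_url("EXAMPLE-CLIENT-ID", "https://sso.example.com/cb", "s1"))
```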

Additional Information

The initial federation partnership configuration was designed by following this Microsoft Windows Live IDP guide.