azure/login@v2 github action with federated identity (ADB2C)

Stan Spotts 5 Reputation points
2024-09-19T22:40:35.07+00:00

My github workflow has the following step:

- name: Az CLI login for connecting to ADB2C instance
  uses: azure/login@v2
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    audience: api://AzureADTokenExchange
    allow-no-subscriptions: true
    enable-AzPSSession: true

I get the error:
AADSTS700213: No matching federated identity record found for presented assertion subject 'repo:{orgname}/{repo}:environment:staging'.

But in my app registration that has the client id and tenant id used above, the federated credential is configured to use a branch entity type and the branch "staging" is specified. The Subject identifier is "repo:{orgname}/{repo}:ref:refs/heads/staging"

I can't figure out why this step is insisting that this should be an environment entity rather than a branch entity. It's obviously obtaining the info from the app registration because it knows the configured organization and repo, and even the environment (which has the same name as the branch).

What's the trick to make this work?

Active Directory Federation Services
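Added example, not code from the post or from azure/login. The error above is the token exchange failing an exact-match lookup: when a job declares an `environment:` key, GitHub puts the environment form (`repo:ORG/REPO:environment:NAME`) in the OIDC token's `sub` claim instead of the branch form (`repo:ORG/REPO:ref:refs/heads/BRANCH`), and Entra compares issuer, subject and audience literally, so a branch-type federated credential can never match a job that runs in an environment, even when branch and environment share a name. The script below derives the subject a job will present and checks it against a list of configured credentials; the repository name `contoso/app` and the credential names are placeholders.

```python
"""Derive the GitHub Actions OIDC subject claim for a job and check it
against the federated identity credentials on an Entra app registration.

Added illustration; not from the original post or from azure/login.
Repository and credential names are placeholders.
Subject formats are GitHub's documented defaults:
  job with `environment:`  -> repo:ORG/REPO:environment:NAME
  pull_request event       -> repo:ORG/REPO:pull_request
  otherwise                -> repo:ORG/REPO:ref:refs/heads/BRANCH (or refs/tags/TAG)
"""

from dataclasses import dataclass
from typing import Optional, Sequence

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"


@dataclass(frozen=True)
class JobContext:
    repo: str                          # "org/repo"
    ref: str                           # "refs/heads/staging", "refs/tags/v1", ...
    event: str = "push"                # GitHub event name
    environment: Optional[str] = None  # the job's `environment:` key, if any


def github_subject(job: JobContext) -> str:
    """Default `sub` claim in the job's OIDC token.

    An `environment:` on the job wins over the branch: the token then asserts
    the environment form even when the branch has the same name.
    """
    if job.environment:
        return f"repo:{job.repo}:environment:{job.environment}"
    if job.event == "pull_request":
        return f"repo:{job.repo}:pull_request"
    return f"repo:{job.repo}:ref:{job.ref}"


@dataclass(frozen=True)
class FederatedCredential:
    name: str
    subject: str
    issuer: str = GITHUB_ISSUER
    audiences: Sequence[str] = (AZURE_AUDIENCE,)


def find_credential(creds, issuer, subject, audience):
    """Entra matches issuer, subject and audience exactly; no wildcards."""
    for c in creds:
        if c.issuer == issuer and c.subject == subject and audience in c.audiences:
            return c
    return None


def check_login(job, creds, audience=AZURE_AUDIENCE):
    """Simulate the token exchange; return (ok, detail)."""
    sub = github_subject(job)
    cred = find_credential(creds, GITHUB_ISSUER, sub, audience)
    if cred:
        return True, f"matched federated credential '{cred.name}' for subject '{sub}'"
    return False, (f"no matching federated identity record for presented assertion "
                   f"subject '{sub}'; configured subjects: {[c.subject for c in creds]}")


if __name__ == "__main__":
    # Constructed scenario mirroring the question: branch-type credential,
    # but the job runs in an environment with the same name as the branch.
    creds = [FederatedCredential("staging-branch", "repo:contoso/app:ref:refs/heads/staging")]
    job = JobContext("contoso/app", "refs/heads/staging", environment="staging")
    print(check_login(job, creds))   # fails: token asserts environment:staging
    creds.append(FederatedCredential("staging-env", "repo:contoso/app:environment:staging"))
    print(check_login(job, creds))   # succeeds once an environment-type credential exists
```

The fix follows from the match rule: either add a second federated credential of the environment type with subject `repo:ORG/REPO:environment:staging`, or remove `environment:` from the job so the token presents the branch subject the existing credential expects.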