Single Log Out in Azure AD B2C when initiated by external IDP [closed] - azure-ad-b2c

Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 days ago.
I am having trouble finding documentation that covers Single Log Out functionality in Azure AD B2C when it is initiated by an external IDP.
Consider that we have an application protected by Azure AD B2C, and the user is signed in to Azure AD B2C with a federated identity. Now, the documentation is pretty clear about how to initiate the log out from the application / Azure B2C side, and is also clear about how B2C will log out from external identity providers at the same time.
However, consider when the user logs out on the external IDP side. We want the external IDP to initiate single log out to Azure AD B2C, and Azure AD B2C to initiate single log out with the app. So, essentially the opposite flow.
I know Azure AD B2C has a logout URL (considering EnforceIdTokenHintOnLogout is not enabled), I could theoretically configure the relying party configuration on the external IDP with B2C's log out URL. i.e. https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout
Would this trigger the logout of B2C as expected? Am I approaching this in the right way? Is there any documentation covering the implementation of this?

Related

Why we got 2 warnings for our Azure AD App registration which was created using visual studio [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
Closed 6 days ago.
I created a new ASP.NET Core MVC 6.0 web application and defined it to use Azure AD for authentication, as follows:
Then I was asked to create an owned application, so I created one named "ad", as follows:
Inside my application's appsettings I got these settings:
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "*****",
    "TenantId": "***",
    "ClientId": "***",
    "CallbackPath": "/signin-oidc"
  }
}
So it seems Visual Studio did all the work for us. But when I accessed the "ad" application inside Azure, I got 2 warnings, as follows:
So what are those warnings trying to say? And how can we solve these warnings and use a more up-to-date approach, as we are planning to build a long-life ASP.NET Core application?
Thanks
Please read the warnings, their explanation is pretty straight forward. And they both contain links to additional information.
A short summary:
Don't use ADAL (and Azure AD Graph), use MSAL (and Microsoft Graph).
Make sure you're a verified publisher if you want end users to grant consent on newly registered multi-tenant apps.
Both of these warnings have nothing to do with the app registration itself, but with (1.) the authentication framework you're using to build an application and (2.) the way you publish multi-tenant apps.
You can find additional info in the links in the warnings.

How to include claims in Azure AD B2C access token? [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
Closed 5 days ago.
I'm following this tutorial to set up Azure B2C authentication for an Angular app and a .NET backend. I'm configuring the flows using policy files and I'm configuring an API connector for token enrichment as well.
I can see the custom claims included in the id_token JWT that is passed as the result of authentication when I run the flow using the portal.
But the access token that the backend application receives from the Angular frontend does not contain the custom claims.
Basically, the id_token has the claims and the access token does not.
What could be the reason for this? Could this be an issue in the policy files or in the way I've configured the MSAL library?

Could an Azure AD B2C custom policy theoretically produce a token from social IDP claims even without an Azure AD user?

This is a (mostly) theoretical question from a new B2C user.
If all of the claims I send to the RP are available from an OIDC ClaimsProvider, I seem to be able to create a "pass through" custom policy that doesn't actually require an Azure AD user to exist; the token is just created from the claims.
Are there any ways in which this will break B2C processing? I haven’t found any during limited testing. Does it pose any long-term headaches for B2C support?
Well, at the very least it is unexpected. And that means you will be on a path where you are mostly on your own.
AFAIK (which is certainly not everything), the benefits you get from B2C, self-service for example, you will not get without having a set of registered users in your B2C tenant. And with that, my question back would be: why not authenticate to that OIDC provider directly?

Azure AD users sync with Custom User Management using SOAP [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
I would like to synchronise Azure AD users with my custom home-grown user management solution using SOAP APIs. My custom home-grown user management has SOAP APIs for all the user management operations. Any suggestions or pointers for synchronising AD users to my custom home-grown user management solution using REST APIs would be useful.
Thanks, Lokesh
There is an open standard I can think of, called SCIM.
This is taken from the Microsoft docs that describe using SCIM with Azure AD:
As an application developer, you can use the System for Cross-Domain Identity Management (SCIM) user management API to enable automatic provisioning of users and groups between your application and Azure AD. This article describes how to build a SCIM endpoint and integrate with the Azure AD provisioning service. The SCIM specification provides a common user schema for provisioning. When used in conjunction with federation standards like SAML or OpenID Connect, SCIM gives administrators an end-to-end, standards-based solution for access management.
(source)
Basically you have to implement some well defined endpoints and Azure AD will take care of the syncing.
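An added example (not Microsoft's reference implementation, not the poster's code) of the first two SCIM 2.0 /Users operations the Azure AD provisioning service exercises against an endpoint: the userName-filter lookup, then create. The schema URIs are the standard SCIM ones; the in-memory store and every sample value are constructed.

```python
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
USERS = {}  # constructed in-memory store: id -> SCIM User resource
# Azure AD first looks for an existing user with: filter=userName eq "alice@contoso.com"
_FILTER = re.compile(r'^userName eq "([^"]*)"$')


def scim_error(status, scim_type, detail):
    """Build a SCIM Error response body for the given HTTP status."""
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status),
                    "scimType": scim_type, "detail": detail}


def list_users(filter_expr=None, users=USERS):
    """GET /Users[?filter=...] -> (status, ListResponse); userName matches case-insensitively."""
    if filter_expr is None:
        found = list(users.values())
    else:
        m = _FILTER.match(filter_expr)
        if not m:  # anything beyond the lookup Azure AD sends is rejected, not guessed
            return scim_error(400, "invalidFilter", "only userName eq is supported")
        found = [u for u in users.values() if u["userName"].lower() == m.group(1).lower()]
    return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(found),
                 "startIndex": 1, "itemsPerPage": len(found), "Resources": found}


def create_user(body, users=USERS):
    """POST /Users -> (201, resource) or a SCIM error; userName must be unique."""
    if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
        return scim_error(400, "invalidValue", "schemas and userName are required")
    if any(u["userName"].lower() == body["userName"].lower() for u in users.values()):
        return scim_error(409, "uniqueness", "userName already exists")
    user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),  # server-assigned id
            "userName": body["userName"], "active": body.get("active", True),
            "name": body.get("name", {}), "emails": body.get("emails", []),
            "meta": {"resourceType": "User"}}
    users[user["id"]] = user
    return 201, user
```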

Single-Sign Out on Azure AD B2C

I have 2 applications using a single AD B2C tenant. I want to log the user out from both websites when the user signs out of either one of them. I'm using email for local accounts.
In AAD, there is a LogoutUrl registered on each application, which receives a GET request for the users currently signed in to it. Source
I wonder if there is a workaround for AD B2C like in AAD.
PS: I am using this repo as reference.
Azure AD B2C doesn't support Single Log Out and we weren't able to find a workaround.
I've understood that in B2C scenarios Microsoft has assumed that IdPs are "social-media" type and considered it is not of end-users interest to be logged out of Facebook when they log out of some service to which they've authenticated via Twitter. Makes sense in that scenario.
However, in government-provided IdP scenarios it is usually a hard requirement to be able to support SLO.
We considered it to be more of a limitation by-design in B2C than technical, so we moved to using another authentication service provider that supports SLO. Apparently a wise choice as I haven't at least heard anything regarding SLO and Azure B2C as of today.
According to the documentation that is possible:
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
The suggested answer was from 3 years ago.
Please have a read here.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out
Apparently, B2C does support single sign out, but I could not get it to work despite following the steps and I'm looking for answers on SO.
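The LogoutUrl contract the quoted documentation describes, as an added example that is not from the referenced repo or from Microsoft: a standard-library WSGI endpoint that clears the application's own session and always answers 200. The path, the cookie name and the in-memory session store are assumptions.

```python
from http.cookies import SimpleCookie
from wsgiref.simple_server import make_server

LOGOUT_PATH = "/signout-b2c"    # assumed: path of this app's registered LogoutUrl
SESSION_COOKIE = "app_session"  # assumed: name of the app's own session cookie
# Constructed in-memory session store: cookie value -> signed-in user.
SESSIONS = {"s-1111": {"sub": "user-a"}, "s-2222": {"sub": "user-b"}}


def logout_app(environ, start_response, sessions=SESSIONS):
    """Drop the local session named by the cookie and answer 200.

    B2C sends a plain GET to the registered LogoutUrl; the app must clear any
    session identifying the user and return 200, even when no session exists,
    so repeated or late requests are harmless.
    """
    if environ.get("PATH_INFO") != LOGOUT_PATH:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if environ.get("REQUEST_METHOD") != "GET":
        start_response("405 Method Not Allowed", [("Allow", "GET")])
        return [b""]
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
    cleared = sid is not None and sessions.pop(sid, None) is not None
    headers = [
        ("Content-Type", "text/plain"),
        ("Cache-Control", "no-store"),  # a cached 200 would skip the real sign-out
        # Expire the cookie too. The GET arrives cross-site via the user's browser,
        # so the session cookie needs SameSite=None; Secure or it is never sent.
        ("Set-Cookie", f"{SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=None"),
    ]
    start_response("200 OK", headers)
    return [b"signed out" if cleared else b"no active session"]


def simulate(method, path, cookie="", sessions=SESSIONS):
    """Invoke the WSGI app in-process; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie}
    body = b"".join(logout_app(environ, start_response, sessions))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(simulate("GET", LOGOUT_PATH, f"{SESSION_COOKIE}=s-1111"))
    make_server("127.0.0.1", 8080, logout_app).serve_forever()
```

Register `https://<your-app-host>/signout-b2c` as the application's LogoutUrl in B2C and verify with the browser's network tab that the GET actually carries the session cookie.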
