I'm looking into implementing the add password change policy for my SPA. It all seems straight-forward, but I would like to trigger the password change popup from my React code which is using the msal-browser library. In the mentioned tutorial, in the Run the policy section, there is no indication on how to trigger this from the application. Any ideas?
You can configure the authentication in react SPA by using Azure AD B2C policy as mentioned here.
In this sample, you can configure the password change policy in similar way as profile edit.
Related
I have a B2C tenant setup using the oob sign-up/sign-in user flow working fine. I have also implemented a custom policy to allow the user to change their password when they are already signed in to our application according to this article.
When testing, if I directly navigate to the custom policy endpoint, it first prompts me to sign-in and then takes me to the password change form which works fine. However, in our case since the user is already signed in to our application, we would like to bypass the sign-in form and take the user directly to the password change form. According to this article I can remove the prompt=login in the url and it should bypass the sign-in form if the user is already signed in.
To test this, I first login to my app using the signup/signin user flow and then invoke the custom policy url in the same browser tab session without the prompt=login. It does take me directly to the password change form, however, I get the following error when I try to change the password:
Invalid username or password
I have confirmed that I am entering the correct current password. How can I troubleshoot this and where might the issue be?
Thanks,
Param
This is typical of incorrect setup of custom policies.
Delete the two app registrations: ProxyIEF and IEF apps.
Run the tool to set it up for you: https://aka.ms/iefsetup.
Test sign in works with the custom policy.
Then follow the document you linked again to setup the password change flow. You can download the polices back from the Portal to work with.
In Azure AD B2C when a user clicks the "Forgot/Reset" Password, B2C redirects the user back to the Relying Party (web app), with the following error:
AADB2C90118: The user has forgotten their password.
Correlation ID: 124dd908-e181-408f-a363-ecbd46aa9d8e
The Web App (RP), should read the error code and react by redirecting the user back to B2C specifying the PasswordReset policy to be used. This is by design and it's documented in the official AAD B2C docs.
In our case, we have many web apps sharing the same Custom Policy (SUSI and PasswordResest), to offer a common login experience.
I would like to pick/configure the PasswordReset policy directly into our Custom Policy for sign-in. I'd like to avoid the user getting redirected back to the applications and then the apps deciding what PasswordReset Policy to use.
Is this possible to achieve in B2C?
As far as I know it is not. The only proper way to handle is doing it via the application, as you already described and also according to the docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
However, depending on your implementation and overall landscape of your identity setup, you may try using a "trick" - create a custom UI HTML template which will include an URL to the password reset policy of your choosing (static URL in the template) and hide (or disable if you use custom policies) the original "Forgot passoword" link which returns back to the app to handle. Attach that template to the policy - https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
This might not work or be suitable for every setup though. You may get an unexpected behaviour in the app if you open a policy and then the flow ends in a different one. I myself consider that a rather bad practice and discourage people from using it where I work. But if you really need to have something like that you may consider it.
Yes, it is possible.
"By default when you create a sign-up or sign-in policy (with local accounts), you see a Forgot password? link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset policy. Instead, the error code AADB2C90118 is returned to your app. Your app needs to handle this error code by invoking a specific password reset policy.
This policy demonstrates how to embed the password reset flow a part of the sign-up or sign-in policy. So, Azure AD B2C will not return the AADB2C90118 error message".
Starting from March 2021, the "Self Service Password Reset" is the recommended option. The previous method described in my original post is not considered legacy.
Self Service Password Reset Official Documentation: https://learn.microsoft.com/en-gb/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
Essentially, what I asked above not only is possible now, but it's also the recommended approach.
The past few days I have spent following this guide to setting up Azure B2C as an IDP in a SAML authentication flow - https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
It was very helpful in getting me familiar with custom policies and I was able to get it working with the Microsoft Sample App as the Service Provider, but now I am struggling to figure out how to adapt what works with the Sample App to work with any real service providers that I am attempting.
Specifically, I would like to first setup Salesforce as our service provider, but am running into a wall that I am finding difficult to troubleshoot.
So far, I have created a single sign on setting in Salesforce and loaded it with the information from the metadata provided by the Azure custom policy, as well as updating the manifest for our SAML application to make the identifierUris point to the entity ID provided by the Single Sign On setting in Salesforce. The loaded data should be attempting to use the same custom policy that I was using to log in using the Sample Application and I have added the appropriate auth option to the Salesforce login page.
Now when I attempt to login through the SSO button that is on my Saleforce login page that ties to this setting, I am met with this error that I am unable to login with SSO before I am even able to enter my any credentials or met with a login screen: error
Given the somewhat vague nature of the error and the lack of logging or other tools to troubleshoot, I am sort of unsure what I might still be missing to get this working correctly or where I can even find this information. I suspect one thing that I might need still is to point the SAML app in B2C at a metadata url from Salesforce, but I have been unable to track down where I might find the metadata that Salesforce is expecting to provide it. It seems likely to me that the problem is on the Azure side of things since I am not even able to get the point where I can enter my credentials for Salesforce to reject the SAML response, and since the single sign on settings were loaded directly from the custom policy meta data XML, but I can't say for sure either way which is in part why I am not sure what to try next.
We have also looked into setting it up as an OpenID Connect SSO, but would prefer to get SAML working if possible as we are also planning to connect our B2C AD with several other applications that will require we use SAML.
Curious if anyone else has run into similar issues and was able to resolve it or if there are any ways to troubleshoot this that I might be overlooking.
Update
Using the SAML tool recommended I was able to find that the error I was hitting is as follows:
Application registered corresponding to IssuerUri "--EntityID--" in AuthRequest does not have assertion consumer service URL "--EntityId--" specified in its metadata.
According to a forum post on the SF help forums, the login URL of the Single Sign on Settings created in Salesforce should be the URL to use. However, when I attempted to add this URL to the replyUrlsWithType attribute in the manifest of the Azure app, I got an error on saving that a property has an invalid value.
Today, I integrated Salesforce as Service Provide against B2C as Idp. I did not try creating the app registration but instead I downloaded the Salesforce metadata and used it inside of my B2C policy like the code below.
Basically is the same but instead of save the Salesforce metadata(Login/Logout URIs) by registering a new application in B2C, I saved it in a XML file and pointed my B2C policy to use that metada.
<Metadata>
<Item Key="PartnerEntity">{Settings:B2C_SAML_PARTNER_ENTITY_SFE}</Item>
</Metadata>
I have an asp.net web application that authenticates via Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also setup Custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and login with MFA. The issue is when I create a new user and force the user to change the password at their first login, instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the Sign-In policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify Custom UI for login page. Am I missing anything here and how can I make this work with the sign-up-sign-in policy.
Also is there any way to get the "Password" hint like the "Username" hint in the company branding ... Password hint is not available
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which once provided, will let them provide set their password.
There's already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the reset password URL /authorize/ url..
Microsoft Recently added the new "sign-up or sign-in" policy to Azure AD B2C.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-policies/#create-a-sign-up-or-sign-in-policy
By default when we direct a user to that page it shows the sign-in workflow.
Sometimes I may want to take a user directly to the sign-up workflow instead.
I don't want to configure two policies (i.e. upload the same banners, templates, backgrounds, redirects, special messages etc) when the content is going to be exactly the same for both.
Is it possible to pass a parameter (or some otherworldly trickery) so that it shows the "sign-up" workflow instead?
Currently there isn't a query parameter or policy setting that will take the user straight to the local account sign-up pages in a SignUporSignIn policy. Today you would need a separate sign-up policy to direct them directly to sign up.
You can use hello.js for Azure B2C with some customization in initialization, which is build for external authentication of google facebook etc. You can also look into the sample from microsoft which works !! Azure B2C