Azure B2C ProfileEdit custom policy + Azure B2C session management - azure

Please, I am currently trying to use Azure AD B2C custom policies and I have two different questions:
Is it possible to configure a B2C custom policy to give the user an option to reset their phone number and/or TOTP from the user profile? Preferably something like a checkbox to reset the values.
I am aware that Azure AD B2C doesn't control the federated identity provider session. A social or enterprise identity provider manages its own session, i.e., session behavior is determined by the federated identity provider.
How do I keep my application session to AD B2C alive as long as possible, to avoid redirecting users to the federated identity provider before it is absolutely necessary?
Please help, thanks.
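For the second question, the B2C-side session (as opposed to the federated provider's session) is controlled by the UserJourneyBehaviors element in the relying party file of a custom policy. The fragment below is an added example, not from the question or any answer on this page; the journey name and the chosen values are assumptions.

```xml
<!-- Added example: RelyingParty section of a B2C custom policy (e.g. SignUpOrSignin.xml).
     The journey name and the numeric values are assumptions, not taken from the question. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors>
    <!-- Scope="Tenant": one B2C session is shared by every application and policy in the
         tenant, so a user who already signed in is not sent back to the federated IdP.
         KeepAliveInDays only applies when the user ticks "Keep me signed in". -->
    <SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
    <!-- Rolling: expiry is pushed out on every use; Absolute: fixed at sign-in time. -->
    <SessionExpiryType>Rolling</SessionExpiryType>
    <!-- Seconds the B2C session stays valid; 86400 (24 hours) is the maximum allowed. -->
    <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

The "Keep me signed in" checkbox that activates KeepAliveInDays is turned on with the metadata item setting.enableRememberMe on the self-asserted sign-in technical profile. None of these settings touch the federated identity provider's own session; they only decide how long B2C will keep issuing tokens without re-running the user journey.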

Related

Azure for authentication to multiple applications using the organization's identity provider

I want to use Azure for authentication to multiple web applications using the organisation's identity provider.
The organisation has already developed an identity provider, but I want to use Azure to authenticate all applications through the organisation's identity provider.
I can see the Azure AD B2C option, but I don't want to use any social identities or local Azure identities.
The scenario should work as below.
The user enters https://webapp1.com/home
It should redirect to the organisation's IdP
Once authenticated by the organisation's IdP (with a username/password pop-up for sign-in), it should redirect to the https://webapp1.com/home page
If I use Azure B2C, the local sign-in text boxes will be there unused.
Are there any better options available in Azure to resolve this issue?
I tried Azure AD B2C, but it left me with unused username/password text boxes. I just want to use a single identity provider from the organisation.
If your identity provider is OAuth-compliant, you can register it as an identity provider in B2C by clicking the New OpenID Connect Provider button on the Identity Providers blade, and then consuming that in your sign-up/sign-in flow.
OAuth requires a redirect, so if you have a local sign-in form, it will not be used. The identity provider provides the login screen.

Azure AD B2C returns all the assigned roles

I'm integrating the SSO flow with Azure AD B2C using custom policies and SAML. When decoding the JWT token we are getting all the roles that the user had previously as well. I only need the current role of the user. Does anyone have a solution to achieve this?

Azure AD B2C Authentication - Restrict to only certain customer users

I have an ASP.NET Core web application and integrated authentication using the Azure AD B2C tenant/application. I'm able to authenticate and get the user claims in my web application.
But what I additionally want is to allow only certain customer users to access the web application. I want to do this at the B2C tenant itself. Right now any B2C customer user can sign in. Any help, ideas, insight will be appreciated.
You may know there is a "Manage user assignment for an app" feature in Azure Active Directory. But it's not available in Azure B2C.
Currently the recommended way to control access in Azure B2C is to define custom attributes and check the claims in the token.
If the expected claim is included, you allow the user to continue.
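The answer leaves the check to the application. As an added example (not the answer's own code), the same custom-attribute check can be enforced inside the custom policy for local-account sign-in, so that an unapproved user never receives a token at all. It assumes TrustFrameworkExtensions.xml already declares the extension_ApprovedCustomer boolean claim, that AAD-Common references the extensions app, and that AAD-UserReadUsingObjectId has been extended to output extension_ApprovedCustomer; the attribute name, profile Ids and message text are assumptions.

```xml
<!-- Added example (not from the answer): fragments for TrustFrameworkExtensions.xml.
     Assumes the claim extension_ApprovedCustomer is declared in the ClaimsSchema and
     is output by AAD-UserReadUsingObjectId; names and messages are placeholders. -->
<BuildingBlocks>
  <ClaimsTransformations>
    <!-- Raises an assertion error unless the attribute is exactly true -->
    <ClaimsTransformation Id="AssertApprovedCustomer" TransformationMethod="AssertBooleanClaimIsEqualToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="extension_ApprovedCustomer" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
      </InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Customer approval check</DisplayName>
    <TechnicalProfiles>
      <!-- Validation technical profile: the assertion failure becomes a page error -->
      <TechnicalProfile Id="AssertApprovedCustomer-Validate">
        <DisplayName>Check the customer is approved</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">This account is not approved for this application.</Item>
        </Metadata>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="extension_ApprovedCustomer" />
        </InputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="AssertApprovedCustomer" />
        </OutputClaimsTransformations>
      </TechnicalProfile>
      <!-- Override the local sign-in page: after the password check, read the user's
           attributes from the directory, then run the assertion before a token is issued -->
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <ValidationTechnicalProfiles>
          <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
          <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
          <ValidationTechnicalProfile ReferenceId="AssertApprovedCustomer-Validate" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Validation technical profiles run in the order listed, so the directory read must precede the assertion; the application can still check the claim in the token as the answer describes, as defence in depth.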

How to capture user identityId from original IdP using OpenID Connect (preview)

I'm using an App Service with EasyAuth, integrated with B2C. Within B2C I've configured the OpenID Connect provider to point back to our corporate AAD tenant. The user journey and authentication are working as desired; however, the user's sub and oid that are returned to EasyAuth contain the id of the user's B2C object, not the one from the originating AAD tenant as I'd hoped. Any way around this? Are custom policies needed?
Also referenced here on the B2C docs site:
https://github.com/MicrosoftDocs/azure-docs/issues/14209#issuecomment-459063758
Thanks
Yes, you will need to use a custom policy to pass the oid of the AAD user (from the AAD token) as an additional claim in the B2C token.
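As an added example (not from the answer), this is how a custom policy captures the upstream AAD object id in the OpenIdConnect technical profile for the corporate tenant and then emits it in the B2C token. The profile Id, key name, tenant and client id placeholders, and the upstream_oid claim name are assumptions; issuerUserId is a claim already declared in the starter pack base policy.

```xml
<!-- Added example (not from the answer): OpenIdConnect technical profile for the corporate
     AAD tenant, in TrustFrameworkExtensions.xml. Placeholders in braces must be replaced. -->
<TechnicalProfile Id="Corporate-AAD-OpenIdConnect">
  <DisplayName>Corporate AAD</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <Item Key="METADATA">https://login.microsoftonline.com/{corporate-tenant-id}/v2.0/.well-known/openid-configuration</Item>
    <Item Key="client_id">{corporate-app-client-id}</Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">openid profile</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_CorporateAADSecret" />
  </CryptographicKeys>
  <OutputClaims>
    <!-- The AAD user's oid lands in issuerUserId; objectId stays the B2C object id -->
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
    <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>

<!-- In the relying party file's PolicyProfile OutputClaims, surface the captured oid under
     its own claim name so the application can tell it apart from the B2C sub/oid -->
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="upstream_oid" />
```

The B2C sub remains the B2C object id, which is what the application should key its own records on; upstream_oid is an additional attribute, and the application should only trust it when the identityProvider claim shows the corporate tenant's issuer.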

Azure AD B2C OpenID Connect single logout with WS-Federation and SAML claims provider

AD FS is configured with custom policies as a claims provider on Azure AD B2C using WS-Federation and SAML. The relying party on Azure AD B2C is using OpenID Connect.
Is it possible to do front-channel single logout initiated through OpenID Connect?
OpenID Connect Front-Channel Logout 1.0 - draft 02: http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html
Single logout is initiated from the relying party using OpenID Connect and continued through Azure AD B2C using WS-Federation, reaching AD FS, thereby terminating the session in the relying party, Azure AD B2C and AD FS.
If so, how is that configured in Azure AD B2C with custom policies?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
That practice is highly discouraged as it's quite invasive on the end user and risks discouraging the user from doing SSO, rather opting for local accounts.
For example, if the user signed in using Facebook and then signs out of your application, they'll probably be very annoyed by the fact that they've also been signed out of Facebook and, after enough times of this happening, might give up on SSO using Facebook and just create a local account that doesn't mess up their experiences elsewhere. A similar case could be made for business customers that, by signing out of your app, also get signed out of all of their other business apps.
All that said, you can still request support for this via the Azure AD B2C feedback forum.