I have a User flow in Azure AD B2C and want to configure a generic OAuth identity provider.
The MS documentation seems to suggest that it is possible, but there are no specific examples, and it appears that I can only add an OpenID Connect provider.
Does anyone know how I can use a generic third-party OAuth identity provider in Azure AD B2C?
Refer to this.
The key is:
```xml
<TechnicalProfile Id="Facebook-OAUTH">
  <DisplayName>Facebook</DisplayName>
  <!-- OAuth2 (not OpenIdConnect) is the protocol for a plain OAuth 2.0 identity provider -->
  <Protocol Name="OAuth2" />
  <!-- Metadata, CryptographicKeys and OutputClaims are omitted in this excerpt -->
</TechnicalProfile>
```
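As an added example (not part of the answer above and not a Microsoft sample), here is what a complete generic OAuth 2.0 claims provider looks like in a B2C custom policy, together with the two user-journey fragments that make it selectable on the sign-in page. The "Contoso" provider, its endpoints, the field names its userinfo endpoint returns, the client ID and the policy key name B2C_1A_ContosoClientSecret are assumptions; the claims transformations and the SM-SocialLogin session profile referenced at the end are the ones defined in the Microsoft starter pack.

```xml
<!-- Added example: generic OAuth 2.0 identity provider for an Azure AD B2C custom policy.
     Assumed names: the "Contoso" provider, its endpoints and userinfo field names, the client_id
     and the policy key B2C_1A_ContosoClientSecret. Paste inside <ClaimsProviders> in
     TrustFrameworkExtensions.xml. -->
<ClaimsProvider>
  <Domain>contoso.example</Domain>
  <DisplayName>Contoso</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Contoso-OAuth2">
      <DisplayName>Contoso</DisplayName>
      <!-- OAuth2 is for providers that issue an access token but no id_token / discovery document -->
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">contoso</Item>
        <Item Key="authorization_endpoint">https://login.contoso.example/oauth2/authorize</Item>
        <Item Key="AccessTokenEndpoint">https://login.contoso.example/oauth2/token</Item>
        <!-- B2C calls this endpoint with the access token to fetch the user's claims as JSON -->
        <Item Key="ClaimsEndpoint">https://api.contoso.example/userinfo</Item>
        <Item Key="ClaimsEndpointAccessTokenName">access_token</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="scope">openid profile email</Item>
        <Item Key="HttpBinding">POST</Item>
        <!-- false: the redirect URI to register at the provider is
             https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/oauth2/authresp -->
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- The client secret lives in a policy key container, never in Metadata -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoClientSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- issuerUserId and identityProvider together form the alternativeSecurityId that
             B2C uses to look the user up, so ids from two providers cannot collide -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="contoso.example" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <!-- Starter-pack transformations that build the UPN and the alternativeSecurityId -->
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- In the SignUpOrSignIn user journey: the button goes in the ClaimsProviderSelections of the
     CombinedSignInAndSignUp step, the exchange in the ClaimsExchange step that follows it -->
<ClaimsProviderSelection TargetClaimsExchangeId="ContosoExchange" />
<ClaimsExchange Id="ContosoExchange" TechnicalProfileReferenceId="Contoso-OAuth2" />
```

Two things to check before uploading: the claims endpoint must return the user's identifier in a stable field (the `id` mapping above is the assumption to adjust), and the redirect URI registered at the provider must match the `UsePolicyInRedirectUri` setting, otherwise the provider rejects the authorization request before B2C ever sees the code.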
OpenID Connect is a wrapper around OAuth, so you can use that.
Set up sign-up and sign-in with generic OpenID Connect using Azure Active Directory B2C
Related
I am trying to configure my Azure AD B2C account to use IdP-initiated SAML login. I have been able to configure the custom policies to enable OpenID and SAML logins using SP-initiated logins, but am unable to get IdP-initiated to work.
For reference, I am trying to use Salesforce to log in.
I see in Azure's documentation: "We don't currently support scenarios where the initiating identity provider is an external identity provider federated with Azure AD B2C, such as Active Directory Federation Services or Salesforce. IdP-initiated flow is supported only for local account authentication in Azure AD B2C."
If I am unable to set up IdP-initiated using Azure AD B2C, is there another service under Azure that would allow me to set this up?
I have tried to edit the custom policies in my Azure AD B2C to set IdpInitiatedProfileEnabled to true:
```xml
<Metadata>
  ...
  <!-- Added for IdP-initiated SSO from the B2C side -->
  <Item Key="IdpInitiatedProfileEnabled">true</Item>
</Metadata>
```
And configured the policy following the template provided here: https://samltestsp.azurewebsites.net/B2CPolicy
I was able to get the test on the provided website to work but it will not work with my salesforce account.
How to log in with MFA to an Azure AD B2C app using the login URL (given below) provided by Microsoft?
Do we have any URL to validate a user's login with MFA in Azure AD B2C?
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
That URL is only part of the flow.
The whole flow is here.
The easiest way to achieve this is to use one of the MSAL libraries.
MFA is not part of the OpenID Connect flow.
You have to add it.
I am trying to set up a custom policy in my Azure AD B2C tenant. I need to communicate with an external IdP using SAML IdP-initiated sign-on, so that the client can navigate to their dashboard and click "my app", which goes against my B2C tenant, authenticates the user and sends them to my application using OpenIdConnect. I am required to integrate my client's dashboard and my B2C tenant using SAML.
I used this article as a basis to create my custom policy using SAML. SP-initiated (through my app in Azure AD B2C) works, but now I need to get it working IdP-initiated.
I also found this idp-initiated sample, but here I have two problems:
This sets up "my app" as a SAML application (the protocol in my RelyingParty), which is not what I want.
If I change that to use "OpenIdConnect", which is what I want in my RelyingParty, I get the following error in my logs:
"Policy '< myPolicyName >' in tenant '< myTenant >' does not have a supported relying party protocol"
So I'm wondering at this point, is this something that's supported? I also found this unsupported-saml-modalities page in the documentation, and the last bullet point says:
Identity provider-initiated sign-on, where the identity provider is Azure AD B2C.
So I'm not really sure if what I'm trying to accomplish is something valid; any help?
It's not possible: an IdP-initiated flow cannot respond to an OIDC relying party, only to a SAML relying party.
Secondly, as the doc states, the IdP must be B2C; it will not work for an external IdP federated to B2C.
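Both this question and the Salesforce one above hit the same limit, so as an added example (not from either post and not a Microsoft sample) here is the configuration that is supported: B2C acting as the SAML identity provider for a SAML relying party, with the IdP-initiated profile enabled on the B2C side. The tenant name "contoso", the policy name B2C_1A_signup_signin_saml, the relying party's metadata URL and the policy key B2C_1A_SamlIdpCert are assumptions; the claim types and the SignUpOrSignIn journey are the starter pack's.

```xml
<!-- Added example: B2C as SAML IdP with IdP-initiated sign-on enabled.
     Assumed: tenant "contoso", policy B2C_1A_signup_signin_saml, relying party metadata at
     https://app.contoso.example/saml/metadata, and signing key B2C_1A_SamlIdpCert. -->

<!-- 1. TrustFrameworkExtensions.xml: the issuer that signs the SAML assertion and response -->
<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>Token Issuer</DisplayName>
      <Protocol Name="SAML2" />
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      <Metadata>
        <Item Key="IssuerUri">https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_signup_signin_saml</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
    </TechnicalProfile>
    <TechnicalProfile Id="SM-Saml-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 2. Last step of the SignUpOrSignIn journey: hand the claims to the SAML issuer, not JwtIssuer -->
<OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />

<!-- 3. Relying party file. SAML2 is the only protocol the IdP-initiated profile can answer;
     switching it to OpenIdConnect gives the "does not have a supported relying party protocol"
     error quoted in the question above. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <Metadata>
      <Item Key="IdpInitiatedProfileEnabled">true</Item>
      <!-- Where B2C reads the SP's entityID, ACS URL and certificate from -->
      <Item Key="PartnerEntity">https://app.contoso.example/saml/metadata</Item>
    </Metadata>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
    </OutputClaims>
    <!-- NameID is the B2C objectId, so it stays stable if the user's e-mail changes -->
    <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true" />
  </TechnicalProfile>
</RelyingParty>

<!-- 4. The IdP-initiated entry point. B2C itself is the initiator here; a link on an external
     IdP's dashboard (Salesforce, ADFS) cannot start this flow:
     https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_signup_signin_saml/generic/login
         ?EntityId=<the SP's entityID from its metadata>&RelayState=<opaque value returned to the SP> -->
```

The practical consequence for both questions: the dashboard link has to point at the B2C `generic/login` URL above, and the user then authenticates at B2C (local account, since that is what the IdP-initiated profile supports) before being posted to the SAML relying party's ACS.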
I have set up Azure B2C as an IdP to an application that uses SAML 2.0 for federation. Currently, the user journey takes the user to the sign-in page where they can sign in with a B2C local account. The problem is I have federated users in the B2C tenant as well and these will of course have no passwords in B2C.
When the service provider redirects the user to B2C (IdP) to authenticate, is it possible to have a ClaimsProviderSelection (button) for Azure AD (or any social IdP) on the sign-in page, so that the user can authenticate with a federated Azure AD account or a social provider account instead of just a B2C local account? My thought is this "double federation" is not possible/supported.
What are my options?
Think I've misunderstood the issue, but if you just add social providers and/or AAD and configure your user journey for those providers, they will appear as selectable IdPs. See here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers
Unless you mean 'account linking', which is fully supported. See https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/account-linking.
The problem I had was figuring out how to link a policy I had created for sign-in using Azure AD as IdP with another I had created for SAML.
I was able to resolve this by creating a custom policy sign-up/sign-in user flow (call this SignUpOrSignInPolicyA) with Azure AD federation (I had initially only used the built-in sign-in and sign-up flow with the Azure AD IdP). Then, in the custom policy for the sign-up/sign-in user flow that uses SAML (call this SignUpOrSignInPolicyB), I added the user journey from the previous policy and also referenced it in the RelyingParty element. Something like this:
```xml
<UserJourneys>
  <UserJourney Id="SignUpOrSignInPolicyA">
    ...
  </UserJourney>
</UserJourneys>
<RelyingParty>
  <!-- ReferenceId must match the UserJourney Id exactly -->
  <DefaultUserJourney ReferenceId="SignUpOrSignInPolicyA" />
  ...
</RelyingParty>
```
So after being redirected from the SAML app to B2C for authentication, I am now able to use Azure AD federation instead of just a local account.
I'm using an App Service with EasyAuth, integrated with B2C. Within B2C I've configured the OpenID Connect provider to point back to our corporate AAD tenant. The user journey and authentication are working as desired; however, the user's sub and oid that are returned to EasyAuth contain the ID of the user's B2C object, not the one from the originating AAD tenant as I'd hoped. Any way around this? Are custom policies needed?
Also referenced here on the B2C docs site:
https://github.com/MicrosoftDocs/azure-docs/issues/14209#issuecomment-459063758
Thanks
Yes, you will need to use a custom policy to pass the oid of the AAD user (from the AAD token) as an additional claim in the B2C token.
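As an added example (not code from the answer or from Microsoft's samples), this is how a custom policy carries the Azure AD object ID through to the B2C-issued token. The AAD tenant name contoso.onmicrosoft.com, the app ID, the policy key B2C_1A_ContosoAppSecret and the token claim names federated_oid and federated_tid are assumptions; issuerUserId, the claims transformations and SM-SocialLogin come from the starter pack, and tenantId is declared here in case your base policy does not define it.

```xml
<!-- Added example: surface the Azure AD user's oid (and tid) in the token B2C issues.
     Assumed: AAD tenant contoso.onmicrosoft.com, app id 00000000-0000-0000-0000-000000000000,
     policy key B2C_1A_ContosoAppSecret, and the token claim names federated_oid / federated_tid. -->

<!-- 1. TrustFrameworkExtensions.xml, <BuildingBlocks><ClaimsSchema>: add only if not already defined -->
<ClaimType Id="tenantId">
  <DisplayName>Tenant ID</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>Azure AD tenant the user signed in from</UserHelpText>
</ClaimType>

<!-- 2. The Azure AD claims provider: map oid and tid from the AAD id_token into B2C claims -->
<ClaimsProvider>
  <Domain>contoso.onmicrosoft.com</Domain>
  <DisplayName>Contoso Azure AD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADContoso-OpenIdConnect">
      <DisplayName>Contoso employee</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- Single-tenant discovery document, so the accepted issuer is pinned to one AAD tenant -->
        <Item Key="METADATA">https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoAppSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- oid is the AAD object id the question asks for; it is kept in issuerUserId -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 3. Relying party: sub stays the B2C objectId (stable across providers); the AAD identifiers
     ride along as extra claims and are present only after a federated sign-in -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="federated_oid" />
      <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="federated_tid" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="email" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

On the EasyAuth side, key any authorization decision on `federated_tid` together with `federated_oid` (or on `identityProvider`), not on `federated_oid` alone: an object ID is only meaningful within the tenant that issued it, and once the B2C tenant federates to more than one IdP the claim will be absent for local accounts and come from different issuers for the rest.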