Azure B2C user flow loops many times before succeeding - azure

I'm currently having an unusual issue with azure b2c user flows.
The scenario of the issue:
I have many users and sometimes (not all of them) they get stuck in a loop when they try to log in. They have to log in successfully 2 or 3 times in a row just to finally get access to the application.
So far I couldn't find any solution or any reason for this behavior. Is this a common problem when using Azure B2C, or could it be something related to the network?
Any advice or clue would be great!

First you need to confirm where the 'loop' is happening. It's either happening:
Within Azure AD B2C policy
Between App and Azure AD B2C
Determine this by using Fiddler or logs (application logs and Azure AD B2C logs).
If within the Azure AD B2C policy: there's something misconfigured within your policy.
If between the app and Azure AD B2C: either your application is not parsing the token correctly - this could be MSAL not set up correctly, the app thinking the token isn't valid or is expired, or even a missing claim. To fix this, look at the application logs first to see if they state why the app is having to automatically make a new request.
Network-related issues are always a factor to consider - especially if you have a WAF. Again, always check your logs before trying to change anything. Additionally, always test with multiple browsers (if this is a web app), since browsers can be bad actors when testing - especially with session management.
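As an added diagnostic for the "between app and Azure AD B2C" case above (example code, not from the answer): decode the token's claims and report why a relying party would reject them (wrong aud, expired, not yet valid, missing claims), which is also why an access token issued for one API is refused by another. The token, client IDs and policy name are constructed placeholders; signature verification against the B2C JWKS is deliberately out of scope here and must still be done by the app (MSAL does it for you).

```python
import base64
import json
import time


def _b64url(obj):
    """base64url-encode a JSON object without padding (JWS segment)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# Constructed sample id_token: header.payload.signature with a placeholder
# signature, so it can only be inspected, never trusted.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}),
    _b64url({
        "iss": "https://contoso.b2clogin.com/placeholder-tenant-id/v2.0/",
        "aud": "app1-client-id-placeholder",   # issued for app1 only
        "exp": NOW - 600,                       # expired ten minutes ago
        "nbf": NOW - 3600,
        "tfp": "B2C_1_signupsignin",            # B2C policy that issued it
        "sub": "user-object-id-placeholder",
    }),
    "placeholder-signature",
])


def decode_claims(token):
    """Decode the payload segment of a compact JWS WITHOUT verifying it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, expected_aud, required=("iss", "sub", "tfp"), now=None, skew=300):
    """Return the reasons a relying party would reject this token's claims."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"aud {claims.get('aud')!r} is not this app's client id")
    if "exp" not in claims or now > claims["exp"] + skew:
        problems.append("token expired (or exp missing)")
    if "nbf" in claims and now < claims["nbf"] - skew:
        problems.append("token not yet valid (nbf in the future; check clock skew)")
    problems.extend(f"missing claim {name!r}" for name in required if name not in claims)
    return problems
```

Run it against a real token copied from the application log (with the app's own client ID as expected_aud) to see which check the app's validator is tripping on.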

Related

SSO support between 2 Azure Bots in Azure B2C

I have been following the Microsoft tutorial/guide for setting up SSO between two Azure bots which is found here: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication-sso?view=azure-bot-service-4.0&tabs=csharp%2Ceml. I am doing all of the bot testing in the latest version of the Bot Framework Emulator with ngrok.
I have managed to get this working correctly via Azure AD (AAD), however as part of a proof-of-concept, I want to get this working via Azure B2C. Unfortunately, there doesn't seem to be much documentation around about how to set something like this up with B2C, and so far I have not been able to get it working. I have left everything set up the same as was asked in that tutorial/demo where possible (see section below for highlighted differences).
Currently, I am able to log into each bot individually via the above tutorial/demo, but when the SSO is attempted into the skill (child) bot, (via watching the traffic in Fiddler) I see that an error of "consent required" is returned. This tells me there must be some sort of relationship/configuration breakdown between the two bots which is preventing the SSO from succeeding. As mentioned, once this fails, I then get the option in the demo to manually log into the skill bot, which does succeed.
The main differences in terms of configuration capability in AAD vs B2C seem to be:
When configuring the Azure AD app registration for the skill (child) bot, you do not have the capability to set an Authorized client application. Also on this screen, you do not have the option to set the consent for both Admins and users, therefore the consent is set to Admins only
When setting up the API permissions, the delegated permissions available for the Microsoft Graph API are much more limited (only offering openid and profile, whereas in the tutorial above more permissions have been asked for)
Thus far I have tried the following to get it to work:
In the app registration for the skill bot, in the API permissions section, I added an API which points to the app registration for my main (root) bot
Manually modified the Manifest for both app registrations, changing oauth2Permissions.type from Admin to User to try and relax the scope added in the Expose an API screen (as changing this does change the 'who can consent' column from 'Admins Only' to 'Admins and Users')
Different tenant combinations for the app registration (note that both app registrations are currently set up as multi-tenant)
Other things of note:
For the OAuth connection strings, these are set up the same way as the tutorial/demo above, including the Token Exchange URL just pointing to the skill bot scope
I am working under the assumption here that if Azure AD works, then B2C should equally be able to work without any code changes to the demo project, except for different values in the appsettings.json files for each of the two bots.
I am also assuming that B2C SSO in this way is actually a supported feature - there doesn't seem to be a definitive answer either way.
Can someone please provide some suggestions for why this may not be working and what may be required in order to get it working? If I haven't provided sufficient information in any area, let me know and I would be more than happy to provide it.
Many thanks!

Azure AD B2C login page is slow

I am using Azure AD B2C authentication for an Angular SPA. For some reason the login takes around 10 secs to load; when I check the browser dev tools there are 2 requests which take most of the time. Is there a way to optimize this load time?
Open Id configuration endpoint - 3sec
Authorize endpoint - 6sec
Dev tools screen
Please note that even if Azure AD B2C is considered a global service in the Azure cloud, users' data is stored in the specific region that you select during Azure AD B2C tenant creation.
Here is presented how it works - directory store is hosted under the region you specified for the Azure AD B2C tenant:
Additional latency is only encountered when the user has performed an authentication in a different region from the one in which they signed up. This is because calls will be made across regions to reach the Directory Store where their profile lives to complete their authentication.
To solve the problem with multiple regions and reduce the time, you can check Azure Active Directory B2C global identity framework.
The above information is included in it. Hope this clarifies a bit.

Using Salesforce as Service Provider for SAML With Azure B2C as Identity Provider, how can I identify what is not configured correctly?

The past few days I have spent following this guide to setting up Azure B2C as an IDP in a SAML authentication flow - https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
It was very helpful in getting me familiar with custom policies and I was able to get it working with the Microsoft Sample App as the Service Provider, but now I am struggling to figure out how to adapt what works with the Sample App to work with any real service providers that I am attempting.
Specifically, I would like to first setup Salesforce as our service provider, but am running into a wall that I am finding difficult to troubleshoot.
So far, I have created a single sign-on setting in Salesforce and loaded it with the information from the metadata provided by the Azure custom policy, and updated the manifest for our SAML application to make the identifierUris point to the entity ID provided by the Single Sign On setting in Salesforce. The loaded data should be attempting to use the same custom policy that I was using to log in with the Sample Application, and I have added the appropriate auth option to the Salesforce login page.
Now when I attempt to log in through the SSO button on my Salesforce login page that ties to this setting, I am met with this error that I am unable to log in with SSO, before I am even able to enter any credentials or am shown a login screen: error
Given the somewhat vague nature of the error and the lack of logging or other tools to troubleshoot, I am sort of unsure what I might still be missing to get this working correctly or where I can even find this information. I suspect one thing that I might still need is to point the SAML app in B2C at a metadata URL from Salesforce, but I have been unable to track down where I might find the metadata that Salesforce is expecting to provide it. It seems likely to me that the problem is on the Azure side of things, since I am not even able to get to the point where I can enter my credentials for Salesforce to reject the SAML response, and since the single sign-on settings were loaded directly from the custom policy metadata XML, but I can't say for sure either way, which is in part why I am not sure what to try next.
We have also looked into setting it up as an OpenID Connect SSO, but would prefer to get SAML working if possible as we are also planning to connect our B2C AD with several other applications that will require we use SAML.
Curious if anyone else has run into similar issues and was able to resolve it or if there are any ways to troubleshoot this that I might be overlooking.
Update
Using the recommended SAML tool, I was able to find that the error I was hitting is as follows:
Application registered corresponding to IssuerUri "--EntityID--" in AuthRequest does not have assertion consumer service URL "--EntityId--" specified in its metadata.
According to a forum post on the SF help forums, the login URL of the Single Sign on Settings created in Salesforce should be the URL to use. However, when I attempted to add this URL to the replyUrlsWithType attribute in the manifest of the Azure app, I got an error on saving that a property has an invalid value.
Today, I integrated Salesforce as Service Provider against B2C as IdP. I did not try creating the app registration; instead I downloaded the Salesforce metadata and used it inside of my B2C policy like the code below.
Basically it is the same, but instead of saving the Salesforce metadata (Login/Logout URIs) by registering a new application in B2C, I saved it in an XML file and pointed my B2C policy to use that metadata.
<Metadata>
  <Item Key="PartnerEntity">{Settings:B2C_SAML_PARTNER_ENTITY_SFE}</Item>
</Metadata>
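The error quoted in the Update above says the ACS URL in the AuthnRequest is not in the metadata B2C holds for that entity ID. As an added example (not code from the post or from Azure AD B2C), this reproduces that check on the IdP's side: parse the SP metadata and an AuthnRequest, and report an Issuer/entityID or ACS URL mismatch before deploying the policy. Both XML documents are constructed samples with placeholder URLs.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata, shaped like an exported SP descriptor (placeholder URLs).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest whose ACS URL the metadata never declared (the
# situation behind the "does not have assertion consumer service URL" error).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.invalid/login">
  <saml:Issuer>https://sp.example.invalid/saml</saml:Issuer>
</samlp:AuthnRequest>"""


def sp_endpoints(metadata_xml):
    """Return (entityID, set of ACS Locations) declared in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = {e.get("Location") for e in root.findall(".//md:AssertionConsumerService", NS)}
    return root.get("entityID"), acs


def check_request(metadata_xml, request_xml):
    """Mirror the IdP-side checks: Issuer must equal the metadata entityID and
    any requested ACS URL must be one the metadata declares."""
    entity_id, acs_urls = sp_endpoints(metadata_xml)
    req = ET.fromstring(request_xml)
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    acs = req.get("AssertionConsumerServiceURL")
    problems = []
    if issuer != entity_id:
        problems.append(f"Issuer {issuer!r} does not match metadata entityID {entity_id!r}")
    if acs is not None and acs not in acs_urls:
        problems.append(f"ACS URL {acs!r} is not declared in metadata: {sorted(acs_urls)}")
    return problems
```

Feed it the real SP metadata file referenced by PartnerEntity and an AuthnRequest captured with a SAML tracer; an empty list means the two agree on the URLs the IdP will accept.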

Single Sign on - Multiple application azure AD B2C

I am trying to have two applications (app1 and app2) in Azure AD B2C, which are configured for Web API, and another application that is configured for a mobile app.
I need my mobile app to talk to app1 and get the access token, using app1's application ID and scope, then use the access token obtained from app1 to communicate with app2. I enabled SSO at tenant level in the policies, but it still says "Authorization denied" for the access token provided.
How can I reuse the access token obtained from one application in another application?
We have been trying to get through this limitation (or function as designed for security) of B2C AD for weeks.
However, Microsoft does not support it.
We did not want to display the MS login page to the mobile user on the mobile login screen (UX gets compromised). But MS says there is no way possible to avoid it. See the response from MS on the support ticket.
For more information: Azure AD B2C: Requesting access tokens
You will also benefit reading authentication scenarios supported. We are after something similar to this what they call "Daemon or Server Application to Web API".
In this diagram, Server Application = to mobile application in our case. However you will notice that in this scenario it is assumed that the user is already authenticated (via interactive flow).
We tried to act smart, thinking we could write an Auth web API which the mobile app would hit to obtain a token and then pass this token to our business logic API (secured by B2C AD). We obtained access and refresh tokens somehow; however, when the test web app (mobile app) passes this access token to our business logic API, it fails to validate the token. B2C AD comes fighting for it. Our analysis is not yet complete.
However, I am certain what we are trying to accomplish is not supported in B2C AD.
Hope this helps (I would actually advise you to look for other solution). I will be happy if someone can suggest a way to solve this obvious business problem.

Azure AD Multi tenant app

I have added a Web Application in the Microsoft Application Registration Portal. I can view this app in the old Azure portal. When I try to configure this app as multi-tenant and set the Sign-on URL and the App ID URI values, an error pops up saying one of the values is invalid and the save fails. I can connect to this application using OAuth and get the required refresh and access tokens. Using these tokens in the Graph API I can get mails, contacts and calendar events from my Office 365 account. But this happens only for a single tenant. I need to be able to do this for multiple tenants, and so I want to set this app as multi-tenant. If I create the application in Azure AD itself then I am able to set all the values, but I cannot connect to this app using OAuth as the authentication fails with an error message saying
error=unauthorized_client&error_description=AADSTS70001%3a+Application+%2791470123-7e7e-4139-9922-ac95b0a6b383%27+is+not+supported+for+this+API+version.
I went through a few links like here, here and here, but until now I haven't been able to find a solution. I am re-posting this as suggested here. Can anyone suggest what I must do to get through this?
All applications created through the App Registration Portal have the Multi-Tenant flag set to True by default.
The issues you are facing here are likely due to the fact that the App Registration Portal creates our new V2 Applications, while our old portals use our V1 Applications. As a result, when switching between portals and trying to make configuration changes, you will likely run into issues where our app model has changed and certain properties exist in one place and not another.
Finally it is important to note that we now have a V2 endpoint as well, which lines up with our V2 applications. You need to make sure you are using the right kind of application for the right endpoint.
Let me know if this helps!
