We are trying to use Azure B2C for a use case where we did not find much information. The idea is that several partners, each with their corresponding IdPs, will embed in their web and mobile applications our platform.
This platform can be consumed via API or via WebView, depending on the maturity of our partners' applications. Partners want to federate their IdPs with our Azure B2C with OIDC.
The problem comes with the user experience that we are proposing. The user is facing a double login with the same credentials. One time when entering the partner's app and a second time when entering the tab of our functionality inside the partner's app (our B2C redirecting by OIDC to the partner's IdP).
Is it possible to do this flow without the user re-entering his credentials inside each partner's app to access our services?
Related
Scenario 1
An existing monolithic .net core MVC application with an existing Account Management workflow for sign-in/up. The application makes use of Microsoft.AspNetCore.Http's IHttpContextAccessor to handle the user in the http session.
Scenario 2
An existing application with a NextJs front end and a .Net core Backend. The login is server side and uses a JwtBearer Authentication scheme.
Requirement
Add authentication via third parties Identity Providers, like Google, Microsoft, Facebook, ecc. The addition of the Identity Providers should have the minimum impact on the previously existing workflow.
Main area of confusion
Performing some tests with Azure AD B2C, I noticed registering the User Flow for Sign up and Sign and clicking on Testing the Workflow that the generated page always asks for email and password. I wonder if it is possible to use it only for the external providers without using the email and password flow from AD.
Question
Does Azure AD B2C fits the need for Scenario 1 and Scenario 2? If so how should it be configured?
Is it possible to configure msal to work with two different apps simultaneously? Or perhaps is it possible to have two instances running in parallel on the same Single Page Application SPA?
Specifically, I have a business app that is accessed by both B2C users and Corporate users. The business prefers that the Corporate users be able to log into the app without the need to create an additional B2C account (and using a federated B2C sign-in type). This would mean that I need an app in the B2C tenant and the Corporate tenant, and my single page application app would be protected by either app for any given user.
In other words, if you follow this link:
https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial#chapter-1-sign-in-a-user-to-your-application
it gives instructions for how to sign in with Azure AD, and how to sign in with Azure AD B2C. But how would I go about doing both at the same time?
I'm using Azure OpenID Connect with Active Directory B2C multi-tenant application for login purpose on my set of applications. Most of the users login using Google social provider of B2C, but for now I'd like to keep the option to use AD open. I use a single B2C application to login to multiple sub-parts of my applications, using different domains, different programming platforms etc - I just allow many return URLs in the B2C app.
What I'd like to achieve is a true single sign-on: possibility to login once and then to access all the sub-applications that use this B2C app.
Currently, when I login to one sub-app and then try to access some other one, I need to choose my Google account (when I'm logged in using Google connector). I'd like to remove the necessity of any human interaction in the process of accessing other parts of the app, when I'm already signed in (of course automatic redirects are fine). Is this possible with B2C/OpenID Connect?
I am using Azure B2C to connect my own openid connect server using OpenID onnect (Preview) provider. I configured every thing, system is working fine.
But one thing is when a new user logs in through my own openid connect server, Azure AD B2C creates this user in Azure AD which is connected to Azure B2C.
My intention is that, My client application has to call Azure B2C. Azure B2C should display list of identity providers. one among those providers is my own openid connect server. Then user can input his credential in my own openid connect server and verified and return back to Azure B2C with id_token. after this step Azure AD B2C is asking me to create this user in Azure AD. why this is happening ?
I cannot provide my user details to any intermediate systems. Please help me on this.
The same scenario is happening for gmail users also. but only first time login or when we change some signin policy attributes.
Based on my experience, even for externally authenticated users (social sign-in) AAD B2C always creates an object in its local store (which is actually an Azure AD directory). I can't speak authoritatively, but a couple of reasons for this would be 1) the ability to generate and maintain an immutable ID for a user that is somewhat independent of the social IdP, and 2) the ability to collect and store additional attributes which are not available from the social IdP.
I believe you can make the process invisible to your users - they don't necessarily have to be prompted to enter additional attributes or to create a user - but it will still happen in the background.
We are designing an application which will be used by client's employee, some of their vendors and consumers as well. All of these three types of user will have the different set of rights.
We were analyzing the Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we setup our application in such a way that if can authenticate from B2B and B2C both? Or any other suggestion to implement this.
Thanks In Advance
You can totally setup an app to authenticate with multiple directories.
Setup one Azure AD that will be used by employees, where partners can be added through B2B. Then also setup a B2C directory for the customers.
On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in both directories.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to setup multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user, you can't really choose for them.
Update to B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose if they want to sign in with social accounts or if they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info