Is it possible to configure msal to work with two different apps simultaneously? Or perhaps is it possible to have two instances running in parallel on the same Single Page Application SPA?
Specifically, I have a business app that is accessed by both B2C users and Corporate users. The business prefers that the Corporate users be able to log into the app without the need to create an additional B2C account (and using a federated B2C sign-in type). This would mean that I need an app in the B2C tenant and the Corporate tenant, and my single page application app would be protected by either app for any given user.
In other words, if you follow this link:
https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial#chapter-1-sign-in-a-user-to-your-application
it gives instructions for how to sign in with Azure AD, and how to sign in with Azure AD B2C. But how would I go about doing both at the same time?
Related
We are trying to use Azure B2C for a use case where we did not find much information. The idea is that several partners, each with their corresponding IdPs, will embed in their web and mobile applications our platform.
This platform can be consumed via API or via WebView, depending on the maturity of our partners' applications. Partners want to federate their IdPs with our Azure B2C with OIDC.
The problem comes with the user experience that we are proposing. The user is facing a double login with the same credentials. One time when entering the partner's app and a second time when entering the tab of our functionality inside the partner's app (our B2C redirecting by OIDC to the partner's IdP).
Is it possible to do this flow without the user re-entering his credentials inside each partner's app to access our services?
We want to build a .NET and Angular application which our internal users and invited external users can have access. We initially tried to build that by connecting to our internal azure-ad but that would mean that external users are part of our internal azure ad. One approach was to use Azure B2C AD but then not sure of how to get internal users in that AD without duplication. Eventually, we will have roles for users and wanted to check if we can avoid duplication of maintenance in multiple azure AD.
Hopefully, we are not doing something new i.e. creating an application that can be used by internal employees with their office 365 credentials and allowing invited external users to access the same application. Roles govern what part of the functionality is accessible within the application.
What are the possible approaches / recommended approach?
Use AAD B2C and add AAD as an identity provider to B2C, see here.
I have 4 Node.JS Application frontend angular with different domains, I have implemented Azure AD B2C
I need to implement SSO or Single Sign On in my applications
How can I set it up, what is the recommended way.
I checked https://github.com/AzureAD/passport-azure-ad
but there is no documentation on setting up SSO for Node.JS applications or sample codes.
Go to Azure AD B2C->User flows(policies)->find your sign in policy->properties->you will find the single sign-on configuration.
The default setting is tenant which allows multiple applications and user flows in your B2C tenant to share the same user session. For example, once a user signs into an application, the user can also seamlessly sign into another one.
Reference:
Configure session behavior in Azure Active Directory B2C
I am using Custom Policies on Azure B2C.
When I want to run the Custom Policy I can choose the application which I want to use with the policy. I saw that I'm not only able to use my applications from Azure B2C, I can use the applications from the App Registration section.
What is the differences. I've been able to signup and sign in users with both types of applications.
Thanks in advance!
The two sets of apps are completely independent of each other.
You should not be able to see any of the Azure AD B2C apps in the Application Registration in Azure Active directory.Also, the apps in the Application Registration should not be visible in the B2C .
In your issue , I assume that you should have add two apps in the two places.
What is the differences.
Application in Azure AD B2C :To build an application that accepts consumer sign-up and sign-in, you first need to register the application with an Azure Active Directory B2C tenant.
Application Registration in Azure AD: This creates an Application ID for the application, and enables it to receive tokens. In order to get a client ID and secret from Azure, you have to register the app and provide some basic information about it, including what resources your app wants to access, and what permissions it needs.
Depending on your scenario, you could register an application in both portals, and use the right one depending on the request you need to make.
The apps that are registered through each different location (Azure Active AD versus Azure AD B2C) are given credentials that are valid for any policy, including custom policies you have uploaded.
The end result is the same: you have an application that is registered with and can access the policy regardless of how that app/policy was created.
We are designing an application which will be used by client's employee, some of their vendors and consumers as well. All of these three types of user will have the different set of rights.
We were analyzing the Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we setup our application in such a way that if can authenticate from B2B and B2C both? Or any other suggestion to implement this.
Thanks In Advance
You can totally setup an app to authenticate with multiple directories.
Setup one Azure AD that will be used by employees, where partners can be added through B2B. Then also setup a B2C directory for the customers.
On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in both directories.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to setup multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user, you can't really choose for them.
Update to B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose if they want to sign in with social accounts or if they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info