We're in the process of implementing AD B2C as our sso and will have to go through multiple versions of user flows during testing. They will be used for different environments and some in parallel in testing so we won't be able simply change existing versions. We'd like to establish a base flow for our sign in and our multiple sign ups as starting points that we could then clone when we create a new version. Is there any way to clone an existing User Flow either directly or by download/upload to a new flow? I know we could do something similar with custom policies but we've made the decision to stick with user flows.
Thanks!
User flows cannot be cloned as user flows, but you can download their source code and clone them as custom policies. User flows are custom policies anyways. You can download their source code from the Azure Portal as shown in the following picture.
You can opt to append the base policies code to the user flow code using the following API call. Please keep in mind this API is not publicly supported and only provided AS IS:
GET https://main.b2cadmin.ext.azure.com/api/trustframework/GetAsXml?sendAsAttachment=true&tenantId=<TENANT NAME>.onmicrosoft.com&policyId=<USER FLOW ID>&getBasePolicies=true
You will need an access token for scope https://management.core.windows.net/user_impersonation
Let me know if you need additional help!
Related
I understand how to brand my login form but how to customize the workflow that Azure provides?
Currently the Sign-up form looks like this:
Which is really unlogical. The text boxes under 'Verificatiecode verzenden' (Send verification code) are only useful after the code has received and filled in.
How to customize this part to create a better working workflow:
Add email address -> Send code -> Fill in code and verify --> Fill in additional user details.
Edit:
As recommended by Brad I dived into Identity Experience Framework. An 'intimidating' framework is a big understatement ;(
I watched these videos: https://www.youtube.com/playlist?list=PL4svy-vB4AaxRunWQkxOe8h3zP9jAzS5Z and followed the steps mentioned here:
https://github.com/azure-ad-b2c/azureadb2ccommunity.io/wiki/LocalAndSocialAccount-Sign-In-and-Sign-Up-policy
https://github.com/azure-ad-b2c/samples/tree/master/policies/split-email-verification-and-signup
I'm just at the point that I only want to mimic what I currently have using the 'normal' user flows:
Log-in using Email
Log-in using Facebook
Log-in using Google
The login screen looks the same, I have the email and password buttons and the Facebook and Google buttons, but when I log in with Google I get an error about grant-type not set.
And this is all without trying the split.xml.
I'm so lost in understanding AAD B2C. It should make live easier for developers but I find it very complicated, hard to modify and hard to get the profile data I need and to keep the data in sync.
In order to achieve this with User Flows, you must use the Custom User Interface features, and Javascript to control how and when those fields are displayed.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout?pivots=b2c-user-flow#enable-javascript
Optionally, you can conduct a similar flow using the Identity Experience Framework (Custom Policies) with either Javascript or where you use two different Self Asserted profiles to move from screen to screen.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-trust-frameworks
Taking the leap from User Flows to the Identity Experience Framework can be intimidating, but would give you the most control in your user experience.
I want login system in my capsule so that i can provide user more recommendation based on their profile of interest. So far, neither I am able to find any document related to login facility nor any example. It would be appreciated if will get any document or example.
Bixby supports logging in through OAuth 2.0, and this is the best way to guide your users through a login flow.
You will need to provide your own service to handle this OAuth flow, as Bixby Developer Center does not offer any web hosting services.
https://bixbydevelopers.com/dev/docs/dev-guide/developers/actions.using-oauth
Also is there a possibility that user can user can use app as a guest
user if no login credentials?
When you define your endpoints, you can define Actions that require OAuth and other Actions that do not require OAuth and the latter ones will define the "guest user" flow that is capable within your capsule prior to logging in.
If you don't need all the features of OAuth, and only need to store a few things between sessions with the same user, you may use the $vivContext.bixbyUserId value as an anonymous, but unique identifier for a user, and store their preferences using that id as a key, in a 3rd party database that you maintain.
I've done this with the "My Brain" capsule, to store quick memories/notes for users, without any requirement that they login or establish an account. I've created a tutorial version of the My Brain capsule that outlines the steps you need to use AWS for this purpose. Please feel free to clone or fork it and customize it for your needs.
In my app I want to have some feed where different users can add activities
How can I do this? Are there any settings of user rights?
It would help if you could elaborate on what you are trying to build (e.g. what kind of user ACL you are trying to offload to Stream) and whether you are using an SDK or the REST API directly. Multiple users can add activities to the same feed.
Regarding user rights, permissions they would be embedded in the JWT token when you're doing server-side authentication, as exposed here.
I am attempting to our company's Jenkins from the Jenkins user database + matrix based security to using Google Login Plugin and Role based strategy plugin to give us better control of our user accounts.
With this new set up I am wondering how I could go about creating a designated user which is used by scripts which trigger Jenkins jobs remotely. I would like to do this without having to add a user to our company's GSuite account as this costs a few $ per month. Before the switch to Google Login I could just create a user manually in the Jenkins user database and take the API token from there but since switching to Google Login there is no option to add a user (which makes sense given than the users are managed by Google now). At the moment it seems like I have to choose from:
Use the old approach and forget about authenticating through google. This is not a great result as we want to minimize the number of user accounts we have to set up for new people joining the company to overhead of onboarding.
Use Google Login Plugin and create a new dedicated "Jenkins" user in GSuite for these scripting / requirements. This costs money.
Use an existing users API Token to avoid the cost of a new Google User in our GSuite account. This seems like bad practice which I'll regret at some point.
Is there a workaround which doesn't require a designated GSuite user or repurposing an existing Google users credentials just for this purpose?
I did a similar research a while ago and it seems like there is no way to do so right now.
However, I'm using SAML plugin with GSuite instead of Google Login Plugin, but from Jenkins security perspective I assume they work in the same way.
When you're using such plugin, Jenkins creates a securityRealm in its config. In my case it is:
<securityRealm class="org.jenkinsci.plugins.saml.SamlSecurityRealm" plugin="saml#1.0.7">
Therefore, to have SAML and Jenkins security matrix work simultaneously, you have to have several security realms.
Here is a ticket, which describes this issue, but it's still open
Regards!
I was also looking at how to trigger builds remotely when using the Google Login Plugin.
I ended up using the "Build Token Root Plugin" which solved this problem, without any need to create a dedicated user for this.
This plugin offers an alternate URI pattern which is not subject to the usual overall or job read permissions. Just issue an Http GET or POST to buildByToken/build?job=NAME&token=SECRET. This URI is accessible to anonymous users regardless of security setup, so you only need the right token.
https://wiki.jenkins.io/display/JENKINS/Build+Token+Root+Plugin
I'm working with Azure B2C from a MVC (4.6) WebApp. I've followed this guide to make it work and it's all good:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet
However, regarding the Edit Profile Policy, I need custom values coming from another system for a specific User profile property (i.e: Favorite Categories, coming from a custom Categories table). I don't want to add all the possible categories to the User profile property settings in the Azure portal, cos values can change frequently. So, couple of questions:
1- Is there a way to tell Azure AD B2C Edit profile policy, what are the values to use for a specific user profile property? (I don't think so)
2- Can I call the Edit Profile policy Endpoint to update the user profile? that way, I'd have a custom page with the user profile properties, and I will update the user from code. I've "fiddled" the MS page, and it's doing a post to a specific endpoint, but I'm not able to make it work from code. I've also tried a bunch of different things.
The only approach that seems will work is to call the Graph API from code, following this article (but it requires to register another App from PowerShell, and also, execute the action with an App Token, instead of the current logged user):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Any help would be very appreciate it.
Thanks a lot.
1- Is there a way to tell Azure AD B2C Edit profile policy, what are the values to use for a specific user profile property? (I don't think so)
No. All the users use the policy you config on the portal. We can create multiple profile edit policy and choose the right policy based on you business with custom code.
2- Can I call the Edit Profile policy Endpoint to update the user profile? that way, I'd have a custom page with the user profile properties, and I will update the user from code. I've "fiddled" the MS page, and it's doing a post to a specific endpoint, but I'm not able to make it work from code. I've also tried a bunch of different things.
No. It is impossible. As you mentioned, if you want to update the users profile programatically, the Azure AD Graph is recommend.
you not able use JS, but you able customize with css;
(enable cors to ms login domain on your web app etc)
see msdm docs all are desribed;
you able add custom properties in AD B2C to user sign up; so to edit profile should be possible too;
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization