Single Logout Implementation using ITfoxtec Library - azure-ad-b2c

We are trying to implement Single Logout functionality in Azure AD B2c using Itfoxtec Saml library.
We have tried multiple configuration options but the SingleLogout method is not working as expected.
We need a reference article or post on how to configure manifest file when using ItFoxtec library.
We have already referred below articles
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCore
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy

It sounds like you have achieved to do logout in Azure AD B2C initiated from your application implementing the ITfoxtec Identity SAML 2.0 component.
Single logout is the case where someone other than your application initiated logout or you want to do logout in an external IdP. For this to work you need to configure session management correctly in Azure AD B2C, maybe that is the missing part?
Also the single logout endpoint is separate in the refired sample. The endpoint is exposed in the metadata.

Please check the below points :
You can redirect the user to the end_session_endpoint.Try if it logs out completely with GET request to
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{name-of-b2c-login-userflow}/oauth2/v2.0/logout?post_logout_redirect={static-webapp-url}/.auth/logout.
a) The user may still be signed in to other applications that use
Microsoft accounts for authentication. To enable those applications to
sign the user out simultaneously, the Microsoft identity platform
sends an HTTP GET request to the registered LogoutUrl of all the
applications that the user is currently signed in to.See Microsoft
identity platform and OpenID Connect protocol - Microsoft identity
platform | Microsoft Docs
b) If you wish to support single sign-out in your application, you must implement such a LogoutUrl in your application's code. You can set the LogoutUrl from the app registration portal.or edit from the manifest like below.
Also try by giving front channel logout url which has to result in single signout.
Please check if you should call the Logout method like here > sample code. The SingleLogout is called by an IdP (Azure AD B2C) if it wants to initiate logout in your relaying party application.
Please check if you are using ITfoxtec Identity SAML2 component without a NameID, which may not be able to do logout or single logout. NameID is optional in login but not in logout and single logout.
References:
Configure Azure Active Directory B2C as a SAML IdP to your
applications | Microsoft Docs
itfoxtec identity saml2 - How to single logout from Azure AD B2C
with ITFoxTech SAML 2 library? - Stack Overflow
Configure Azure Active Directory B2C as a SAML IdP to your
applications | Microsoft Docs

Related

IDP initiated SSO fails with OKTA as an IDP in Azure

We have configured OKTA as an IDP in Azure AD. While testing the IDP(OKTA) authentication flow, it throws error.
Configured Okta & Azure AD using below microsoft link as reference.
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
What we did so far?
Registered company "example.com" in OKTA.
Created a custom SAML app in OKTA to export the OKTA IDP metadata
Configured the app SSO settings as above reference link
Imported OKTA metadata as external IDP in AzureAD
Followed below steps to test IDP Authentication Flow
Logged in with the existing user in OKTA
After successful authentication, user is redirected to dashboard page
Here, when we click on custom app chiclet, instead of getting redirected to Microsoft apps portal, it throws below error -
AADSTS50107: The requested federation realm object 'http://www.okta.com/xxxxxxxxxxxxxxxxxxxx' does not exist.
i think direct federation doesn't support idp initiated login, you need to login using tenant context.
have you seen that note in the link you pasted ?
Direct federation guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid= or https://portal.azure.com/, or in the case of a verified domain, https://myapps.microsoft.com/\.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Direct federation users are currently unable to sign in using common endpoints that have no tenant context. For example, using https://myapps.microsoft.com, https://portal.azure.com, or https://teams.microsoft.com will result in an error.

Single-Sign Out on Azure AD B2C

I have a 2 application using a single AD B2C tenant. I want to logout the user from both websites when the user signs out to either one of them. I'm using email for local accounts.
In AAD, there is a LogoutUrl registered on each application which receives a GET request to users currently signed in to. Source
I wonder if there is workaround for AD B2C like in AAD.
PS: I am using this repo as reference.
Azure AD B2C doesn't support Single Log Out and we weren't able to find a workaround.
I've understood that in B2C scenarios Microsoft has assumed that IdPs are "social-media" type and considered it is not of end-users interest to be logged out of Facebook when they log out of some service to which they've authenticated via Twitter. Makes sense in that scenario.
However, in government-provided IdP scenarios it is usually a hard requirement to be able to support SLO.
We considered it to be more of a limitation by-design in B2C than technical, so we moved to using another authentication service provider that supports SLO. Apparently a wise choice as I haven't at least heard anything regarding SLO and Azure B2C as of today.
According to the documentation that is possible:
When you redirect the user to the Azure AD B2C sign-out endpoint (for
both OAuth2 and SAML protocols), Azure AD B2C clears the user's
session from the browser. However, the user might still be signed in
to other applications that use Azure AD B2C for authentication. To
enable those applications to sign the user out simultaneously, Azure
AD B2C sends an HTTP GET request to the registered LogoutUrl of all
the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that
identifies the user and returning a 200 response. If you want to
support single sign-out in your application, you must implement a
LogoutUrl in your application's code.
The suggested answer was from 3 years ago.
Please have a read here.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out
Apparently, B2C does support single sign out, but I could not get it to work despite following the steps and I'm looking for answers on SO.

Using Header Variables for User Authentication

I am not sure if I am asking this question correctly or not, but if a user is authenticated through MS Azure, can Azure send the identity of the user to another system through HTTP header variable?
If so, what if the HTTP server on the other system is Apache based and not IIS. Is it still possible? If yes, how is it done?
Thanks
The closest option available in the Azure AD offerings is Header based SSO.
Header-based single sign-on works for applications that use HTTP
headers for authentication. This sign-on method uses a third-party
authentication service called PingAccess. A user only needs to
authenticate to Azure AD.
If you could expand your question a bit more, maybe we can help with a better answer
So the flow as I understand is like follows..
Salesforce redirects the user to Azure AD
Azure AD authenticates the user (uses SAML) and sends the SAML token back to salesForce
The user who signed in to SalesForce now redirects to a Siebel App?
The expectation is that the user would not have to authenticate again for Siebel?
The quick answer is that Azure AD will authenticate the user using header-based, SAML or OpenID only if the Siebel app is registered with Azure AD.
Without registration, Azure AD has no knowledge about this app (Siebel) and wont deal with it.
During registration, Siebel developers can choose if they want to use SAML, header based or OpenId for authentication and Azure AD will automatically Single sign-on an already signed in user (like in this example the user has already signed-in to SalesForce) to Siebel and wont prompt the user for credentials.

Does Azure Active Directory B2C work with Oauth or Open ID?

I successfully implemented Azure Active Directory for user management/authentication/login in a web app, following this example:
Azure Sample AAD with Flask
I decided to try Azure Active Directory B2C because of its integration for the various social apps. However, I could not get the flask app to work using OAuth 2.0, since Azure AD B2C does not seem to be compatible with OAuth 2.0. I found some documentation that states Azure AD B2C requires Open ID Connect.
Could you please confirm whether Azure Active Directory B2C requires Open ID Connect, or whether it works with OAuth 2.0 as well?
Thanks
It is worth to not that Azure Active Directory B2C (AAD B2C) supports both OpenID Connect and OAuth 2.0 in that it uses these two protocols to exchange information and secure tokens. However, AAD B2C "extends" these protocols by introducing Policies to handle the user experience for Sign-up, Sign-in and general account management.
What does this mean? First of, it means that you cannot create your own sign-up/sign-in experience, you are restricted to redirecting the user to the right policy (which you to some extent can customize). You cannot create your own sign-up/-in UI for this and you are restricted to styling/branding the provided web-based UI for this.
So in order to Authenticate using AAD B2C you could follow this guide, it should be easy enough to adapt to Python. You simply redirect the user to the /authorize endpoint of the AAD B2C and then validate the JWT you receive
Azure AD B2C supports both OpenID Connect and OAuth 2.0 as noted in the official reference protocols documentation.
To be able to sign-in users with Azure AD B2C using OAuth 2.0 and Flask, you'll need to adapt the sample to follow the OAuth 2.0 approach used in this sample: An Android application with Azure AD B2C using OAuth. Key things you'll need to adapt:
You'll need to specify the B2C authorization and token endpoints: https://login.microsoftonline.com/tfp/TENANT_NAME/POLICY_NAME/oauth2/v2.0/authorize. Example from Android sample
You'll need to add your application/client ID as a scope. Example from Android sample
You won't be able to call the Graph's /me endpoint for token validation and to get user details. You'll need to validate the token and extract the claims from it yourself (ideally through a good JWT open source library since this isn't trivial, unfortunately I don't know any that I can recommend at this time).
EDIT
I've created a python sample for Azure AD B2C and used python-jose for token validation and claim retrieval. Check it out.
Based on the documentation here, Azure AD B2C supports both OpenID Connect and OAuth 2.0 protocols.
Azure Active Directory (Azure AD) B2C provides identity as a service
for your apps by supporting two industry standard protocols: OpenID
Connect and OAuth 2.0. The service is standards-compliant, but any two
implementations of these protocols can have subtle differences.

Azure AD B2C - Sign out a user from all sessions

I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, sign out of them all.
Likewise if their account is deleted.
I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.
Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?
Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.
According the description on Azure Document:
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in
You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.
Any further concern, please feel free to let me know.
I might be late. But if that helps. A.c to docs
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
This is called single sign out .
Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out
Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.
microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens
Request
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions
Response
HTTP/1.1 204 No Content

Resources