Azure B2C prevent email address change after Home Realm Discovery - azure-ad-b2c

I have managed to get the modern Home Realm Discovery (HRD) policy working with our directory and several federated IdPs. However, there is a loophole that I would like to be able to close. If a non-federated domain email is used, the user is then forwarded on to Local Account login with username (i.e., email) and password, but the email value can still be changed, including to one using a federated domain. Also, the Forgot Password dialog does not seem to pre-populate the email address so it can, again, be changed to any email address. Finally, even after verifying the email, there is the "Change Email" option.
I would like to be able to either
Lock in the entered email after HRD "failure" until the user completes or cancels the login,
Detect any changes to an email address in a known federated customer domain and send them back into the federated flow or...
Detect such changes and just error out.
Any ideas how to make this work? I did a little experimenting with the readOnlyEmail examples I saw but either something complained that it did not exist (like ParseDomain) or it was still rendered as a mutable field rather than read-only.
-GBS

• Yes, you can prevent the email ID from being changed, even after the email has been verified in the ‘home realm discovery’ step, by hiding the change-email option or greying it out once the email has been entered for the verification email step. You can do this by adding the CSS entry below to your HRD-enabled HTML page by customizing your HTML page template.
<style type="text/css">
.changeClaims
{
visibility: hidden;
}
</style>
To customize your HRD-enabled sign-in and sign-up HTML page with the above entry, please refer to the documentation link below for detailed information. From that link, download the default HTML page, modify it with the above entry in the appropriate location, save it in the repository from which you serve the HTML files, and modify the custom policy accordingly, i.e., with the ‘api.signin or signup’ content definition building blocks, then save it.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
By following the steps in the above link, you will be able to customize your HRD-enabled sign-in and sign-up page, including greying out the change email option. Also, to complete the prerequisites for it and to review the options regarding the change email option, please refer to the link below:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy#hide-the-change-email-button

Related

GitLab account blocked while changing the username. How do I unblock it?

I wanted to change my username on GitLab so I followed the following procedure:
Navigate to your profile's Settings > Account.
Enter a new username under Change username.
Click Update username.
After clicking on Update, nothing seemed to change, so I refreshed the page and received the following error:
Your account has been blocked. Please contact your GitLab administrator if you think this is an error.
How do I unblock my account?
PS: I opened a GitLab SaaS account
This thread mentions
Check <external_url>/admin/application_settings/general > expand Sign-up Restrictions, and verify if the checkbox for Send confirmation email on sign-up is checked or unchecked?
Having that setting enabled will send a confirmation email, and for that user to be “unlocked”, it requires that the confirmation link in the confirmation email is clicked.
If you’re creating a user with Ansible and the confirmation email isn’t received and the link it contains clicked, it would cause the “user is blocked” error you’re seeing.
If you did not check the box for this requirement, I suspect the default setting might’ve changed in 12.9.x. Do you notice if this checkbox was checked before upgrading?
Unchecking the box, or manually “confirming” the email of your Ansible-created user in the GitLab Admin UI should remove the block on this user.
In your case, since you are changing the user manually, see if:
the IP is blocked (try from another network/device)
if you have an IDE opened with a GitLab repository accessed through HTTPS: the IDE might need to refresh the Git repository state periodically, and would be using the old credentials (old username).
The OP goutam thakur confirms in the comments:
My account was unblocked after I submitted a request through the form "Gitlab.com (SaaS) user accounts and login issues".

Azure B2C with pre-invited users

I maintain an app where we use Azure AD B2C to authenticate.
The flow is this:
Users are invited by email
They click a link to sign up using a B2C signin/signup flow
They fill in their info, including email address
They are redirected to our app
Now, what bothers me is that the users have to enter in their email address, even though we already know it. We just invited them using their email address.
It has been suggested that we could send people to a password reset page instead. But that doesn't seem ideal either, since they then have to verify their email address, even though we just verified it. After all, they started the flow by getting an email.
In many cases the users mis-type their email address when they are asked for it. That creates a lot of new issues, because we now have two different email addresses for the same users.
A similar question has already been answered: How to pass email suggestion to Azure AD B2C SignUp page. The answer https://stackoverflow.com/a/56503578/341185 describes how to send invitations.
Alternate approach using Javascript in custom policies
You can use custom policies along with Javascript to show email of the user in email address text box.
Approach:
While sending the invitation link, send an extra query parameter like &email_hint=azureb2ccustomer#b2clogin.com and follow the steps below to show this email_hint value in the email address text box.
Steps:
Enabling Javascript in custom policies https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-samples
Change page contract to allow custom policies to run javascript https://learn.microsoft.com/en-us/azure/active-directory-b2c/page-contract
Update SignupOrSignin user journey to directly take to SignUp page https://stackoverflow.com/a/56503494/341185
Update your blob HTML page to read the query parameters and put the value inside the email textbox:
// Read the query string of the invitation link the user arrived with
var urlParams = new URLSearchParams(window.location.search);
// Pre-fill the sign-up page's email field with the email_hint value
document.getElementById("email").value = urlParams.get('email_hint');
Click here for example request
Add your comments if you still require any other kind of approach than described above to fit into your business model.
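As an added example (not code from the answer above), a hardened form of that prefill step: it accepts the email_hint parameter only when it looks like a single plain address, then fills and locks the field so an invited user cannot mistype a different one. It assumes the B2C page template renders the email input with id "email", and note that the @ in the invitation link must be percent-encoded as %40, since an unencoded # starts a URL fragment and is dropped from the query string.

```javascript
// Added example, not part of the original answer: validate the email_hint
// query parameter before pre-filling the Azure AD B2C sign-up page.
// Assumes the B2C page template renders the email input with id "email".

// Conservative check: one local part, one "@", one dot-separated domain,
// no whitespace or angle brackets that could confuse the page or policy.
var EMAIL_HINT_RE = /^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/;

// Returns the validated hint from a query string such as
// "?email_hint=someone%40example.com", or null if absent or malformed.
function extractEmailHint(search) {
  var params = new URLSearchParams(search);
  var hint = params.get('email_hint');
  if (hint === null) {
    return null;
  }
  hint = hint.trim();
  // Reject overlong values and anything that is not a plain address.
  if (hint.length > 254 || !EMAIL_HINT_RE.test(hint)) {
    return null;
  }
  return hint;
}

// Fills the sign-up email box and makes it read-only so the invited user
// signs up with the address that was invited. Returns true when applied.
function applyEmailHint(doc, search) {
  var hint = extractEmailHint(search);
  var field = doc.getElementById('email');
  if (hint === null || field === null) {
    return false;
  }
  field.value = hint;
  field.readOnly = true;
  return true;
}

// Browser entry point; skipped where there is no document (e.g. Node).
if (typeof document !== 'undefined') {
  applyEmailHint(document, window.location.search);
}
```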
If you want to use custom policies, you can use the flow for password reset that has:
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=JWT
This puts the email address in a JWT so the user does not have to enter it.

Custom Azure B2C Password Reset Flow via Username

I set up a password reset flow using Azure B2C and local Azure accounts that uses the user's email address and verification code. However, my client would like to have a password reset email sent to the user based on the user name, not the email address. The user email would be looked up behind the scenes and an email sent that would include a link to the password reset page, as shown in the flow below.
After reading a gazillion articles on custom Azure B2C policies, I'm struggling to convince myself if it is possible to do what the client is asking for using Azure B2C.
In the sample password reset flow shown below, some of the areas I'm struggling with include:
Is it possible to create custom pages in the password reset flow such as the page in Step 4 that displays the user's masked email address, or the information page in Step 7?
Is there built-in functionality to look up a user's email address and Active Directory Object ID based on their user name, or would I have to call out to a custom Azure Function and use the Graph API to do this?
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
At the moment, it seems like it would be easier to create a completely custom ASP.NET MVC app to handle the requirements than it would be to use Azure B2C custom policies, but that isn't really a path I want to go down.
Is it possible to create custom pages in the password reset flow?
Yes, you can create your own custom password reset user flow using Azure Active Directory B2C.
In your case, if you want to figure out your custom page, you could refer here.
Is there built-in functionality to look up a user's email address and Active Directory Object ID based on their user name, or would I have to call out to a custom Azure Function and use the Graph API to do this?
Using the Microsoft Graph REST API you could fetch your user information.
In your case you could use
List users
Get a user
To access user information you could also refer here in great detail.
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
You can use the company branding feature to customize the content of verification emails for resetting passwords.
Note: For better clarity, you could check the Azure AD B2C: Frequently asked questions (FAQ) before the final workaround, which will definitely guide you to define the ultimate go-ahead.
Update
As per the Microsoft document, right now you cannot create exactly what your sample shows. See the screenshot; there are important remarks.
Thank you.
This GitHub project covers the case you describe. Still needs a lot of understanding about custom flows to get it working.
https://github.com/yoelhor/aadb2c-verification-link

Demo Account Branding: Override DocuSign_EmailResources

I uploaded a file DocuSign_EmailResources.xml to override the Master file and I do not see my changes. The documentation says that 'The ability to use the resource file option is not normally enabled for an account; contact your Account Manager or DocuSign Support for more information about enabling this option in your account'.
Before we update our production, we would like to test on our demo account using the SOAP API. I just want to add a link to the Email text. When I try this through the API, the link is disabled in the email as it is being formatted by the server-side program.
Is there any setting that I am missing?
Thanks in advance.
If you can see (and access) the Resources tab when Editing a Brand Profile in the DocuSign web console, then this should mean that "the ability to use the resource file..." is indeed already enabled for your account.
The Email Resource file is quite lengthy, and is divided into various sections -- each section being the email template that's used for a specific type of email that DocuSign sends. So, for example, if you wanted to modify the contents of the "signing invitation" email that DocuSign sends to a recipient when it's their turn to sign, you'd modify contents within the Envelope Activation section of the Email Resource File. Changes applied to other sections of the resource file would not impact/affect the signing invitation email. If you haven't already done so, I'd suggest that you review the Email Resource File Guide (http://www.docusign.com/sites/default/files/DocuSign%20System%20Default%20Email%20Formats.pdf) to ensure that you've modified the correct section of the resource file for the type of email that you intend to affect.
Also, keep in mind that each Email Resource File applies to a specific (single) Brand. So, if you have multiple Brands within your account, make sure that you're modifying the Email Resource File for the Brand that's used for the Envelopes where you expect/want customized email content.

Drupal 6 Registration Password Field Missing

I have taken over support for a Drupal site, and need to change the registration process so that users enter their password when registering, rather than receiving an email with a system generated password. This should be as simple as un-checking the "Require e-mail verification when a visitor creates an account" check box, however, the password field does not appear. Unfortunately, the person who set up the site originally is not available.
I've checked the various modules we have to see if one of them is the cause, I've checked our theme/stylesheet, and confirmed that we did not change the user.module at all. I've tried installing LoginToboggan.
I do know that Drupal knows that the box is not checked, as it sends out the email for no email verification required.
Any ideas on what could prevent the password field from appearing or other places I could check?
example.com/admin/user/settings
uncheck:
Require e-mail verification when a visitor creates an account
