I have a requirement to build a web app that connects to a customer's API (authenticated as the user using the web app). This same web app will need to connect to our own internal API which is authenticated with B2C.
The problem is that each customer has their own authentication server (always Okta) and so I couldn't add an IDP for each customer in a custom policy because I'd have to add thousands and continue to add them.
Is there a way to get IDP configuration programmatically so that I can look up the correct Okta instance?
Any other suggestions are welcome.
I had limited chance to set up the above scenario and test in lab.
Add the app in Okta and set the below parameters, instead of adding app in AAD.
Login redirect URI: https://{yourb2ctenantname}.b2clogin.com/{yourb2ctenantname}.onmicrosoft.com/oauth2/authresp
Change the following settings in the B2C Claims provider
Okta OpenId Connect Settings in B2C Policy:
ProviderName: https://{yourOktaTenant}/oauth2/default
METADATA: https://{yourOktaTenant}/oauth2/default/.well-known/openid-configuration
Reference Link: Use below link for custom policies in B2C:
https://github.com/mleziva/azure-b2c-okta-custom-policy
Related
I would like to build a web site that will allow any customer to login using their Azure AD. How can I do that? I have used previously authentication with Azure AD for my organization but how can I enable that for any customer? Sort of allowing customers to login with Facebook or Google, instead, when they click login they will be redirect to Azure AD.
If you want to use a personal account or social account to log in to the Azure AD application, you only need to modify the manifest configuration of the existing application, and then change the /tenant id endpoint to the /common endpoint.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
We need to configure okta as IDP for azure ad applications. For example: When a user tries to access the enterprise application, they'll be challenged with a login page, which will be validated by OKTA. Post this authentication, the authorization will be handled by Azure and upon successful authorization, user will be shown a landing page of the application.
We have referred below links as reference for setup:
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp
https://developer.okta.com/docs/guides/custom-url-domain/overview/
What we did so far?
Registered company "example.com" in okta. By default okta configures it as "example.okta.com"
Registered custom domain "id.example.com". Our okta instance is accessible using this domain
Created an enterprise SAML app (which also exist in Azure AD) in OKTA
Exported OKTA IDP metadata
Now, we are trying to import this IDP metadata as external identity provider in AAD. But it fails with below error, if we map example.com or id.example.com as domain name of federating idp. Because of these errors we’re unable to setup the custom domain of federated IDP(OKTA). Please assist us on the approach for the same.
Error Messages:
For domain as "id.example.com"
Failed to add a SAML/WS-Fed identity provider.This direct federation policy does not pass one or more requirements. Go to aka.ms/b2b-direct-fed to learn more.
For domain as "example.okta.com"
Failed to add a SAML/WS-Fed identity provider.This direct federation configuration is currently not supported. The authentication URL must match the domain for direct federation or be one of the allowed domains. Go to aka.ms/b2b-direct-fed to learn more.
You need to go through the Azure AD federation compatibility list to learn about how to federate an Azure AD tenant with a 3rd party IDP like Okta and others.
#Kalyan Krishna
Hi,
Thanks for the reply. We have already gone through the documentation. OKTA is listed down as one of the supported 3rd party federated IDP that Azure supports. We referenced the MS docs and tried to configure, but we observed Azure AD doesn't support external IDP(OKTA) configuration with custom domain. It throws error as mentioned in the above post. So, we tried to configure the federated domain as ".okta.com" (including other IDP metadata details). It worked then, and for authentication AZ AD is getting redirected to OKTA. SP authentication flow works fine when myapps URL is appended with tenant ID, but while testing IDP initiated SSO it fails.
IDP initiated SSO fails with OKTA as an IDP in Azure
We have configured OKTA as an IDP in Azure AD. While testing the IDP(OKTA) authentication flow, it throws error.
Configured Okta & Azure AD using below microsoft link as reference.
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
What we did so far?
Registered company "example.com" in OKTA.
Created a custom SAML app in OKTA to export the OKTA IDP metadata
Configured the app SSO settings as above reference link
Imported OKTA metadata as external IDP in AzureAD
Followed below steps to test IDP Authentication Flow
Logged in with the existing user in OKTA
After successful authentication, user is redirected to dashboard page
Here, when we click on custom app chiclet, instead of getting redirected to Microsoft apps portal, it throws below error -
AADSTS50107: The requested federation realm object 'http://www.okta.com/xxxxxxxxxxxxxxxxxxxx' does not exist.
i think direct federation doesn't support idp initiated login, you need to login using tenant context.
have you seen that note in the link you pasted ?
Direct federation guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid= or https://portal.azure.com/, or in the case of a verified domain, https://myapps.microsoft.com/\.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Direct federation users are currently unable to sign in using common endpoints that have no tenant context. For example, using https://myapps.microsoft.com, https://portal.azure.com, or https://teams.microsoft.com will result in an error.
Fixed for all users - Web App URL - https//foo.bar.com
Entity ID - https//foo.bar.com/auth/callback?id=<unique-app-id>
Unique for each app
Callback URL - https//foo.bar.com/auth/callback?id=<unique-app-id>
Please suggest for Azure AD specific
We can achieve this by following approaches:
Configuring the application in different tenants in Azure AD.
Service provider can send ACS url to IDP, so that it can be redirected to that URL after login. Note: IDP initiated would use default ACS url in configuration in Azure AD.
I'm pretty new with Azure and all its services and I want to use Azure B2C to provide authentication to local users and FB providers. However, I noticed that I cant use the workflow I have defined in my mobile app because Azure has a redirect URL to load a browser and show the web page defined by them or custom according to the policies defined for sign in.
I've been googling for a while but doesn't seem there's an option to have a webAPI that receives data from the mobile app and authenticate against the Azure B2C.
Does anyone know if there's a way to not use the redirect URL and use the app login workflow?
Thanks!
Currently, Azure AD B2C doesn't have support for this.
However, work to support for the Resource Owner Password Credentials flow in Azure AD B2C is in-progress.
This new feature will enable the mobile app to collect a user credential and POST it to the B2C tenant for validation.