The docs state:
This self-service password reset flow applies to local accounts in Azure Active Directory B2C (Azure AD B2C)
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
How can I have password reset functionality if my users are located in a legacy user store? (I'm using a REST Technical Profile to connect to those.)
If there is no built-in functionality for this kind of accounts, can I at least add a link to the sign-in form that will send the user to our legacy password reset page?
To clarify: by legacy/classic user store I mean a service that you can call over REST to validate credentials. Not another OIDC identity provider.
You could have B2C present its password reset pages, and right at the end, instead of writing the password to the B2C directory, call a REST API to write it to your legacy IdP/user database.
The only way B2C can hand off and hand back from an external provider is by using federation, e.g. SAML/OpenID Connect. If you want to go down this path, have the user enter their email in the B2C UI, and once you determine that it is a legacy account, redirect them to the IdP using OpenID/SAML.
To answer your comment.
Replace this in the "PasswordReset" user journey:
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
  </ClaimsExchanges>
</OrchestrationStep>
with the call to your REST API.
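As an added example (not part of the original answer), one way to wire that in: a self-asserted technical profile reuses the starter pack's password page to collect the new password, a RESTful validation technical profile writes it to the legacy store, and step 3 of the PasswordReset journey points at the self-asserted profile. The legacy endpoint URL, the key container name B2C_1A_LegacyApiClientCertificate and the userName/password/userId field names are assumptions about your API.

```xml
<ClaimsProvider>
  <DisplayName>Legacy user store</DisplayName>
  <TechnicalProfiles>
    <!-- Collects newPassword/reenterPassword on the standard B2C password reset page -->
    <TechnicalProfile Id="LocalAccountWritePasswordUsingLegacyStore">
      <DisplayName>Reset password in legacy store</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
        <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="REST-LegacyWritePassword" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>
    <!-- Assumed endpoint and JSON field names; B2C authenticates to the API with a client certificate -->
    <TechnicalProfile Id="REST-LegacyWritePassword">
      <DisplayName>Write new password to legacy store</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://legacy.example.com/api/password</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AuthenticationType">ClientCertificate</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_LegacyApiClientCertificate" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="userName" />
        <InputClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="userId" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
<!-- Replacement for step 3 of the PasswordReset user journey -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingLegacyStore" />
  </ClaimsExchanges>
</OrchestrationStep>
```

If the legacy API rejects the new password it should answer HTTP 409 with a JSON body containing `userMessage`; B2C then shows that message on the page and the step does not complete.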
I have 2 separate user journeys for Sign-In and Sign-Up using just local accounts in my custom policies.
For the Sign-In flow I can add <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" /> to my sign-in page's technical profile to both persist a new session, or to skip the page if there is already a session.
However, for my Sign-Up flow, I want to persist new sessions, but I don't want to skip the sign-up screens if they already have a session. I want them to see all of the screens and restart. How can I accomplish this?
I have set up a custom b2c policy in order for users (specific clients of ours) in specific Azure AD tenants to log into a Portal without having to explicitly sign up first (they can log into the Portal via b2c using their whitelisted AD account).
I wanted to make this happen using basic userflows but as far as I know AD multi tenancy is only possible with custom policies but that's a separate issue entirely.
What I want to do now is to take the user's attributes as they are set in their AD client (phone number, etc) and add those to the claimsbag in the sign up userjourney so that they will persist in the b2c tenant as well (and in turn map those again to the client contact in the Portal).
I have read up on enriching tokens a lot, as well as using custom attributes but so far I have not been able to find how to actually get the already existing data from the user's AD account and transfer that to the b2c account as it is created on sign up.
Maybe I need to use the Graph API to do this but I have no experience in using APIs to retrieve that data from a user (would need rights and consent as well of course) and more importantly, I don't know (yet) how I would implement/call an API in a userjourney.
If anyone can guide me in the right direction that would be very much appreciated!
If it turns out I can give specific white listed AD users (from different AD tenants) access to sign up to my b2c tenant and import data like (mobile) phone numbers from those users' AD accounts then that would of course be absolutely fantastic.
In terms of code: I am using the XML files (and thus also the user journey) from the local and social starter pack, removing the social login options from the Extensions file, adding only a multi tenant AD claimsprovider (as instructed by MS docs), and removing only some output claims in the self asserted social technical profile in order to hide the data that I am able to import and persist from the user during sign up (name, username, and alternate email (which is also the userprincipalname for some reason)).
As per this, you configure the optional claims that you want to pass from Azure AD.
Then as per this, you map these claims to the B2C equivalent.
e.g.
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
On the Azure AD side, you selected "family_name" and "given_name".
On the B2C side, the right-hand side of the mapping is the Azure AD name. The left-hand side is the B2C name.
So "family_name" maps to "surName" in B2C, and you can now use this claim in your user journey.
If I add Azure AD as an IDP to B2C using a built-in sign-up policy and sign-up with an existing Azure AD user (i.e. federation), the "placeholder" on B2C has a source of "Federated Azure Active Directory". The signed-up user has a UPN.
I can't seem to sign-in to B2C using a custom sign-in policy with that user name?
It says "Account does not exist. Please sign-up". I assume you can't mix and match built-in and custom?
I have to sign-up and sign-in using custom policies to get the sign-in to work.
In this case, the source of the "placeholder" is "Other".
The problem is that this signed-up user does not have a UPN.
Is there a way to get a UPN?
Or is this by design?
The reason is, the Issuer used in user flow is different to custom policy.
If you return the user via MS Graph (beta version), compare the Identities array of a user signed up via custom policy versus user flow (for AAD). The issuer will be different (login.microsoftonline.com vs sts.windows.net). The combination of Issuer and AAD objectId are used to create and locate the user.
Due to the mismatch, a user signed up via AAD federation with a user flow can’t sign in via custom policy, account won’t be found.
By analysing the Identities object on the users, you can take the value of the Issuer property on the account created with user flow, and insert it into your AAD Custom Policy Technical Profile for the claim called “IdentityProvider”.
Change this
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
To
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="ISSUER FROM USER FLOW USER" />
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-custom-policy#configure-azure-ad-as-an-identity-provider-1
I have set up Azure B2C as an IdP to an application that uses SAML 2.0 for federation. Currently, the user journey takes the user to the sign-in page where they can sign in with a B2C local account. The problem is I have federated users in the B2C tenant as well and these will of course have no passwords in B2C.
When the service provider redirects the user to B2C (IdP) to authenticate, is it possible to have a ClaimsProviderSelection (button) for Azure AD (or any social IdP) on the sign-in page so that the user can authenticate with a federated Azure AD account or a social provider account instead of just a B2C local account? My thought is this "double federation" is not possible/supported.
What are my options?
Think I've misunderstood the issue, but if you just add social providers and/or AAD, and configure your user-journey for those providers they will appear as selectable IdPs? See here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers
Unless you mean 'account linking', which is fully supported. See https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/account-linking.
The problem I had was figuring out how to link a policy I had created for sign in using Azure Ad as Idp with another I created for SAML.
I was able to resolve this by creating a custom policy signup signin user flow (call this SignUpOrSignInPolicyA) with Azure AD federation (I had initially only used built-in sign in and sign up flow with Azure AD IdP). Then in the custom policy for the signup signin user flow that uses SAML (call this SignUpOrSignInPolicyB), I added a user journey from the previous policy and also referenced it in the Relying Party tags. Something like this:
<UserJourneys>
  <UserJourney Id="SignUpOrSignInPolicyA">
    ...
  </UserJourney>
</UserJourneys>
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignInPolicyA" />
  ...
</RelyingParty>
So after being redirected from the SAML app to B2C for authentication, I am now able to use Azure AD federation instead of just a local account.
My application contains users from B2B and B2C directory. It is using Azure B2C Login which is created using custom policy for this purpose. Currently, it displays the B2B directory button in B2C Login screen. In my application we can identify if the user belongs to B2C or B2B directory.
My requirement is that if the user is identified as B2B user then it should redirect to the B2B login screen directly instead of B2C login and clicking on B2B Sign in button.
Is there any way by which I can accomplish this in my application?
You can assign a <Domain> to your B2B <ClaimsProvider>. Then, pass it in as a domain_hint which will take the user directly to that IDP.
This is how Facebook is set up in a starter pack and you could try it there and copy the required elements.
<ClaimsProvider>
  <!-- The following Domain element allows this profile to be used if the request comes with domain_hint
       query string parameter, e.g. domain_hint=facebook.com -->
  <Domain>facebook.com</Domain>
  ...
</ClaimsProvider>