I'd like to start with a Google Service Account credential (either opaque access token or ID JWT) and end with an Azure B2C credential. Is something like this possible with Azure? I'm not seeing any APIs for doing it: https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
Note: this is conceptually similar (but different in terms of target identity) from another question I asked earlier:
Impersonate Azure Service Principal from a Google Service Account
EDIT: Our use case for this is exchanging Google Service Account credentials that represent an untrusted client (e.g. a user in the system), for a user token in Azure B2C. Unfortunately, this eliminates the client credentials flow, as mentioned in the comments.
Azure AD B2C only supports interactive federation flows with other identity providers.
Google service accounts are non interactive authentications. The only way AAD B2C can pass these credentials to Google would be through its REST API interface.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile
The credentials would need to be hard coded into the policy or through AAD B2C “policy keys”.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api?tabs=windows&pivots=b2c-custom-policy
From what I can see, AAD B2C REST API interface doesn’t support an authentication method that Google needs. So I would conclude it’s not possible.
Related
I have setup a azure ad b2c service to sign up/ sign in my users and have used third party identity providers google and microsoft. After successful logging in, I get idp_access_token
back from b2c service. Can I use this token to directly connect to google and microsoft api
as azure docs mention, this token is issued by identity providers and returned as claims by b2c service. But the idp_access_token doesn't seem to be a valid access token and no claims are included in it.
To get a valid "idp_access_token", please check if you have to set "v2.0" in the metaurl of the OpenId Identity Provider Configuration:
https://xxx.b2clogin.com/xxxx.onmicrosoft.com/v2.0/.well-known/openid-configuration
We maynot be able to edit metadeta url of already created one .So try create new one with "v2.0" in metaurl.
When a user signs with identity provider, like google or Facebook, your app gets the identity provider's access token passed in Azure AD B2C token.This idp_access_token can be used call the identity provider’s API, such as the Facebook Graph API i.e;Usually the embedded IdP access token is used to call the services that the IdP hosts. For details see Pass an access token through a user flow to your application in Azure Active Directory B2C.
Reference: techcommunity.microsoft.com blog
Note :
Azure AD B2C supports passing the access token of OAuth 2.0 identity providers, which include Facebook and Google. For all other identity providers, the claim is returned blank.
Even if idp_access_token claim is a valid JWT, it cannot be used to access Microsoft Graph or other additional scopes. As usually the
embedded IdP access token is used to call the services that the IdP
hosts. But Microsoft Graph data is hosted in Azure AD and not in
Microsoft Account side.
You can check this microsoft document to Set up sign-up and sign-in with a Facebook account using Azure Active Directory B2C or with a Google account using Azure Active Directory B2C
References:
Using Azure B2C login to access Microsoft Graph is the social login is a Microsoft account
We're considering to use Azure AD B2B OR B2C for SSO service. We will not be using Azure B2B built-in SSO login page OR B2C custom-policies based login page. We've our own custom login JSP page that we plan to use MSAL Graph APIs for calling Azure AD authentication services.
Questions:
Is this MSAL APIs applicable to B2C only, or can we use this with B2B tenant application as well? All the documents and guidance that I can take as an example uses B2C tenant app only.
If I am using MSAL OAuth 2.0 authentication services for my custom login page, I assume we don't need to rely on SAML SSO configuration. Or would it be possible to use mix of these services (i.e. SAML for basic login authentication, MSAL OAuth2.0 calls for self service account registration)?
I appreciate if anyone can shed some light on this.
Thanks.
B2B and B2C serve two different purposes. B2B is meant for you to use to invite external federated users to your directory using their own credentials whereby you can assign them access directly to your resources. On the other hand, B2C is a separate directory where you allow users to register, optionally using their own credentials from federated providers as well. If your aim is to SSO to a local AzureAD protected resource, then clearly you're going to have to tell that resource to use the B2C directory as an IdP as well. Hence, B2B is much simpler for SSO, but a big differentiator is scale. If you plan to invite a massive number of users, then this it is not a good idea to user B2B.
MSAL uses standard protocols such as OAuth 2.0 and OIDC to authenticate directly to any supported IdP, including Azure AD or Azure AD B2C. Being a guest user or not has no bearing on that process. It is also important to mention that B2C does require either a User Flow or a Custom Policy to function.
So to answer your questions to the best of my ability:
1- MSAL libraries work similarly for both Azure AD and Azure AD B2C. There may be some configuration differences in case of B2C to supply additional information regarding the policy name, etc. But they work all the same.
2- MSAL itself does not support SAML authentication. For that you'll need a library which can perform SAML authentication. While Azure AD supports SAML natively, Azure AD B2C requires you to setup a custom policy to configure SAML authentication.
I am using Azure B2C to connect my own openid connect server using OpenID onnect (Preview) provider. I configured every thing, system is working fine.
But one thing is when a new user logs in through my own openid connect server, Azure AD B2C creates this user in Azure AD which is connected to Azure B2C.
My intention is that, My client application has to call Azure B2C. Azure B2C should display list of identity providers. one among those providers is my own openid connect server. Then user can input his credential in my own openid connect server and verified and return back to Azure B2C with id_token. after this step Azure AD B2C is asking me to create this user in Azure AD. why this is happening ?
I cannot provide my user details to any intermediate systems. Please help me on this.
The same scenario is happening for gmail users also. but only first time login or when we change some signin policy attributes.
Based on my experience, even for externally authenticated users (social sign-in) AAD B2C always creates an object in its local store (which is actually an Azure AD directory). I can't speak authoritatively, but a couple of reasons for this would be 1) the ability to generate and maintain an immutable ID for a user that is somewhat independent of the social IdP, and 2) the ability to collect and store additional attributes which are not available from the social IdP.
I believe you can make the process invisible to your users - they don't necessarily have to be prompted to enter additional attributes or to create a user - but it will still happen in the background.
AD FS is configured with custom policies as a claims provider on Azure AD B2C using WS-Federation and SAML. The relying party on Azure AD B2C is using OpenID Connect.
Is it possible to do front-channel single logout initiated through OpenID Connect?
OpenID Connect Front-Channel Logout 1.0 - draft 02: http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html
Single logout is initiated from the relying party using OpenID Connect and continued through Azure AD B2C using WS-Federation and reaching the AD FS. Thereby terminating the session in both the relying party, Azure AD B2C and AD FS.
If so, how is that configured in Azure AD B2C with custom policies?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
That practice is highly discouraged as it's quite invasive on the end user and risks discouraging the user from doing SSO, rather opting for local accounts.
For example, if the user signed in using Facebook and then signs out of your application, they'll probably be very annoyed by the fact that they've also been signed out of Facebook and after enough times of this happening, might give up on SSO using Facebook and just create a local account that doesn't messes up their experiences elsewhere. A similar case could be made for business customers that, by signing out of your app, also get signed out of all of their other business apps.
All that said, you can still request support for this via the Azure AD B2C feedback forum.
I have an application that authenticates users agains Azure AD using OAuth and I want to provide the ability to setup certain information associated to each user by his admin in Azure AD, so I can read it as part of the authentication process. I would also like to be able to use the claims functionality provided by Azure ActiveDirectory so the admin can define custom mappings between user attributes in his AD and what I am going to read, as explained here.
Apparently those claims can only be read from a SAML token that would be the result of a SAML authentication, but since I am already authenticating using OAuth I would like to avoid having to do that. My question therefore is: can those SAML tokens or the information contained in them be obtained somehow either as part of the OAuth authentication process or afterwards?
When you say "provided by ActiveDirectory" you mean Azure AD not on-premises AD?
There is no way currently to add claims to the token in Azure AD. They are "canned".
That link you refer to is for SaaS application in Azure.
The way to get information out of Azure AD is via the Graph API.