Q: Azure AD B2C: SAML IDP initiated to OpenIdConnect, is it possible? - azure-ad-b2c

Trying to set up a custom policy in my Azure AD B2C tenant, I need to communicate with an external IdP using SAML IdP-initiated sign-on, so the client can navigate to their dashboard and click "my app", which goes against my B2C tenant, authenticates the user and sends them to my application using OpenIdConnect. It is required for me to get it integrated using SAML between my client's dashboard and my B2C tenant.
I used this article as a basis to create my custom policy using SAML. SP-initiated (through my app in Azure AD B2C) works, but now I need to get it working IdP-initiated.
Also found this idp-initiated sample, but here I have 2 problems:
It sets up "my app" as a SAML application (protocol in my RelyingParty), which is not what I want.
If I change that one to use "OpenIdConnect", which is what I want in my RelyingParty, I get the following error in my logs:
Policy '< myPolicyName >' in tenant '< myTenant >' does not have a supported relying party protocol
So I'm wondering at this point: is this something that's supported? I also found this unsupported-saml-modalities page in the documentation, and the last bullet point says:
Identity provider-initiated sign-on, where the identity provider is Azure AD B2C.
So, I'm not really sure if what I'm trying to accomplish is valid. Any help?

It's not possible: an IdP-initiated flow cannot respond to an OIDC relying party, only to a SAML relying party.
Secondly, as the doc states, the IdP must be B2C; it will not work for an external IdP federated to B2C.

Related

Single Logout Implementation using ITfoxtec Library

We are trying to implement Single Logout functionality in Azure AD B2C using the ITfoxtec SAML library.
We have tried multiple configuration options, but the SingleLogout method is not working as expected.
We need a reference article or post on how to configure the manifest file when using the ITfoxtec library.
We have already referred to the articles below:
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCore
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
It sounds like you have achieved logout in Azure AD B2C initiated from your application implementing the ITfoxtec Identity SAML 2.0 component.
Single logout is the case where someone other than your application initiated logout, or you want to do logout in an external IdP. For this to work you need to configure session management correctly in Azure AD B2C; maybe that is the missing part?
Also, the single logout endpoint is separate in the referred sample. The endpoint is exposed in the metadata.
Please check the below points:
You can redirect the user to the end_session_endpoint. Try whether it logs out completely with a GET request to
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{name-of-b2c-login-userflow}/oauth2/v2.0/logout?post_logout_redirect={static-webapp-url}/.auth/logout.
a) The user may still be signed in to other applications that use Microsoft accounts for authentication. To enable those applications to sign the user out simultaneously, the Microsoft identity platform sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to. See Microsoft identity platform and OpenID Connect protocol - Microsoft identity platform | Microsoft Docs
b) If you wish to support single sign-out in your application, you must implement such a LogoutUrl in your application's code. You can set the LogoutUrl from the app registration portal, or edit it from the manifest like below.
Also try giving a front-channel logout URL, which should result in single sign-out.
Please check whether you should call the Logout method like here > sample code. SingleLogout is called by an IdP (Azure AD B2C) if it wants to initiate logout in your relying party application.
Please check whether you are using the ITfoxtec Identity SAML2 component without a NameID, which may not be able to do logout or single logout. NameID is optional in login but not in logout and single logout.
References:
Configure Azure Active Directory B2C as a SAML IdP to your applications | Microsoft Docs
itfoxtec identity saml2 - How to single logout from Azure AD B2C with ITFoxTech SAML 2 library? - Stack Overflow
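The point made above about NameID being optional at login but required for logout is easy to check in code. The following is an added example, not code from the question, the answers or the ITfoxtec library: a minimal SAML 2.0 LogoutRequest builder plus a receiver-side check that refuses a LogoutRequest without a NameID or with a Destination other than its own endpoint. The issuer, B2C logout URL and NameID values are made up. Signing and signature verification are deliberately left out; a real receiver must verify the signature before acting on the request.

```python
# Added example (not from the original post or the ITfoxtec library):
# build a SAML 2.0 LogoutRequest and validate an incoming one.
import uuid
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])


class LogoutRequestError(ValueError):
    """Raised when a LogoutRequest cannot be acted upon."""


def build_logout_request(issuer: str, destination: str, name_id: str,
                         name_id_format: str = PERSISTENT,
                         session_index: Optional[str] = None) -> str:
    """Return an unsigned samlp:LogoutRequest as an XML string.

    NameID is mandatory: without it the IdP cannot tell which session to end.
    """
    if not name_id:
        raise LogoutRequestError("NameID is required for a LogoutRequest")
    root = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{NS['saml']}}}NameID", {"Format": name_id_format}).text = name_id
    if session_index:
        ET.SubElement(root, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def parse_logout_request(xml_text: str, expected_destination: str) -> dict:
    """Validate an incoming LogoutRequest and return the fields needed to end a session."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise LogoutRequestError("not a samlp:LogoutRequest")
    # Destination pins the message to this endpoint, so a request captured for
    # another SP cannot simply be replayed here.
    if root.get("Destination") != expected_destination:
        raise LogoutRequestError("Destination does not match this logout endpoint")
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if not issuer:
        raise LogoutRequestError("missing saml:Issuer")
    name_id_el = root.find("saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    if not name_id:
        raise LogoutRequestError("LogoutRequest carries no NameID; cannot tell which session to end")
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "name_id": name_id,
        "name_id_format": name_id_el.get("Format"),
        "session_index": root.findtext("samlp:SessionIndex", default=None, namespaces=NS),
    }


def logout_request_is_usable(xml_text: str, expected_destination: str) -> bool:
    """True when the request parses and carries everything logout needs."""
    try:
        parse_logout_request(xml_text, expected_destination)
        return True
    except (LogoutRequestError, ET.ParseError):
        return False


# Constructed sample values (placeholder tenant, policy and SP; not real).
SP_ISSUER = "https://app.example.com/saml"
B2C_LOGOUT = "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_signup_signin_saml/samlp/sso/logout"

# A LogoutRequest without a NameID, as a misconfigured SP would send it (constructed).
NO_NAMEID_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
    f'ID="_abc" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{B2C_LOGOUT}">'
    f'<saml:Issuer>{SP_ISSUER}</saml:Issuer></samlp:LogoutRequest>'
)

if __name__ == "__main__":
    req = build_logout_request(SP_ISSUER, B2C_LOGOUT, "user-1234", session_index="_sess1")
    print(parse_logout_request(req, B2C_LOGOUT))
    print(logout_request_is_usable(NO_NAMEID_REQUEST, B2C_LOGOUT))
```

The Destination check matters as much as the NameID check: a logout endpoint that accepts any LogoutRequest it can parse lets an attacker who obtained one message for a different SP terminate sessions here, and the signature check that is omitted above is what binds the message to the IdP in the first place.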

IDP initiated SSO fails with OKTA as an IDP in Azure

We have configured OKTA as an IdP in Azure AD. While testing the IdP (OKTA) authentication flow, it throws an error.
Configured Okta & Azure AD using below microsoft link as reference.
https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
What we did so far:
Registered company "example.com" in OKTA.
Created a custom SAML app in OKTA to export the OKTA IDP metadata
Configured the app SSO settings as above reference link
Imported OKTA metadata as external IDP in AzureAD
Followed the below steps to test the IdP authentication flow:
Logged in with the existing user in OKTA
After successful authentication, user is redirected to dashboard page
Here, when we click on the custom app chiclet, instead of being redirected to the Microsoft apps portal, it throws the below error:
AADSTS50107: The requested federation realm object 'http://www.okta.com/xxxxxxxxxxxxxxxxxxxx' does not exist.
I think direct federation doesn't support IdP-initiated login; you need to log in using the tenant context.
Have you seen that note in the link you pasted?
Direct federation guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid= or https://portal.azure.com/, or in the case of a verified domain, https://myapps.microsoft.com/\.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Direct federation users are currently unable to sign in using common endpoints that have no tenant context. For example, using https://myapps.microsoft.com, https://portal.azure.com, or https://teams.microsoft.com will result in an error.
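Both this question and the first one on the page come down to the same two checks an SP makes when a SAML Response arrives: is the Issuer a federation realm it has registered, and did anyone on the SP side ask for this Response at all. The following is an added example, not code from either question or answer and not Azure AD's implementation: it reads the entityID from an IdP metadata document, compares a Response's Issuer with the known realms (an unknown realm is the situation behind an error like AADSTS50107), and tells an unsolicited, IdP-initiated Response (no InResponseTo) from one that answers an outstanding AuthnRequest. All XML below is constructed; the Okta entityID and SSO URL are placeholders. Signature verification is out of scope here and must happen before any of this is trusted.

```python
# Added example (not from the original post, Okta or Azure AD): realm check and
# SP-initiated vs IdP-initiated classification of a SAML Response.
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def idp_entity_id(metadata_xml: str) -> str:
    """Return the entityID of an IdP metadata document (the 'federation realm')."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or root.find("md:IDPSSODescriptor", NS) is None:
        raise ValueError("not an IdP EntityDescriptor")
    return root.get("entityID")


def classify_response(response_xml: str, known_realms: set, outstanding_request_ids: set,
                      allow_idp_initiated: bool = False) -> dict:
    """Decide whether an SP should process a samlp:Response and which flow produced it."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    result = {"issuer": issuer, "flow": None, "accepted": False, "reason": ""}
    # First gate: is the Issuer a realm we registered? An unknown realm is what
    # an error such as AADSTS50107 reports.
    if issuer not in known_realms:
        result["reason"] = "unknown federation realm"
        return result
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # No InResponseTo means nobody on our side asked: this is IdP-initiated SSO.
        result["flow"] = "idp-initiated"
        if not allow_idp_initiated:
            result["reason"] = "unsolicited response rejected by policy"
            return result
        result["accepted"] = True
        return result
    result["flow"] = "sp-initiated"
    if in_response_to not in outstanding_request_ids:
        result["reason"] = "InResponseTo does not match any outstanding AuthnRequest"
        return result
    outstanding_request_ids.discard(in_response_to)  # one-shot: blocks replay
    result["accepted"] = True
    return result


# Constructed IdP metadata in the general shape Okta exports (placeholder values).
OKTA_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="http://www.okta.com/exk0000000000000000">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://example.okta.com/app/placeholder/sso/saml"/>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>'
)


def make_response(issuer: str, in_response_to: Optional[str] = None) -> str:
    """Build a skeletal, unsigned samlp:Response (constructed test input)."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{attr}>'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '</samlp:Response>'
    )


if __name__ == "__main__":
    realm = idp_entity_id(OKTA_METADATA)
    print(classify_response(make_response(realm), {realm}, set()))
    print(classify_response(make_response(realm, "_req1"), {realm}, {"_req1"}))
    print(classify_response(make_response("http://www.okta.com/exkOTHER"), {realm}, set()))
```

The one-shot removal of the request ID is what makes the SP-initiated path replay-resistant; an SP that accepts unsolicited Responses gives that up, which is one reason IdP-initiated SSO is disabled by default in many SP implementations.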

Actual impact of deprecation of login.microsoftonline.com for B2C tenants

I am a bit confused by the wording on the announcement for the deprecation of login.microsoftonline.com for "B2C tenants".
New tenants created after this announcement will no longer be able to accept requests from login.microsoftonline.com.
My main concern is: How will this affect the client credentials grant? As far as I can see, this is only supported via login.microsoftonline.com.
Although client credential flow is not currently supported by Azure AD B2C, you can set up client credential flow using Azure AD. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants. The client credential flow is supported using the Azure AD functionality of the Azure AD B2C tenant.
Will the "Azure AD functionality" continue to work with login.microsoftonline.com indefinitely? If so, where can I draw the line of what this actually means?
I have created a new B2C tenant after the announcement. So far, everything works, even the B2C user flows via login.microsoftonline.com. The only difference at the moment is that I don't get the domain selection when I click on "run user flow".
My current understanding would be that "everything that uses B2C policies must use b2clogin.com" - everything else must continue to use login.microsoftonline.com.
Without policy:
https://login.microsoftonline.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token => working URL
https://mytesttenant.b2clogin.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token => 404
With policy:
https://login.microsoftonline.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signupsignin => working URL
https://mytesttenant.b2clogin.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signupsignin => working URL
(my tenant is not actually named mytesttenant)
I think you will still be able to use client credentials flow in Azure AD B2C tenant.
The deprecation of login.microsoftonline.com just affects the Azure AD B2C functionality.
However, the client credentials flow is an Azure AD functionality, it should not be affected, the B2C tenant just shares the functionality with the normal Azure AD tenant.
I have created a new B2C tenant after the announcement. So far, everything works, even the B2C user flows via login.microsoftonline.com. The only difference at the moment is that I don't get the domain selection when I click on "run user flow".
I suppose we can, but we should not do this: as the UI has been changed, MS does not want new users (who created a B2C tenant after the announcement) of Azure B2C to use login.microsoftonline.com; the implementation has not been changed, which gives the other users a transition period.
I got an official answer back via GitHub:
Use of b2clogin.com is enforced for B2C functionality only. Client Credentials flow is not supported for B2C Applications. Since the App registered via App Registration under Azure AD B2C can also be used for standard Azure AD, which supports Client Credentials flow. For standard AAD functionality, use of b2clogin.com is not applicable and requires login.microsoftonline.com only.
For more details, refer to: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-apps#daemonsserver-side-applications

How to capture user identityId from original IdP using OpenID Connect (preview)

I'm using an App Service with EasyAuth, integrated with B2C. Within B2C I've configured the OpenID Connect provider to point back to our corporate AAD tenant. The user journey and authentication are working as desired; however, the user's sub and oid that are returned to EasyAuth contain the id of the user's B2C object, not the one from the originating AAD tenant as I'd hoped. Any way around this? Are custom policies needed?
Also referenced here on the B2C docs site:
https://github.com/MicrosoftDocs/azure-docs/issues/14209#issuecomment-459063758
Thanks
Yes, you will need to use a custom policy to pass the oid of the AAD user (from the AAD token) as an additional claim in the B2C token.

Azure AD B2C OpenID Connect single logout with WS-Federation and SAML claims provider

AD FS is configured with custom policies as a claims provider on Azure AD B2C using WS-Federation and SAML. The relying party on Azure AD B2C is using OpenID Connect.
Is it possible to do front-channel single logout initiated through OpenID Connect?
OpenID Connect Front-Channel Logout 1.0 - draft 02: http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html
Single logout is initiated from the relying party using OpenID Connect and continued through Azure AD B2C using WS-Federation and reaching the AD FS. Thereby terminating the session in both the relying party, Azure AD B2C and AD FS.
If so, how is that configured in Azure AD B2C with custom policies?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
That practice is highly discouraged as it's quite invasive on the end user and risks discouraging the user from doing SSO, rather opting for local accounts.
For example, if the user signed in using Facebook and then signs out of your application, they'll probably be very annoyed by the fact that they've also been signed out of Facebook, and after enough times of this happening, might give up on SSO using Facebook and just create a local account that doesn't mess up their experience elsewhere. A similar case could be made for business customers that, by signing out of your app, also get signed out of all of their other business apps.
All that said, you can still request support for this via the Azure AD B2C feedback forum.
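What B2C does do is the relying-party side of the front-channel logout draft the question cites: the OP loads the RP's frontchannel_logout_uri in a hidden iframe, and when the RP registered with frontchannel_logout_session_required, the OP adds iss and sid so the RP can end exactly the session that was opened through that OP. The following is an added example, not code from the question or the answer and not an Azure AD B2C sample: a handler for that GET which ends the local session only when the iss and sid in the URL match what was recorded from the id_token at login, so an unrelated page that frames the URL cannot log the user out. The issuer URL, session identifiers and cookie values are made up. Only the RP's own session is touched; nothing here reaches AD FS or any other upstream IdP, which is the limitation the answer describes.

```python
# Added example (not from the original post or Azure AD B2C): RP-side receiver for
# OpenID Connect Front-Channel Logout 1.0 with iss/sid validation.
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed B2C-style issuer (tenant id and host are placeholders).
TRUSTED_ISSUER = "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/"

# Local session store: cookie value -> iss and sid recorded from the id_token at login.
SESSIONS = {
    "cookie-A": {"sub": "user-1", "iss": TRUSTED_ISSUER, "sid": "sid-A"},
    "cookie-B": {"sub": "user-2", "iss": TRUSTED_ISSUER, "sid": "sid-B"},
}

# Headers the logout page must send: never cached, and framed only by the OP.
LOGOUT_RESPONSE_HEADERS = {
    "Cache-Control": "no-cache, no-store",
    "Pragma": "no-cache",
    "Content-Security-Policy": "frame-ancestors https://contoso.b2clogin.com",
}


def logout_url(base: str, iss: str, sid: str) -> str:
    """The URL the OP would load in its iframe (demo helper, properly URL-encoded)."""
    return base + "?" + urlencode({"iss": iss, "sid": sid})


def handle_front_channel_logout(request_url: str, cookie_session: str, sessions: dict,
                                trusted_issuer: str = TRUSTED_ISSUER,
                                session_required: bool = True) -> dict:
    """Process a GET to the frontchannel_logout_uri.

    Returns the response headers and the local session that was ended (None if none).
    """
    query = parse_qs(urlsplit(request_url).query)
    iss = query.get("iss", [None])[0]
    sid = query.get("sid", [None])[0]
    ended = None
    local = sessions.get(cookie_session)
    if local is not None:
        if session_required:
            # With frontchannel_logout_session_required the OP must send both iss and
            # sid; a request lacking them, or naming another issuer or session, is
            # ignored rather than treated as a logout.
            if (iss == trusted_issuer and sid is not None
                    and local["iss"] == iss and local["sid"] == sid):
                del sessions[cookie_session]
                ended = cookie_session
        else:
            # Without iss/sid the only thing tying the request to a user is the
            # cookie the browser attached to the iframe request, so end that session.
            del sessions[cookie_session]
            ended = cookie_session
    return {"headers": dict(LOGOUT_RESPONSE_HEADERS), "ended_session": ended}


if __name__ == "__main__":
    store = {k: dict(v) for k, v in SESSIONS.items()}
    url = logout_url("https://app.example.com/frontchannel-logout", TRUSTED_ISSUER, "sid-A")
    print(handle_front_channel_logout(url, "cookie-B", store))  # sid mismatch: nothing ended
    print(handle_front_channel_logout(url, "cookie-A", store))  # ends cookie-A
```

The frame-ancestors header is the part people forget: a site-wide X-Frame-Options: DENY or frame-ancestors 'none' silently blocks the OP's iframe and the RP session survives the OP-side logout.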
