Azure b2c enrolment - azure-ad-b2c

We are using B2C for our website. We are trying to integrate with another vendor; they are willing to change their portal to allow our customers to single sign-on from our website. Question: how would this flow work? I would picture they have a button for enrolment which allows the customer to sign in with their B2C credentials; then they store the credential mapping, and next time, whenever the customer is already logged in, they would automatically be logged in to the vendor's portal too?

You would federate your vendor with B2C using either SAML 2.0 or OpenID Connect.
Yes, on the vendor side there would be a "Login with B2C" button.
Once logged in, a cookie is set.
You get SSO as long as the cookie is valid.

What is the recommended approach for generating Azure AD Signin logs with passwordless azure B2C signin custom policy?

I am implementing a passwordless sign-in experience for local B2C account users with MFA credentials through Azure B2C custom policies. I am using AzureMfaProtocolProvider with a phone number stored in a custom attribute as an SMS MFA option, and OneTimePasswordProtocolProvider with an email address stored in a custom attribute as an email MFA option. When I initiate a login, the first step is username retrieval. The username is used to read the MFA options from AD, which are then presented to the user as options. Once they select an option, a code is sent and they must successfully validate the code from one of the MFA options before a token is issued to the application. This works great; however, I noticed that Active Directory does not store and log a "sign in" in the sign-in logs (https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins). Per the document, MFA challenges should generate a sign-in log, but it seems that MFA challenges with these protocol providers (AzureMfaProtocolProvider/OneTimePasswordProtocolProvider) are not sufficient.
I am concerned that we will miss inherent Active Directory risk tracking without "sign ins" being generated. I am also operating under a business requirement to see those logs generated for auditing purposes.
As a workaround, I am adding a pseudo password to user accounts on creation and then faking a login with the "login-NonInteractive" technical profile, which validates the credentials in AD using OIDC. This successfully generates a sign-in log, but it seems hacky. My question is: what is the recommended approach to generate a sign-in log in Azure AD with a passwordless solution?
what is the recommended approach to generate a signin log in Azure AD with a passwordless solution
For this scenario, you can implement a magic link: in this web application the user can click the login button and is then redirected to the identity provider in Azure AD B2C.
Now, on the custom policy page, the user can select the magic link option to authenticate, provide their email address and continue; Azure AD B2C will send a request to the magic link web application, and this web API is responsible for generating the magic link which is sent to the user's mailbox.
For more information in detail, please refer to the links below:
samples/policies/sign-in-with-magic-link at master · azure-ad-b2c/samples · GitHub
https://github.com/azure-ad-b2c/samples#multi-factor-authentication-enhancements

Azure B2C - How to skip sign in page for profile edit flow on mobile app

According to the documentation here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-profile-editing-policy?pivots=b2c-custom-policy, the profile edit flow will show the sign-up or sign-in page if there is no active session. If the session is active, then Azure AD B2C authorizes the user and skips to the next step.
However, if I understand correctly, this 'session' would be in the form of a cookie, right? If that's the case, what would happen with mobile apps?
A mobile app doesn't use cookies. After logging in, it only has the ID token, access token and refresh token. So if a user logs in on an app and then wants to do a profile edit flow, how would the app tell the browser that the user is already logged in?
If you are using the web view redirect flow, a cookie is set in the web view, which then gives SSO for profile edit. You don't need to configure anything in B2C to make it behave like this; it's the default.

User needs to re-authenticate with Azure AD B2C after the user closes and reopens the browser

I have an Angular front-end application which is using Azure AD B2C custom policies (Home Realm Discovery) to authenticate federated AAD users.
After I log in to the application with a federated Azure AD tenant user, close the tab (without logging out), then open a new tab, access the application and log in, the user is automatically signed in. This is the expected behavior of the SSO feature.
But if I close the browser and reopen it, when I try to log in it asks me to input the user name; it seems the session is lost and the user needs to re-authenticate.
I saw the documentation below on the Microsoft website:
The Keep me signed-in feature extends the session life time through the use of a persistent cookie. The session remains active after the user closes and reopens the browser. The session is revoked only when a user signs out. The Keep me signed-in feature only applies to sign-in with local accounts.
I was wondering if there is a way to use the persistent cookie for Azure AD B2C (federated Azure AD tenant user)? How can I keep the session active after the user closes and reopens the browser?
Any help would be appreciated. Thanks.
According to the Microsoft doc:
You can enable Keep Me Signed In (KMSI) functionality for users of your web and native applications that have local accounts in your Azure Active Directory B2C (Azure AD B2C) directory. This feature grants access to users returning to your application without prompting them to reenter their username and password. This access is revoked when a user signs out.
And the prerequisites:
An Azure AD B2C tenant that is configured to allow local account sign-in. KMSI is unsupported for external identity provider accounts.
So, at present, there is no way to use the persistent cookie for Azure AD B2C (federated Azure AD tenant user).
For more information, please refer to this.

ADB2C with authentication/logout not working in Blazor

When using ADB2C for authentication in a Blazor WebAssembly project, authentication/logout seems to log out and shows a page asking the user to close all browsers.
Anyway, if the user just uses the back button in the browser, she/he is still able to access the contents and is treated as still logged on.
So, how do I get a real logout?
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
To sign out the user, redirect the user to the end_session endpoint that is listed in the OpenID Connect metadata document (example):
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Fjwt.ms%2F
Reference: Azure Active Directory B2C: Web sign-in with OpenID Connect

Azure AD B2C - Sign out a user from all sessions

I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, they are signed out of them all.
Likewise if their account is deleted.
I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.
Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?
Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.
According to the description in the Azure documentation:
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in
You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.
Any further concern, please feel free to let me know.
I might be late, but if that helps: according to the docs,
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
This is called single sign-out.
Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out
Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.
microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens
Request
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions
Response
HTTP/1.1 204 No Content
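The Blazor answer (end_session redirect) and the single sign-out answers above (a LogoutUrl that B2C calls with HTTP GET, plus revoking everything when an account is deleted) fit together as follows. This is an added, framework-independent example, not code from any of the answers or from Microsoft; the in-memory session store, the cookie name and the post-logout allow-list are assumptions, and a real app would keep sessions in a shared store so all three websites see the revocation.

```python
from typing import Dict, Optional
from urllib.parse import urlencode
import secrets

# Assumed: the post_logout_redirect_uri values registered for the app.
ALLOWED_POST_LOGOUT = {"https://jwt.ms/"}
COOKIE_NAME = "app_session"  # assumed name of the app's own session cookie


def build_end_session_url(tenant: str, policy: str, post_logout_redirect_uri: str) -> str:
    """Build the B2C logout URL shown in the Blazor answer. The redirect target
    is checked against the allow-list so the logout cannot bounce users to an
    arbitrary site; B2C also validates it against the app registration."""
    if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT:
        raise ValueError("post_logout_redirect_uri is not registered")
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/logout?{query}")


class SessionStore:
    """Server-side sessions keyed by an opaque cookie value. Each session
    remembers the B2C user object id (oid claim) so every session of one user
    can be found when the account is deleted or revoked."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # cookie value -> oid

    def create(self, oid: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = oid
        return cookie

    def is_signed_in(self, cookie: Optional[str]) -> bool:
        return cookie is not None and cookie in self._sessions

    def handle_logout_url(self, cookies: Dict[str, str]) -> int:
        """Handler for the registered LogoutUrl. If the GET is made from the
        user's browser, the app's own cookie is what identifies the session,
        and that cookie needs SameSite=None; Secure to be sent cross-site.
        Clear the session if present and always return 200 as the docs ask."""
        self._sessions.pop(cookies.get(COOKIE_NAME, ""), None)
        return 200

    def revoke_user(self, oid: str) -> int:
        """Local counterpart of Graph revokeSignInSessions: drop every session
        of this user (e.g. after account deletion). Returns how many were cut."""
        doomed = [c for c, o in self._sessions.items() if o == oid]
        for c in doomed:
            del self._sessions[c]
        return len(doomed)
```

The Graph call in the answer above invalidates B2C-side refresh tokens; `revoke_user` is the matching step for the app's own sessions, which the Graph call cannot reach.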