About the sample "https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation".
Someone who has already used it, can you comment on how you handled the authentication logs? I noticed in the B2C Logs both the user who is "Impersonated" and the user who is "Impersonator", I did not find any records that indicate that there was an "impersonation" process.
The Token generated in this process is for the "Impersonator" user, and has information about him, is it possible to bring information about the "Impersonated" user?
There will be nothing official in the logs generated by AAD B2C for this impersonation, and AAD B2C does not know the context of your AAD B2C policy. It can only understand that a token is issued for a particular user, not a custom process that allowed it.
What you can do is use App Insights to inject your own custom events to create logs.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/analytics-with-application-insights?pivots=b2c-custom-policy
Related
I am implementing a passwordless signin experience for local B2C account users with MFA credentials through Azure B2C custom policies. I am using AzureMfaProtocolProvider with a custom attribute stored phone number as an sms MFA option, and OneTimePasswordProtocolProvider with a custom attribute stored email as an email MFA option. When I initiate a login, the first step us username retrieval. The username is used to read the mfa options from AD and then presented to the user as options. Once they select an option, a code is sent and they must successfully validate the code from one of the MFA options to issue a token to the application. This works great, however I noticed that Active Directory does not store and log a "sign in" in the signin logs (https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins). Per the document, MFA challenges should generate a signin log but it seems that MFA challenges with these protocol providers (AzureMfaProtocolProvider/ OneTimePasswordProtocolProvider) are not sufficient.
I am concerned that we will miss inherent Active Directory risk tracking without "sign ins" being generated. I am also operating with a business requirement to see those logs generated for auditing purposes.
As a work around, I am adding a psuedo password to user accounts on creation and then faking a login with the "login-NonInteractive" technical profile, which validates the credentials in AD using OIDC. This successfully generates a signin log but it seems hacky. My question is what is the recommended approach to generate a signin log in Azure AD with a passwordless solution?
what is the recommended approach to generate a signin log in Azure AD with a passwordless solution
For this scenario, you can implement magic link in this web application user can click login button and then user is redirected to identity provider in azure ad b2c.
Now in custom policy page user can select the magic link option to authenticate and user has to provide the email address and continue azure ad b2c will send a request to magic link web application and then this web api responsible to generating the magic link which we sent to the user mailbox.
For more information in detail, please refer below links:
samples/policies/sign-in-with-magic-link at master · azure-ad-b2c/samples · GitHub
https://github.com/azure-ad-b2c/samples#multi-factor-authentication-enhancements
We have a scenario where a logged-in user (SFA, authentication has been done by Azure policies) needs to do some high-value transactions.
To allow this, we need to throw an additional authentication challenge. (MFA)
If the user access was successful we need to enrich the token somehow to read in on the client-side.
Tried to use scopes for this scenario but as they set per application couldn't make it happen, any thoughts on how it can be implemented in Azure b2c?
Thanks
The usual approach is for the application to look at the "acr" claim. This claim tells the app which B2C Auth policy the user has last arrived with. Therefore, in your app implement this logic:
User clicks high risk item
App checks current token "acr" claim
If acr != "B2C_1_MFA", then redirect the user to authenticate via a sign in/up policy that has MFA enabled
You need to create a sign in/up policy with MFA enabled and the above logic to get this to work. The App only needs to know about the policy name to know if the authentication challenges have been satisfied.
If the user has already logged in when this B2C policy is executed, the built in Single Sign On will skip the user having to enter their credentials again, and instead will just need to complete the MFA step.
Can I access the B2C error logs with the standard B2C User flows (NOT a custom policy)?
My root problem is that using a default Azure AD B2C User flow, the facebook login doesn't work. To troubleshoot it I need to see the error from B2C.
The final error is
https://my-web-client-url.azurewebsites.net/#error=server_error&error_description=AADB2C%3a+An+exception+has+occurred.%0d%0aCorrelation+ID%3a+1b85d65d-3697-4212-ad7d-ea5fb361783d%0d%0aTimestamp%3a+2019-02-05+16%3a02%3a51Z%0d%0a
But the documentation for seeing the Correlation ID logs is for custom policies, not a default User Flow.
Details:
The only MS documentation on accessing the logs is for custom policies (here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-troubleshoot-custom ). However, I'm not using a custom user flow.
prior to the error I see eight B2C<-->Facebook request/response pairs that return 302, so everything seems to be working up to that point.
Using the Dashboard, the Azure AD B2C audit logs simply says 'B2C received a bad request'. Not very helpful.
My facebook app settings has 'Valid OAuth Redirect URIs' set to "https://my-tenant.b2clogin.com/my-tenant.onmicrosoft.com/oauth2/authresp , as per the AAD B2C documentation.
Appreciate any help, thanks.
As my comment above says, I had to use custom policies to see the logs, and even then the message was "scrubbed".
Turns out the real answer was to change my authentication tenant from my-tenant.b2clogin.com to my-tenant.auth0.com.
I ditched Azure AD B2C entirely, went to Auth0.com. It's working very well and profile pictures are part of the defaults.
I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, sign out of them all.
Likewise if their account is deleted.
I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.
Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?
Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.
According the description on Azure Document:
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in
You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.
Any further concern, please feel free to let me know.
I might be late. But if that helps. A.c to docs
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
This is called single sign out .
Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out
Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.
microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens
Request
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions
Response
HTTP/1.1 204 No Content
We have an application that supports seamless login with our Azure AD tenant account via OpenID Connect implicit flow. If user is authorized to access the app providing Azure AD issued evidence - access will be granted automatically, otherwise we show regular application login screen.
Every time when user authentication is required we redirect the user to the Azure AD login page (https://login.microsoftonline.com/xyz) specifying prompt=none.
Respecting the ODIC specification such flag should have the following effect.
The Authorization Server MUST NOT display any authentication or
consent user interface pages. An error is returned if an End-User is
not already authenticated or the Client does not have pre-configured
consent for the requested Claims or does not fulfill other conditions
for processing the request. The error code will typically be
login_required, interaction_required. This can be used as a method to
check for existing authentication and/or consent.
It generally works as expected, however, there is a case where Azure AD login page will show an error screen to the End User and it happens when User logged into another Azure AD tenant.
User account '...' from identity provider
'https://sts.windows.net/.../' does
not exist in tenant '...' and cannot access the
application '...' in that tenant. The
account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory
user account.
The questions are:
Does not it violate the ODIC specification?
How to properly handle such cases in seamless for users fashion? (app is not in charge of what is going on after redirect to Azure AD).
Though I also agree that this is a violation of the spec, can I offer a workaround?
I believe you can try specifying domain_hint or login_hint parameter as well to help the system determine valid session. Hope it would give you the right answer regardless of which session user is signed in at the moment.
Yes, this is a violation of the OIDC spec. We have created a bug.
If the error is only occurring because the STS is selecting the wrong session, you could use login_hint or domain_hint to help the STS select the right session.
Yes, that is in violation of the spec and defeats the purpose of prompt=none since the the application can't keep control of the user experience anymore. #vibronet may be able to set the record straight on MS side.