B2C Custom Policy Dynamic Identity Provider - azure-ad-b2c

I'm struggling to find an example of this or how to do it, I'm sure that it's possible. Below is the scenario:
User directed to custom policy
User asked for email address
Policy then checks the email address against a database (via Azure Function). This function will return the provider to use. At the moment either https://login.microsoftonline.com/organizations or b2c
If the function returns https://login.microsoftonline.com/organizations then direct to Microsoft Sign in (passing email as hint so it's already filled in). This will then return back to the B2C signin flow
If B2C is returned then authentication is carried out by the B2C
Once user is authenticated via microsoftonline or B2C returned to app as normal
I know that external functions can be called from a custom signin policy. However, it's the user journey where it will send off to microsoftonline to sign in or carry on with the normal B2C flow that I'm struggling with. This article is close https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=app-reg-ga, however, I want this choice to be made dynamically based on the return value from an Azure Function.
Hopefully, someone will understand what I'm talking about

We call this home realm discovery, see this sample:
https://github.com/azure-ad-b2c/samples/tree/master/policies/default-home-realm-discovery
The sample uses a lookup inside the B2C policy itself, with a claims transformation. But you could swap that out for a REST API instead if needed.
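The journey the question asks for, written out as an added example (it is not code from the original post or from the linked sample): a self-asserted page collects the email, a REST technical profile calls the Azure Function and gets back a homeRealm claim, and preconditions on that claim decide whether the AADCommon-OpenIdConnect profile from the multi-tenant article linked in the question runs or the normal B2C local-account sign-in does. REST-HomeRealmLookup, SelfAsserted-HomeRealmEmail, HrdSignIn, the homeRealm claim, its "aad"/"local" values, the lookup URL and the key container names are assumptions of this example; the remaining profile names come from the SocialAndLocalAccounts starter pack.

```xml
<!-- TrustFrameworkExtensions.xml fragments. Assumed for this example: REST-HomeRealmLookup,
     SelfAsserted-HomeRealmEmail, HrdSignIn, the homeRealm claim, the URL and key names. -->
<ClaimType Id="homeRealm">
  <DisplayName>Realm returned by the lookup API: "aad" or "local"</DisplayName>
  <DataType>string</DataType>
</ClaimType>

<ClaimsProvider>
  <DisplayName>Home realm discovery</DisplayName>
  <TechnicalProfiles>
    <!-- Posts {"email": "..."} to the Azure Function; expects {"homeRealm": "aad"} or {"homeRealm": "local"}. -->
    <TechnicalProfile Id="REST-HomeRealmLookup">
      <DisplayName>Look up home realm</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://contoso-hrd.example/api/lookup</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AuthenticationType">Basic</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_HrdApiUsername" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_HrdApiPassword" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="homeRealm" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    <!-- First page: only the email. The lookup runs as its validation profile;
         homeRealm has no UserInputType, so it is not rendered as a field. -->
    <TechnicalProfile Id="SelfAsserted-HomeRealmEmail">
      <DisplayName>Sign in</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
        <OutputClaim ClaimTypeReferenceId="homeRealm" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="REST-HomeRealmLookup" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    <!-- Pre-fills the email on the Microsoft sign-in page. It is only a hint: the identity
         that comes back is whatever Entra ID actually authenticated. -->
    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="login_hint" />
      </InputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<UserJourney Id="HrdSignIn">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="HomeRealmEmailExchange" TechnicalProfileReferenceId="SelfAsserted-HomeRealmEmail" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Runs only when the API answered "aad". -->
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>homeRealm</Value>
          <Value>aad</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADCommonExchange" TechnicalProfileReferenceId="AADCommon-OpenIdConnect" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Otherwise the normal B2C local-account sign-in; signInName is already in the claims bag. -->
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>homeRealm</Value>
          <Value>aad</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- Steps 4..n: the user read/write by alternativeSecurityId or objectId and SendClaims, as in the starter pack SignUpOrSignIn journey. -->
  </OrchestrationSteps>
</UserJourney>
```

Two things to keep in mind with this shape. The lookup endpoint answers "which realm does this email belong to" for any address it is given, so it must never run anonymously (the Basic credentials above are the minimum; a client certificate is better) and should return the same error for unknown and known addresses rather than confirming that an account exists. And login_hint only pre-fills the Microsoft sign-in page; if the application relies on the user having signed in as the address they typed, compare the email or objectId returned by AADCommon-OpenIdConnect with signInName in a later step rather than trusting the hint.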

Related

Azure AD B2C personalised content after login

I'm building a web app (SPA) that is a case management system. Each user (mainly external to organisation) has a case on the system. I've been told by an architect we should be able to use Azure AD B2C to allow the users to login on this so I've been investigating this.
From what I can see I will get a token back from B2C saying the user is authenticated. What I don't understand is what use is that? Ok the user is authenticated but I have no idea who they are i.e. I will need to identify their case ref somehow so I can bring back their details...
If I was doing this in the old days when they login they'd be checked against a user table then their ID would be used to get their case details .. a token and data object would be returned from an api.. job done
I don't see how this would work in Azure AD B2C... am I missing something?
The JWT that is returned contains a configurable set of claims.
You can use these to identify the user. Typically, this would be email or UPN.
In your case, you need a userID. If this isn't one of the supported attributes, you can use an extension attribute to store it.
B2C can also call an API (if you use custom policies) so you could call an API to get the userID from e.g. a table and then return it as an extension attribute in the JWT.
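As an added illustration that is not part of the answer above: the RelyingParty section of the policy decides which claims land in the JWT. The directory object id, issued as sub, is the stable key to look the case up by (an email can change or be reassigned; the object id cannot), and the case reference itself can travel as an extension attribute returned by the directory read. extension_CaseRef and the case_ref partner claim type are assumed names, and the fragment assumes the AAD-Common profile has already been given the b2c-extensions-app identifiers as the Microsoft docs on custom attributes describe.

```xml
<!-- TrustFrameworkExtensions.xml: declare the extension attribute and return it with the user read.
     extension_CaseRef / case_ref are assumed names for this example. -->
<ClaimType Id="extension_CaseRef">
  <DisplayName>Case reference</DisplayName>
  <DataType>string</DataType>
</ClaimType>

<TechnicalProfile Id="AAD-UserReadUsingObjectId">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_CaseRef" />
  </OutputClaims>
</TechnicalProfile>

<!-- SignUpOrSignIn.xml: what the SPA receives in the token. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <!-- Stable key for your user/case table: the directory object id, issued as "sub". -->
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="extension_CaseRef" PartnerClaimType="case_ref" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

On the API side, resolve the case from sub (after validating the token's signature, issuer and audience) and treat case_ref as a convenience rather than as authorization: the claim was issued by B2C, but the lookup on the server is still keyed by the subject.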

Azure AD B2C - Configure PasswordReset policy directly into the Custom Policy for Sign-Up/Sign-in

In Azure AD B2C when a user clicks the "Forgot/Reset" Password, B2C redirects the user back to the Relying Party (web app), with the following error:
AADB2C90118: The user has forgotten their password.
Correlation ID: 124dd908-e181-408f-a363-ecbd46aa9d8e
The Web App (RP) should read the error code and react by redirecting the user back to B2C specifying the PasswordReset policy to be used. This is by design and it's documented in the official AAD B2C docs.
In our case, we have many web apps sharing the same Custom Policy (SUSI and PasswordReset), to offer a common login experience.
I would like to pick/configure the PasswordReset policy directly into our Custom Policy for sign-in. I'd like to avoid the user getting redirected back to the applications and then the apps deciding what PasswordReset Policy to use.
Is this possible to achieve in B2C?
As far as I know it is not. The only proper way to handle it is via the application, as you already described and also according to the docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
However, depending on your implementation and overall landscape of your identity setup, you may try using a "trick" - create a custom UI HTML template which will include a URL to the password reset policy of your choosing (static URL in the template) and hide (or disable if you use custom policies) the original "Forgot password" link which returns back to the app to handle. Attach that template to the policy - https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
This might not work or be suitable for every setup though. You may get an unexpected behaviour in the app if you open a policy and then the flow ends in a different one. I myself consider that a rather bad practice and discourage people from using it where I work. But if you really need to have something like that you may consider it.
Yes, it is possible.
"By default when you create a sign-up or sign-in policy (with local accounts), you see a Forgot password? link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset policy. Instead, the error code AADB2C90118 is returned to your app. Your app needs to handle this error code by invoking a specific password reset policy.
This policy demonstrates how to embed the password reset flow as part of the sign-up or sign-in policy. So, Azure AD B2C will not return the AADB2C90118 error message".
Starting from March 2021, the "Self Service Password Reset" is the recommended option. The previous method described in my original post is not considered legacy.
Self Service Password Reset Official Documentation: https://learn.microsoft.com/en-gb/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
Essentially, what I asked above not only is possible now, but it's also the recommended approach.
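The embedded flow the answer refers to, as an added example (not code from this thread): the "Forgot password?" link on the sign-in page is pointed at a ForgotPasswordExchange that sets an isForgotPassword marker claim, and a SubJourney that first proves control of the mailbox and only then writes the new password is invoked when that claim exists. The names isForgotPassword, ForgotPassword, ForgotPasswordExchange and PasswordReset follow the Microsoft article linked above; the other profile names and the step numbering are those of the SocialAndLocalAccounts starter pack SignUpOrSignIn journey.

```xml
<!-- TrustFrameworkExtensions.xml -->
<ClaimType Id="isForgotPassword">
  <DisplayName>isForgotPassword</DisplayName>
  <DataType>boolean</DataType>
</ClaimType>

<TechnicalProfiles>
  <!-- Only sets the marker claim when the link is clicked. -->
  <TechnicalProfile Id="ForgotPassword">
    <DisplayName>Forgot your password?</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="isForgotPassword" DefaultValue="true" AlwaysUseDefaultValue="true" />
    </OutputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  </TechnicalProfile>
  <!-- Re-points the link so B2C handles it instead of returning AADB2C90118 to the app. -->
  <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
    <Metadata>
      <Item Key="setting.forgotPasswordLinkOverride">ForgotPasswordExchange</Item>
    </Metadata>
  </TechnicalProfile>
</TechnicalProfiles>

<SubJourneys>
  <!-- Mailbox possession is proven (email code) before any password is written. -->
  <SubJourney Id="PasswordReset" Type="Call">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="PasswordResetUsingEmailAddressExchange" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="NewCredentials" TechnicalProfileReferenceId="LocalAccountWritePasswordUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>
    </OrchestrationSteps>
  </SubJourney>
</SubJourneys>

<!-- First three steps of the starter-pack SignUpOrSignIn journey; the later steps keep their order, renumbered. -->
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    <ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange" />
    <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
  </ClaimsProviderSelections>
  <ClaimsExchanges>
    <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
    <ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
  <Preconditions>
    <!-- Reset link clicked: no sign-up page. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>isForgotPassword</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="3" Type="InvokeSubJourney">
  <Preconditions>
    <!-- Everyone who did not click the link skips the reset. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>isForgotPassword</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <JourneyList>
    <Candidate SubJourneyReferenceId="PasswordReset" />
  </JourneyList>
</OrchestrationStep>
```

Because the sub journey ends with objectId set, the remaining starter-pack steps (the AAD-UserReadUsingObjectId read and SendClaims) issue a token for the account whose password was just reset, so the user is signed in at the end of the reset without any application involvement, which is the behaviour the question asked for.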

How to customize Azure AD B2C UserFlow as per the need of the customer?

We are facing an issue while implementing Authentication using Azure AD B2C Instance.
Our Requirement:
SignUp:
For the Signup process, we have to call an external API to check some status in that API; if the API returns true then create a user in Azure AD B2C, or else return with some error on it.
Assume a user is created successfully in Azure AD B2C (within the same Userflow), and now we want to store some custom fields that we have configured in Azure AD B2C; those custom fields need to also be stored in our own database, and not in the default database provided for Azure AD B2C.
SignIn:
For the Sign in process, we have to call an external API to check some status in that API; if the API returns true then continue with the Authentication flow or else return with some error details.
Please help me with this.
Solution Approach:
Approach 1: Use the inbuilt UserFlows provided in Azure AD B2C (SignUpSignIn, SignUp, SignIn, PasswordReset, Profile)
Problem Facing for Approach 1:
During the authentication process, we want to include our own customized page for MFA after the signup or sign-in page.
We are not able to call an external API after the user is successfully created or logs in with the existing Userflow.
This is pretty "easily" achievable using the Custom (Trust Framework) Policies.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-trust-frameworks
There's also a nice example of using a REST API within
https://github.com/azure-ad-b2c/samples/tree/master/policies/rest-api-idp
Note: The example here is using the REST call for authentication purposes, but it should outline how you use a REST Technical Profile to achieve the flow you are looking for.

Azure AD B2C Validate Claim value inside custom policy

Is there a way in B2C Custom Policies to validate claims by comparing them?
Let's say we need to validate the user's postal code to reset a password; can we do:
insertedPostalCode == actualPostalCode ( compare two claims ).
Of course, this is after reading the user from B2C using a email, or some other signin name.
You can absolutely do this.
I'm going to assume you're using B2C custom policies.
Use a claims transformation, either the AssertStringClaimsAreEqual or the CompareClaims, in a technical profile that can be added as a validation step in the self-asserted page you are using to collect this postal code from the user.
Here are the Microsoft docs that should point you in the right direction.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/string-transformations#assertstringclaimsareequal
https://learn.microsoft.com/en-us/azure/active-directory-b2c/string-transformations#compareclaims
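A worked fragment for the answer above, added here and not taken from the thread: the postal code the user types is compared with the postalCode stored on the account using AssertStringClaimsAreEqual, run as a validation technical profile immediately after the directory read on the same page. insertedPostalCode, SelfAsserted-PostalCodeCheck, AssertPostalCode and AssertPostalCodeMatches are assumed names; AAD-UserReadUsingEmailAddress is the starter-pack profile, extended here to return postalCode, which is already in the base claims schema.

```xml
<!-- TrustFrameworkExtensions.xml. Assumed names: insertedPostalCode, SelfAsserted-PostalCodeCheck,
     AssertPostalCode, AssertPostalCodeMatches. -->
<ClaimType Id="insertedPostalCode">
  <DisplayName>Postal code on file</DisplayName>
  <DataType>string</DataType>
  <UserInputType>TextBox</UserInputType>
</ClaimType>

<ClaimsTransformations>
  <!-- Throws unless both strings are equal; the message comes from the calling technical profile. -->
  <ClaimsTransformation Id="AssertPostalCodeMatches" TransformationMethod="AssertStringClaimsAreEqual">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="insertedPostalCode" TransformationClaimType="inputClaim1" />
      <InputClaim ClaimTypeReferenceId="postalCode" TransformationClaimType="inputClaim2" />
    </InputClaims>
    <InputParameters>
      <InputParameter Id="stringComparison" DataType="string" Value="ordinalIgnoreCase" />
    </InputParameters>
  </ClaimsTransformation>
</ClaimsTransformations>

<TechnicalProfiles>
  <!-- Return the stored postal code together with the user. -->
  <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="postalCode" />
    </OutputClaims>
  </TechnicalProfile>

  <!-- Validation profile that only runs the assertion; its message is shown on the page. -->
  <TechnicalProfile Id="AssertPostalCode">
    <DisplayName>Check postal code</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">The details you entered do not match our records.</Item>
    </Metadata>
    <OutputClaimsTransformations>
      <OutputClaimsTransformation ReferenceId="AssertPostalCodeMatches" />
    </OutputClaimsTransformations>
  </TechnicalProfile>

  <!-- The page: email plus postal code. The read runs first so postalCode exists, then the assertion. -->
  <TechnicalProfile Id="SelfAsserted-PostalCodeCheck">
    <DisplayName>Verify your details</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
    </Metadata>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="email" Required="true" />
      <OutputClaim ClaimTypeReferenceId="insertedPostalCode" Required="true" />
      <OutputClaim ClaimTypeReferenceId="objectId" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
      <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
      <ValidationTechnicalProfile ReferenceId="AssertPostalCode" />
    </ValidationTechnicalProfiles>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  </TechnicalProfile>
</TechnicalProfiles>
```

Two caveats before using this as a reset factor. The starter-pack AAD-UserReadUsingEmailAddress raises its own "account could not be found" message when the email is unknown, which tells an attacker which addresses have accounts; override UserMessageIfClaimsPrincipalDoesNotExist with the same generic text used above so both failures look alike. And a postal code is a low-entropy, often public value: keep the email verification step of the reset journey in front of it and treat the postal-code match as an additional check, not a replacement.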

Is it possible, on B2C, to set up dynamic error messages depending on the log in behavior?

The cx needs to set up a dynamic response in the sign-in policy, B2C, so that depending on the scenario a custom message is displayed / triggered. Specifically:
I need to create new IDs with new message. Is it possible? Thanks.
ID | Default message | Localized / customized message
UserMessageIfInvalidPassword | Your password is incorrect
UserMessageCustomID1 | Your trial has expired
UserMessageCustomID2 | No license available. Please contact support#...
This is what the cx is trying, and has done already:
This actually is a piece of code in the REST API (in PHP). I defined the following ClaimsProvider, which references that PHP file, and then included it in the TrustFrameworkExtensions.xml file. I hope this information helps. Thank you.
So, it loops back to my question, I don't know how to display a custom error message either from a REST API call or with a predefined ID (e.g., a self-defined ID UserMessageNoEnoughLicense just like a predefined ID UserMessageIfInvalidPassword).
I'm referring to this document https://learn.microsoft.com/en-us/azure/active-directory-b2c/localization-string-ids.
You can make use of your RESTful API in your SISU policy/flow. Design the integration with the RESTful services in the following ways:
Validation technical profile: The call to the RESTful service happens within a validation technical profile of the specified self-asserted technical profile, or a verification display control of a display control. The validation technical profile validates the user-provided data before the user journey moves forward. With the validation technical profile, you can:
Send claims to your REST API.
Validate claims, and throw custom error messages that are displayed to the user.
Send back claims from the REST API to subsequent orchestration steps.
Claims exchange: A direct claims exchange can be configured by calling a REST API technical profile directly from an orchestration step of a user journey. This definition is limited to:
Send claims to your REST API.
Validate claims, and throw custom error messages that are returned to the application.
Send back claims from the REST API to subsequent orchestration steps.
You can add a REST API call at any step in the user journey defined by a custom policy. For example, you can call a REST API:
During sign-in, just before Azure AD B2C validates the credentials.
Immediately after sign-in.
Before Azure AD B2C creates a new account in the directory.
After Azure AD B2C creates a new account in the directory.
Before Azure AD B2C issues an access token.
Then, use the error message response from the API to override the message IDs mentioned here.
RESTful error messages can be found here.
You can visit this link for more information on how to implement it: https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-intro#sending-data
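Putting this answer together with the sign-up/sign-in status-check question earlier on this page, as an added example that is not code from either thread: one REST technical profile runs as a validation profile before the account is written at sign-up and after the password is verified at sign-in, a second one copies the collected fields to an external store once the directory write has succeeded, and a rejection is expressed by the API returning HTTP 409 with the documented JSON error body, whose userMessage B2C displays on the page as-is. That is why no new UserMessageCustomID localization string is needed: the text comes from the API per call. REST-CheckStatus, REST-StoreProfile, the licenseTier claim, the URLs, the key container name and the messages are assumptions of this example; the other profile names are from the SocialAndLocalAccounts starter pack.

```xml
<!-- TrustFrameworkExtensions.xml. Assumed for this example: REST-CheckStatus, REST-StoreProfile,
     licenseTier, the URLs, B2C_1A_StatusApiCert and the message texts.
     Rejecting response from the API (the documented REST contract; constructed values):
       HTTP 409  {"version": "1.0.0", "status": 409, "userMessage": "No license available. Please contact support."}
     userMessage is shown to the user verbatim. A 200 with a JSON object of claims lets the step continue. -->
<ClaimType Id="licenseTier">
  <DisplayName>License tier</DisplayName>
  <DataType>string</DataType>
</ClaimType>

<ClaimsProvider>
  <DisplayName>External status checks</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-CheckStatus">
      <DisplayName>Check account status</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://api.contoso.example/b2c/check-status</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AuthenticationType">ClientCertificate</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
        <!-- Shown when the API is down or answers with an unexpected status: the step fails closed. -->
        <Item Key="DefaultUserMessageIfRequestFailed">We could not check your account right now. Please try again later.</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_StatusApiCert" />
      </CryptographicKeys>
      <InputClaims>
        <!-- Only the claims present in the bag are sent: email at sign-up, signInName and objectId at sign-in. -->
        <InputClaim ClaimTypeReferenceId="email" />
        <InputClaim ClaimTypeReferenceId="signInName" />
        <InputClaim ClaimTypeReferenceId="objectId" />
      </InputClaims>
      <OutputClaims>
        <!-- Anything the API returns can be carried to later steps or into the token. -->
        <OutputClaim ClaimTypeReferenceId="licenseTier" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>

    <!-- Called after the directory write so the external database gets the custom fields too. -->
    <TechnicalProfile Id="REST-StoreProfile">
      <DisplayName>Store profile copy</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://api.contoso.example/b2c/store-profile</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AuthenticationType">ClientCertificate</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_StatusApiCert" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" />
        <InputClaim ClaimTypeReferenceId="email" />
        <InputClaim ClaimTypeReferenceId="displayName" />
      </InputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>

    <!-- Sign-up: validation profiles run in the order listed. The status check gates the
         account write; the copy to the external store happens only after the write succeeded. -->
    <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="REST-CheckStatus" />
        <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
        <ValidationTechnicalProfile ReferenceId="REST-StoreProfile" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>

    <!-- Sign-in: check the status only after the password was verified, so the API is not an
         unauthenticated oracle for which emails hold a license. -->
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="licenseTier" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
        <ValidationTechnicalProfile ReferenceId="REST-CheckStatus" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Because the base policy already lists AAD-UserWriteUsingLogonEmail and login-NonInteractive as validation profiles, confirm the merged execution order once with Application Insights journey recording before relying on it. On the API side, accept only calls carrying the B2C client certificate, and never echo user-supplied input into userMessage: B2C renders that string in the page, so it is the one place where API output reaches the user's browser directly.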
