We have a scenario where a logged-in user (SFA, authentication has been done by Azure policies) needs to do some high-value transactions.
To allow this, we need to throw an additional authentication challenge. (MFA)
If the user access was successful we need to enrich the token somehow to read in on the client-side.
Tried to use scopes for this scenario but as they set per application couldn't make it happen, any thoughts on how it can be implemented in Azure b2c?
Thanks
The usual approach is for the application to look at the "acr" claim. This claim tells the app which B2C Auth policy the user has last arrived with. Therefore, in your app implement this logic:
User clicks high risk item
App checks current token "acr" claim
If acr != "B2C_1_MFA", then redirect the user to authenticate via a sign in/up policy that has MFA enabled
You need to create a sign in/up policy with MFA enabled and the above logic to get this to work. The App only needs to know about the policy name to know if the authentication challenges have been satisfied.
If the user has already logged in when this B2C policy is executed, the built in Single Sign On will skip the user having to enter their credentials again, and instead will just need to complete the MFA step.
Related
In my custom policy I used the example here: https://github.com/azure-ad-b2c/samples/tree/master/policies/totp
I have TOTP working, but I want to make sure I will be able to reset it if a user doesn't have access to their authenticator app anymore.
NOTE: This is NOT using Azure B2C's built-in flows where you can enable TOTP in the settings.
This seems like an Admin controlled operation. In which case
List the softwareOathMethods for the user, here.
Delete the softwareOathMethod for the user, here.
The B2C policy will then ask the user to re-enrol an authenticator device on next sign-in.
About the sample "https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation".
Someone who has already used it, can you comment on how you handled the authentication logs? I noticed in the B2C Logs both the user who is "Impersonated" and the user who is "Impersonator", I did not find any records that indicate that there was an "impersonation" process.
The Token generated in this process is for the "Impersonator" user, and has information about him, is it possible to bring information about the "Impersonated" user?
There will be nothing official in the logs generated by AAD B2C for this impersonation, and AAD B2C does not know the context of your AAD B2C policy. It can only understand that a token is issued for a particular user, not a custom process that allowed it.
What you can do is use App Insights to inject your own custom events to create logs.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/analytics-with-application-insights?pivots=b2c-custom-policy
I'm designing a single-page app (SPA) and API that will support multiple tenants, including in the same client browser. Imagine an experience similar to the Azure Portal, where users can switch between identities that they have signed into Azure AD with, except that in this case I'm using Azure AD B2C. All sign-ins happen via a single Azure AD B2C instance. Importantly, the tenants do not necessarily have to be aware of each other since they are white-labeled -- the user might be redirected to https://multitenant.app/tenantA and sign in via B2C, and have a totally different experience when directed to https://multitenant.app/tenantB and signing in via B2C there. The two tenants do not need to share data between themselves on the client.
How might I go about:
1) designing the client so that requests to https://multitenant.app/tenantX are directed to Azure AD B2C in a way that enables sign-in using the rules for tenantX, and
2) designing the client so that the MSAL.js library correctly provides a token store containing tokens specific to tenantX when the user has navigated to https://multitenant.app/tenantX in the browser?
Currently I'm expecting to need to intercept requests to the backend API on the client, determine if a redirect to B2C is necessary first in order to sign in to the tenant that the request is for, and attach the appropriate access token for that tenant to the API request. (All this is assuming that I use the Implicit Flow so that I have the access & refresh tokens available on the client.)
Does this make sense? Is there a better way? I've debated using session cookies issued by the server so that the browser handles the "intercept-requests-and-attach-credentials" aspect of this, so maybe that's an option that would avoid the need to maintain all these tokens on the client?
And how does this work when the client signs into B2C? Can I tweak/disable the B2C SSO capabilities sufficiently so that a single user agent (browser) can still obtain multiple different tokens (for different identities)?
The approach needs to be a bit different. This is how Microsoft do it with their "tenant picker" in the Azure Portal.
We hold a mapping of in which tenants your account lives in
We then list the tenants in a tenant picker UI in the app
When you switch tenants, we do an SSO authentication to the new resource (ie the selected tenant) to get a token to it
We use the new token to evaluate your rights in this tenants subscription
To translate this in AAD B2C you can:
Hold a mapping of identifier to 'tenant'
On authentication, call your API to get a list of tenants. Use this sample to list the tenants in the authentication flow
The user selects the tenant, or maybe you do it like Microsoft and have a default preference, in which case the step above is skipped using a B2C precondition. This way the user only goes through selecting a tenant in the auth flow once. Afterwards they use an in-app tenant picker (read on...)
The token issued to the user has the tenant inside it as a claim, this will then be used to do authorization when this token arrives are your API.
In the SPA, now render a tenant picker, use the same API as used in step 2 essentially
The user can select a new tenant in the SPA, use id_token_hint (example) to seed a new B2C user journey with the selected tenant. The user will get SSO through this journey and get a new token with the new tenant inside it as a claim.
I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, sign out of them all.
Likewise if their account is deleted.
I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.
Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?
Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.
According the description on Azure Document:
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in
You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.
Any further concern, please feel free to let me know.
I might be late. But if that helps. A.c to docs
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
This is called single sign out .
Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out
Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.
microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens
Request
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions
Response
HTTP/1.1 204 No Content
We have an application that supports seamless login with our Azure AD tenant account via OpenID Connect implicit flow. If user is authorized to access the app providing Azure AD issued evidence - access will be granted automatically, otherwise we show regular application login screen.
Every time when user authentication is required we redirect the user to the Azure AD login page (https://login.microsoftonline.com/xyz) specifying prompt=none.
Respecting the ODIC specification such flag should have the following effect.
The Authorization Server MUST NOT display any authentication or
consent user interface pages. An error is returned if an End-User is
not already authenticated or the Client does not have pre-configured
consent for the requested Claims or does not fulfill other conditions
for processing the request. The error code will typically be
login_required, interaction_required. This can be used as a method to
check for existing authentication and/or consent.
It generally works as expected, however, there is a case where Azure AD login page will show an error screen to the End User and it happens when User logged into another Azure AD tenant.
User account '...' from identity provider
'https://sts.windows.net/.../' does
not exist in tenant '...' and cannot access the
application '...' in that tenant. The
account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory
user account.
The questions are:
Does not it violate the ODIC specification?
How to properly handle such cases in seamless for users fashion? (app is not in charge of what is going on after redirect to Azure AD).
Though I also agree that this is a violation of the spec, can I offer a workaround?
I believe you can try specifying domain_hint or login_hint parameter as well to help the system determine valid session. Hope it would give you the right answer regardless of which session user is signed in at the moment.
Yes, this is a violation of the OIDC spec. We have created a bug.
If the error is only occurring because the STS is selecting the wrong session, you could use login_hint or domain_hint to help the STS select the right session.
Yes, that is in violation of the spec and defeats the purpose of prompt=none since the the application can't keep control of the user experience anymore. #vibronet may be able to set the record straight on MS side.