What methods are exposed on the 'User is new' flag in ADB2C? - azure-ad-b2c

I am using Azure ADB2C in my Xamarin app to provide authentication to my app. One of the 'claims' that ADB2C returns to the app is a 'User is new' bool value which can be used to direct the user journey within the app.
This could be quite useful. However the flag's [true] status persists longer than it is welcome. I would expect that a user 'is new' when they [create an account, login, do some stuff], and after that they are no longer 'new'. The flag seems to change to [false] after an unspecified amount of time.
I cannot find any documentation on how long the 'new' status lasts, or how to push a change.

The 'user is new' flag will be true the first time authentication happens. If a token is issued a second time, the new-user flag will be set to false. You can check from network traces: when this value becomes false, was a new token issued?

Related

ServiceNow Azure SSO integration

I have been trying to create an SSO from Azure to ServiceNow. However, I am stuck at this error.
User: 6pGO5pzp9boSuAj82Cj6bK8aBeet9HKUdhNfUzalsKI= not found Ensure that the user you are trying the test connection with is present in the system. Ensure that 'User Field' property value corresponds to the value set in the IDP returned through 'Subject NameID' in the response.
I have tried different ID Policies. All of them give the same error though. This is the one I am using:
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Can anyone help out a little?
I was getting this same error until I changed the NameID Policy to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
User Field (under Advanced): user_name
Type cache.do in filter navigator. Press enter.
Clear your browser cache.
Test connection.
See if that works and let me know.

Azure B2c how to prevent user to login till admin approve

I have created a custom claim "is approved" and set it to false when users sign up.
What I need to do is to prevent users from logging in based on this attribute and show an error message: "Your account is under review, please try again once the account is approved".
How can I accomplish this using a B2C custom policy?
Also, I tried setting "accountEnabled" to false, but on sign-up I always get an "account is locked" error message.
In the technical profile for sign-in, after calling login-NonInteractive, you can try reading the user using the object id, and so read the flag "is approved". If it's set to false, write a claims transformation technical profile to assert the "is approved" value and throw an error.
Claim Transformation - Boolean Assert
Use the claims transformation technical profile as a validation technical profile.
One way is to use the “Paragraph” user input type that gets triggered by a precondition.
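A concrete custom-policy fragment for the approach in the first answer above (read the user after login-NonInteractive, then assert the flag inside a validation technical profile). This is an added example, not code from the original post; it assumes the custom attribute is registered as extension_isApproved and uses the starter-pack technical profile names login-NonInteractive, AAD-UserReadUsingObjectId and SelfAsserted-LocalAccountSignin-Email.

```xml
<!-- 1. Claims transformation: fails unless extension_isApproved (assumed name) equals true. -->
<ClaimsTransformation Id="AssertAccountIsApproved" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_isApproved" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
  </InputParameters>
</ClaimsTransformation>

<!-- 2. Technical profile that runs the assertion. When it fails, the self-asserted sign-in page
        shows the message below and no token is issued. -->
<TechnicalProfile Id="AssertAccountIsApproved-TP">
  <DisplayName>Assert that the account has been approved</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Your account is under review. Please try again once the account is approved.</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_isApproved" />
  </InputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="AssertAccountIsApproved" />
  </OutputClaimsTransformations>
</TechnicalProfile>

<!-- 3. Order of validation in the local-account sign-in profile: authenticate the password,
        read the user by objectId (AAD-UserReadUsingObjectId must list extension_isApproved in
        its OutputClaims so the flag lands in the claims bag), then assert the flag. -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <!-- DisplayName, Protocol, Metadata, InputClaims and OutputClaims stay as in the starter pack -->
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
    <ValidationTechnicalProfile ReferenceId="AssertAccountIsApproved-TP" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
```

Because the assertion runs only after login-NonInteractive succeeds, an unapproved user still has to present the correct password before seeing the "under review" message, so the flag does not leak which accounts exist.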

Azure AD B2C: custom policy local account signin/signup fails

I try to build an invitation flow using custom policies.
My approach was to combine the invitation part of the WingTipGamesB2C policies with the custom policy starter pack.
The invitation seems to work fine; when using the invitation link and providing the user data (display name, password), the user is created in the Azure AD.
But I am not able to log in with this user; the sign-in dialog shows "Invalid username or password." (while with a wrong password "Your password is incorrect" is shown).
Using the built-in sign-in policy, the login works as expected.
b2crecorder shows the following log:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Using validation endpoint at: https://login.microsoftonline.com/foo.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(c693a69c-4a15-4ef5-b85d-a9a6a3f3298f) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
This looks like the same error as in this question, but should be a different problem, as the problem was the "forceChangePasswordNextLogin" flag in there, while the users that are created by the invitation should not have this flag.
I checked that the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps are correctly created and permissions are granted. They are also referenced as documented in the TrustFrameworkExtensions.xml.
How can I fix this? What can I do to further debug this problem? I used both Application Insights and the b2crecorder without getting enough information about the failure.
Additional information:
* The custom sign-up does not work either
* Signing up/in via a 3rd-party IdP (Google) works
I just found out what my problem was: in the login-NonInteractive technical profile, I replaced the strange-looking <Item Key="ProviderName">https://sts.windows.net/</Item> with some nice-looking name, assuming that it was just some irrelevant string (e.g. for the Google IdP, I could use <Item Key="ProviderName">Google</Item> ...).
Well, it seems to be important. After restoring the original ProviderName, sign-in works perfectly.
Just answering my own question here, as I hope this will save somebody else's time.

Azure AD B2C with custom policies: Unable to authenticate user with temporary password

I have configured Azure AD B2C with custom policies but I am unable to authenticate with a new user created in the Azure portal. The user has a temporary password. Azure AD B2C returns the error text "Invalid username or password", even though the username and password are correct.
I have confirmed that it is possible to log in with the new user and temporary password in Azure AD B2C using non-custom policies. After logging in, the user gets prompted to change their password.
The problem can be reproduced using the custom policies described in this guide:
Get started with custom policies.
Additional information:
I have configured the b2crecorder https://b2crecorder.azurewebsites.net/stream?id=<guid> in the UserJourneyRecorderEndpoint, which gives access to more information through https://b2crecorder.azurewebsites.net/trace_102.html?id=<guid>
The problem results in the following logging:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Using validation endpoint at: https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(d56987e9-be2e-46fc-a7a4-23e317f8f174) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
The most common reason for this is that Grant Permissions has not been executed.
On the "ProxyIdentityExperienceFramework application", after selecting the checkbox for Access IdentityExperienceFramework, clicking on Select and hitting Done, you must also complete the next step:
Select Grant Permissions, and then confirm by selecting Yes.
Edit:
Sorry, after reading your situation carefully: neither a "sign-up or sign-in policy" nor a "custom policy" supports the Azure Active Directory forceChangePasswordNextLogin flag. (forceChangePasswordNextLogin will only work with a "sign-up policy".) There is a feature request tracking this here.
Since this is the first SO article that pops up on this question, I'll add that another possibility to check when hitting this problem is to make sure the Proxy app type is Native, not Web.

How do I properly prevent multiple active sessions in ASP.NET Identity 2.2.1 without affecting password change behavior?

I have a requirement to eliminate multiple active sessions from being allowed on our site.
It is my understanding that to do this you can manipulate the validateInterval parameter of the OnValidateIdentity property of the CookieAuthenticationProvider as below (in Startup.Auth.cs, using Microsoft.Owin.Security.Cookies and Microsoft.AspNet.Identity.Owin):
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(0), // Changed from the default of 30 minutes
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });
I changed the default value from 30 minutes to 0 for testing and it works as anticipated. If I log in to a second browser the next action taken in the first browser redirects me to the login page.
I also allow users to change their password whenever they want (after login). With the validateInterval property at zero, the user is logged out immediately after submitting a password change. They then log back in with the new password and are able to use the site as normal.
If I change the validateInterval parameter value to say 10 seconds, the user is allowed to continue the current session after submitting a password change for 10 seconds and then is redirected to the login page.
Inside the ChangePassword action of the ManageController class the default code that runs after a successful password change is this:
    if (result.Succeeded)
    {
        var user = await UserManager.FindByIdAsync(User.Identity.GetUserId());
        if (user != null)
        {
            await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        }
        return RedirectToAction("Index", new { Message = ManageMessageId.ChangePasswordSuccess });
    }
I thought that the line SignInManager.SignInAsync would keep the user's session going even through a password change (from Logout User From all Browser When Password is changed), but it seems to be controlled additionally by the validateInterval parameter.
If I wanted to allow a user to change their password during an authenticated session without forcing them to log in again, could I do this with ASP.NET Identity and still control multiple active sessions? Is there a better way to control multiple active sessions without changing the validateInterval parameter (from Prevent multiple logins)?
Thank you for your help. To clarify, if this behavior is by design, I am fine with it. I just want to understand what is going on so I can defend the behavior to my boss if needed.
Edit:
I failed to mention that I also update the security stamp directly prior to the sign in via SignInManager in the Login action.
Doing what you're doing does not prevent multiple active sessions. I'm also assuming by "sessions" you're talking about multiple authentications by the same user account. Multiple active sessions, in the truest sense, are an entirely different discussion. That said, the cookie that's set to maintain the user's "authenticated" state is client-specific. If I log on from my desktop computer and from my mobile device, or even from both Chrome and Internet Explorer on the same computer, those are all different cookies, unaffected by other cookies that may have been set on other devices or browsers.
The only way you could truly prevent this is to somehow mark the user as "logged in" server-side (i.e. a column on your user table for example). Then, before authenticating them anywhere else (basically in your sign in post action), you would check their user account for this flag. If it's already set, then you would refuse to log them in again until they first log out on the original device/browser. Obviously, your log out action would have to then unset this flag, so they would be allowed to log in again elsewhere.