Custom Policies in Azure AD B2C - problems with Claims Provider guide

I am trying to implement the following scenario: Azure AD B2C with Azure AD as one of the identity providers. The only way to achieve it is with custom policies. I followed these tutorials:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom#prerequisites
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom#create-an-azure-ad-b2c-application
The problem is that when I try to upload TrustFrameworkExtensions.xml I get the message that my tenant
makes a reference to ClaimType with id "issuerUserId" but neither the
policy nor any of its base policies contain such an element.
I found a similar issue here
https://github.com/MicrosoftDocs/azure-docs/issues/27602
and replaced issuerUserId with socialIdpUserId. That seemed to solve it, but during upload another issue came up:
makes a reference to ClaimsTransformation with id
"CreateRandomUPNUserName" but neither the policy nor any of its base
policies contain such an element.
I got the claims provider configuration from the tutorial and now I don't really have any idea how to fix it.
Thanks in advance for any help.
EDIT
Based on Chris's solution I made those files correct (no errors during upload),
but there are still some problems with parsing the returned token. Has anyone got the example from the second link up and running (Azure AD B2C with many Azure AD tenants injected via a multitenant Azure AD)?
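Both upload errors quoted in this question are unresolved references: the extensions file points at a ClaimType id and a ClaimsTransformation id that neither it nor its base policy defines. The following is an added example, not from the original post and not Microsoft's starter pack, that walks a policy chain and lists such dangling references before upload. The two trimmed policy documents embedded in it are constructed samples in the shape of TrustFrameworkBase and TrustFrameworkExtensions; the tenant name contoso.onmicrosoft.com and the technical profile id Common-AAD are placeholders.

```python
"""Find ClaimType / ClaimsTransformation references that no policy in a
B2C custom-policy chain defines: the cause of the upload error
"makes a reference to ... but neither the policy nor any of its base
policies contain such an element"."""
import xml.etree.ElementTree as ET

CPIM = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"

# (element, attribute) pairs through which a policy references a ClaimType ...
CLAIM_REFS = [("InputClaim", "ClaimTypeReferenceId"),
              ("OutputClaim", "ClaimTypeReferenceId"),
              ("PersistedClaim", "ClaimTypeReferenceId"),
              ("DisplayClaim", "ClaimTypeReferenceId")]
# ... and a ClaimsTransformation
XFORM_REFS = [("InputClaimsTransformation", "ReferenceId"),
              ("OutputClaimsTransformation", "ReferenceId")]


def _tag(name):
    return f"{{{CPIM}}}{name}"


def defined_ids(root, element):
    """Ids declared by <element Id="..."> anywhere in one policy document."""
    return {e.get("Id") for e in root.iter(_tag(element)) if e.get("Id")}


def referenced_ids(root, refs):
    """Ids referenced through any of the (element, attribute) pairs in refs."""
    return {e.get(attr) for tag, attr in refs
            for e in root.iter(_tag(tag)) if e.get(attr)}


def unresolved_references(policies_xml):
    """policies_xml: the documents of one chain, base first (TrustFrameworkBase,
    TrustFrameworkExtensions, relying party). Returns a set of (kind, id) that
    some document references but no document in the chain defines."""
    roots = [ET.fromstring(doc) for doc in policies_xml]
    claim_types = set().union(*(defined_ids(r, "ClaimType") for r in roots))
    transformations = set().union(*(defined_ids(r, "ClaimsTransformation") for r in roots))
    missing = set()
    for root in roots:
        missing |= {("ClaimType", i)
                    for i in referenced_ids(root, CLAIM_REFS) - claim_types}
        missing |= {("ClaimsTransformation", i)
                    for i in referenced_ids(root, XFORM_REFS) - transformations}
    return missing


# Constructed, trimmed samples in the shape of the starter-pack files (placeholders).
BASE = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkBase">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="socialIdpUserId"><DisplayName>Username</DisplayName><DataType>string</DataType></ClaimType>
      <ClaimType Id="identityProvider"><DisplayName>Identity Provider</DisplayName><DataType>string</DataType></ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>
</TrustFrameworkPolicy>"""

EXTENSIONS = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkExtensions">
  <BasePolicy><TenantId>contoso.onmicrosoft.com</TenantId><PolicyId>B2C_1A_TrustFrameworkBase</PolicyId></BasePolicy>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="Common-AAD">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
      </OutputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""


def check_sample():
    """Both ids from the upload errors quoted above come back as unresolved."""
    return unresolved_references([BASE, EXTENSIONS])


if __name__ == "__main__":
    for kind, ref in sorted(check_sample()):
        print(f"unresolved {kind}: {ref}")
```

Run it over the real TrustFrameworkBase.xml, TrustFrameworkExtensions.xml and relying-party files (read from disk, base first) and every id it reports is one that B2C will reject at upload; the fix is either to rename the reference to an id the base already defines, as was done for socialIdpUserId, or to add the missing ClaimType or ClaimsTransformation definition to the extensions file.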


How to fetch authentication methods or MFA phone number of Azure AD B2C users using MS Graph API

We are working on a use case in the Azure AD B2C space, where we need to access the user's MFA phone number (as shown in the image below) entered while registering through the sign-up user flow or policy.
We tried exploring the Graph endpoint https://learn.microsoft.com/en-us/graph/api/phoneauthenticationmethod-get?view=graph-rest-1.0&tabs=http#http-request to read this information; however, we noticed that it doesn't work well, and the documentation also confirms that it should not be used for Azure AD B2C.
We attempted to raise a support case with Microsoft and were told that it is by design and currently there is nothing the support team could do in this regard.
We also came across a few similar posts that go back several years, such as Azure AD B2C, get MFA verified phone number programmatically, and surprisingly, many years later, the issue still exists and remains unsolved.
Out of curiosity, we found that even the Azure AD B2C portal makes use of the legacy graph.windows.net API to fetch and display this information on the user interface!
We would appreciate it if anyone is aware of a potential workaround for this.
Many thanks in advance!
I tried to reproduce the same in my environment and got the results below:
I created an Azure AD B2C user and enabled MFA:
Now, I added an authentication method for the B2C user like below:
To fetch the authentication methods or MFA phone number of an Azure AD B2C user using MS Graph API, use the query below:
GET https://graph.microsoft.com/v1.0/users/ObjectID/authentication/methods

Mendix and Azure AD B2C: AuthRequest does not have assertion consumer service URL

I am trying to get Azure AD B2C working with Mendix.
We have it working with normal Azure AD; that is quite easy because everything is done in a GUI.
For Azure AD B2C this is done in XML, so it is a bit harder.
I have followed the following tutorials and this all works.
https://learn.microsoft.com/nl-nl/azure/active-directory-b2c/custom-policy-get-started
https://learn.microsoft.com/nl-nl/azure/active-directory-b2c/connect-with-saml-service-providers
If I now try to get it working with Mendix I get the following error:
Application registered corresponding to IssuerUri "https://xxxx.mendixcloud.com" in AuthRequest does not have assertion consumer service URL "https://xxx.mendixcloud.com/SSO/assertion" specified in its metadata.
In the SAMLApp1 manifest I put the Mendix metadata URL. That is the only thing I need to change, as far as I can find.
Can someone help?
In the SAMLApp1 manifest you must change the identifierURI to https://xxxx.mendixcloud.com (the issuer in the SAML request from Mendix).
The metadata at 'https://xxx.mendixcloud.com/SSO/assertion' must have an ACS URL in it.

Using Salesforce as Service Provider for SAML With Azure B2C as Identity Provider, how can I identify what is not configured correctly?

I have spent the past few days following this guide to set up Azure B2C as an IdP in a SAML authentication flow - https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
It was very helpful in getting me familiar with custom policies, and I was able to get it working with the Microsoft sample app as the service provider, but now I am struggling to figure out how to adapt what works with the sample app to the real service providers I am attempting.
Specifically, I would like to first set up Salesforce as our service provider, but I am running into a wall that I am finding difficult to troubleshoot.
So far, I have created a single sign-on setting in Salesforce and loaded it with the information from the metadata provided by the Azure custom policy, and updated the manifest for our SAML application so that identifierUris points to the entity ID provided by the Single Sign-On setting in Salesforce. The loaded data should be using the same custom policy that I was using to log in with the sample application, and I have added the appropriate auth option to the Salesforce login page.
Now when I attempt to log in through the SSO button on my Salesforce login page that ties to this setting, I am met with an error that I am unable to log in with SSO, before I am even able to enter any credentials or shown a login screen.
Given the somewhat vague nature of the error and the lack of logging or other tools to troubleshoot, I am unsure what I might still be missing to get this working correctly, or where I can even find this information. I suspect one thing I might still need is to point the SAML app in B2C at a metadata URL from Salesforce, but I have been unable to track down where I might find the metadata that Salesforce expects to provide. It seems likely to me that the problem is on the Azure side, since I never get to the point where I can enter my credentials for Salesforce to reject the SAML response, and since the single sign-on settings were loaded directly from the custom policy metadata XML, but I can't say for sure either way, which is part of why I am not sure what to try next.
We have also looked into setting it up as OpenID Connect SSO, but would prefer to get SAML working if possible, as we are also planning to connect our Azure AD B2C with several other applications that will require SAML.
Curious if anyone else has run into similar issues and was able to resolve them, or if there are any ways to troubleshoot this that I might be overlooking.
Update
Using the SAML tool recommended, I was able to find that the error I was hitting is as follows:
Application registered corresponding to IssuerUri "--EntityID--" in AuthRequest does not have assertion consumer service URL "--EntityId--" specified in its metadata.
According to a forum post on the SF help forums, the login URL of the Single Sign-On Settings created in Salesforce should be the URL to use. However, when I attempted to add this URL to the replyUrlsWithType attribute in the manifest of the Azure app, I got an error on saving that a property has an invalid value.
Today I integrated Salesforce as a service provider against B2C as the IdP. I did not try creating the app registration; instead I downloaded the Salesforce metadata and used it inside my B2C policy as in the code below.
Basically it is the same, but instead of saving the Salesforce metadata (login/logout URIs) by registering a new application in B2C, I saved it in an XML file and pointed my B2C policy to that metadata.
<Metadata>
  <Item Key="PartnerEntity">{Settings:B2C_SAML_PARTNER_ENTITY_SFE}</Item>
</Metadata>
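Both the Mendix question above and this Salesforce thread hit the same rejection: the Issuer in the AuthnRequest must match the identifierUri (or the PartnerEntity metadata's entityID) of a registered SAML application, and the AssertionConsumerServiceURL in the request must be one of the AssertionConsumerService locations declared in that application's SP metadata. The following is an added example, not from either thread, that reproduces those two checks offline against an SP metadata document and an AuthnRequest so the mismatch can be located before reading B2C's error text. The entity ID https://sp.example.test, its ACS URL, the request ID and the timestamp are constructed placeholders.

```python
"""Offline reproduction of what B2C checks before it rejects a request with
"Application registered corresponding to IssuerUri ... does not have assertion
consumer service URL ... specified in its metadata": the request's Issuer must
match a registered SP, and the request's AssertionConsumerServiceURL must be
one of the AssertionConsumerService locations in that SP's metadata."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def sp_metadata_facts(metadata_xml):
    """(entityID, {ACS Location, ...}) from an SP EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    acs = {e.get("Location") for e in root.iter(f"{{{MD}}}AssertionConsumerService")}
    return root.get("entityID"), acs


def authn_request_facts(request_xml):
    """(Issuer, AssertionConsumerServiceURL or None) from a samlp:AuthnRequest."""
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"expected samlp:AuthnRequest, got {root.tag}")
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    return issuer, root.get("AssertionConsumerServiceURL")


def check_authn_request(request_xml, sp_metadata_by_issuer):
    """sp_metadata_by_issuer maps each registered issuer (the app's identifierUri,
    or the PartnerEntity metadata's entityID) to its SP metadata XML.
    Returns a list of problems; an empty list means the request would pass."""
    issuer, acs_url = authn_request_facts(request_xml)
    if issuer not in sp_metadata_by_issuer:
        return [f"no SP registered for Issuer {issuer!r}"]
    entity_id, acs_urls = sp_metadata_facts(sp_metadata_by_issuer[issuer])
    problems = []
    if entity_id != issuer:
        problems.append(f"metadata entityID {entity_id!r} != Issuer {issuer!r}")
    if not acs_urls:
        problems.append("metadata declares no AssertionConsumerService")
    elif acs_url is not None and acs_url not in acs_urls:
        problems.append(f"AssertionConsumerServiceURL {acs_url!r} not in metadata ACS list {sorted(acs_urls)}")
    return problems


# Constructed sample SP metadata and requests (placeholder SP, not a real tenant).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/SSO/assertion"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _request(acs_url):
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="{acs_url}">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
</samlp:AuthnRequest>"""


REGISTERED = {"https://sp.example.test": SP_METADATA}


def demo_ok():
    return check_authn_request(_request("https://sp.example.test/SSO/assertion"), REGISTERED)


def demo_acs_is_entity_id():
    # The symptom from the update above: the request carries the entity ID where the ACS URL belongs.
    return check_authn_request(_request("https://sp.example.test"), REGISTERED)


if __name__ == "__main__":
    print("valid request:", demo_ok())
    print("entity ID as ACS:", demo_acs_is_entity_id())
```

Feed it the real SP metadata (downloaded from Salesforce or Mendix) and the decoded AuthnRequest captured with a SAML tracer, and it names the value that is wrong rather than only reporting a failure; when the SP's metadata is supplied through PartnerEntity instead of an app registration, the key of the dictionary is simply that metadata's entityID.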

Can't Log In With Client Id / Secret Azure AD B2C

I am attempting to use Microsoft Graph API to manage Azure AD B2C users from an application, but I have been unable to authenticate using my client id / secret.
First, I followed the steps here to register an application:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
At the end of that article, I was directed here to learn how to get an access token: https://learn.microsoft.com/en-us/graph/auth-v2-service#4-get-an-access-token
They suggest using the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, but when I use my tenant in that URL, I get the error "Tenant 'mytenant' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator."
Makes sense; that's not the kind of URL I've been using anyway. But what the heck endpoint should I use? So I tried a few.
There are some endpoint suggestions in my application overview, in the format of
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/policy-name/oauth2/v2.0/token
But what is the policy name? There was nothing in the instructions about setting up a policy.
I have some user flows that might be what they're talking about, so I tried a few, like
if I use https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/token,
I get "The supplied grant_type [client_credentials] is not supported."
There are also endpoints suggested in my workflows, in the format
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in
This gives the same client_credentials error.
I also tried with a b2c_1_ropc user flow instead of b2c_1_sign_in, with similar results.
What am I doing wrong? Are the instructions incomplete? Have I not guessed the appropriate endpoint?
All of your assumed suggestions are incorrect.
The doc says to use the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, this is wholly correct.
If your B2C tenant has tenant name contoso.onmicrosoft.com, or contoso.b2clogin.com, then endpoint is https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token
In my case, my B2C tenant name (see under Tenant Properties in Azure) was Company Customers, so all my user flow endpoints were showing as:
https://Company Customers.b2clogin.com/mytenantdev.onmicrosoft.com/...
I had to update the tenant name, removing the space, and then re-create my application registration, and things started working. I didn't have to redo the user flows, however.
So the final endpoints looked something like this: https://mytenant.b2clogin.com/mytenantdev.onmicrosoft.com/<policy-name>...
I should also note that I had to log out of Azure and back in to get the tenant name to start appearing correctly in the console.
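Putting the endpoint from this answer together with the GET /users/{id}/authentication/methods query from the MFA phone-number answer earlier on this page, the following is an added example (not from either answer): an app-only client-credentials token is requested from login.microsoftonline.com/<tenant>.onmicrosoft.com rather than from a b2clogin.com user-flow endpoint, then the authentication-methods collection is read with @odata.nextLink paging and the phone methods are picked out. The HTTP transport is injectable so the block runs offline against a constructed fake Graph; the tenant name contoso.onmicrosoft.com, the client id and secret, the user object id and all response bodies are placeholders. It assumes the app registration has been granted the UserAuthenticationMethod.Read.All application permission with admin consent.

```python
"""App-only Microsoft Graph call against an Azure AD B2C tenant.

The token comes from login.microsoftonline.com/<tenant>.onmicrosoft.com; the
b2clogin.com user-flow endpoints reject grant_type=client_credentials, which is
the error quoted in the question above."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
PHONE_TYPE = "#microsoft.graph.phoneAuthenticationMethod"


def token_request(tenant, client_id, client_secret):
    """URL and form body of the client-credentials request. `tenant` is the
    tenant's initial domain (e.g. contoso.onmicrosoft.com); no policy name is
    involved because no user signs in."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default = every application permission consented on the registration
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


def http_json(url, headers=None, form=None):
    """Minimal transport: form-encoded POST when `form` is given, else GET; returns parsed JSON."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_app_token(tenant, client_id, client_secret, http=http_json):
    url, form = token_request(tenant, client_id, client_secret)
    body = http(url, form=form)
    if "access_token" not in body:
        raise RuntimeError(f"token request failed: {body.get('error_description', body)}")
    return body["access_token"]


def list_auth_methods(user_id, token, http=http_json):
    """GET /users/{id}/authentication/methods, following @odata.nextLink until exhausted."""
    headers = {"Authorization": f"Bearer {token}"}
    url = f"{GRAPH}/users/{urllib.parse.quote(user_id, safe='')}/authentication/methods"
    methods = []
    while url:
        page = http(url, headers=headers)
        if "error" in page:
            raise RuntimeError(f"Graph error: {page['error']}")
        methods.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return methods


def phone_methods(methods):
    """Only the phone methods, as (phoneType, phoneNumber, smsSignInState); empty if none."""
    return [(m.get("phoneType"), m.get("phoneNumber"), m.get("smsSignInState"))
            for m in methods if m.get("@odata.type") == PHONE_TYPE]


def fake_graph(url, headers=None, form=None):
    """Stand-in transport returning constructed responses (placeholder data, not Graph output)."""
    if url.endswith("/oauth2/v2.0/token"):
        if form.get("grant_type") != "client_credentials":
            return {"error": "unsupported_grant_type"}
        return {"token_type": "Bearer", "expires_in": 3599, "access_token": "fake-app-token"}
    if (headers or {}).get("Authorization") != "Bearer fake-app-token":
        return {"error": {"code": "InvalidAuthenticationToken"}}
    if "$skiptoken" not in url:  # first page: a password method plus a nextLink
        return {"value": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-1"}],
                "@odata.nextLink": url + "?$skiptoken=page2"}
    return {"value": [{"@odata.type": PHONE_TYPE, "id": "ph-1", "phoneNumber": "+1 5555550100",
                       "phoneType": "mobile", "smsSignInState": "notEnabled"}]}


def demo():
    """End to end against the fake transport; swap http=http_json for a real tenant."""
    token = get_app_token("contoso.onmicrosoft.com", "client-id", "client-secret", http=fake_graph)
    return phone_methods(list_auth_methods("user-object-id", token, http=fake_graph))


if __name__ == "__main__":
    print(demo())
```

Against a real tenant, pass the tenant's initial domain, the client id and secret of the app registration created per the Graph getting-started article, and the user's object id; an empty list from phone_methods means the collection came back without a phone method, which is the situation the earlier question describes, rather than an error.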

Azure B2C login problems

I need to implement B2C login in a web application. I'm very new to B2C. Will the B2C token contain the user information? Can I put all the data that I need in the claims?
I must extend it with data from our DB; is that possible, too?
What specific issue are you running into? I can better diagnose your problem if you give me a bit more information.
If you follow the official Microsoft guide for ASP.NET web applications using B2C, you can easily achieve B2C login. The guide comes with an accompanying GitHub sample that you can clone to achieve what you are looking for. You can also check out the B2C token reference page to see the contents of each type of token in B2C. You can use ID tokens to identify users in your app.
As for your second question, you can migrate data from your local database to Azure AD B2C, but you just cannot use Azure SQL. See this migration guide to learn how to do this using the Azure AD Graph API.
