In azure b2c, I have a standard "Sign up v2" user flow with multiple providers including local accounts.
When I navigate to the signup page and click on "email address" (meaning signup with a new local account) it redirects me to the correct local signup page but the standard fields (email, password, etc) do not get added to the page. There are no errors in the javascript console or network access failures.
The setup in question has a custom "idp selection page", a custom "local account signup page" and javascript layout turned on in the user flow. Neither custom page has any javascript so nothing gets altered on the page (although I do need to add some). It works as expected when I turn javascript off, use a standard idp selection page or use a standard local account signup page.
The most interesting observation I have is in the fail case the url used when "email" is clicked is in the form:
https://<custom page domain name>/<tenant name>.onmicrosoft.com/B2C_1_signup/api/ClaimsProviderSelection/selected?accountId=SignUpWithLogonEmailExchange
In the cases that succeed the url is in the form:
https://<tenant name>.b2clogin.com/<tenant name>.onmicrosoft.com/B2C_1_signup/api/ClaimsProviderSelection/selected?accountId=SignUpWithLogonEmailExchange
The navigation that occurs when the user clicks on the "email" button seems outside the control of the configuration options; it seems to be completely internal.
To be clear, in the case where I have a custom idp selection page and a standard local signup page, and in the case where I have a standard idp selection page and a custom local signup page, the url is in the form
https://<tenant name>.b2clogin.com/<tenant name>.onmicrosoft.com/B2C_1_signup/api/ClaimsProviderSelection/selected?accountId=SignUpWithLogonEmailExchange
It's only when both are custom and javascript is on that it uses the custom page domain.
Any idea where I can look to fix or get more details on this?
Related
Is it possible to add a button to a screen on a custom policy, so that if a user clicks on it, they are redirected to the start of a different custom policy?
This is not possible directly through custom policy logic.
You need to add a link to your app using custom HTML, eg myapp.com/launchPolicy2, and put this link on your login page. When the user clicks this link, the user is sent to your app, and the app should start a new authentication flow using the new authority URL (which contains the new B2C policy Id).
Use this guide to add custom HTML:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
I've personalized a user flow to use an HTML page and it works very well. I've also added it to the login user flow.
My problem is when the user goes to the reset password flow (that is right), sends the code to his email and clicks "Continue". The page after, where the user inputs the new password, doesn't have the HTML that I've personalized, and I can't find where to set it.
Thanks for any help!
So, I've found it!
On Page Layout there are multiple Layouts associated with the User Flow.
I just added the custom page to the Layout Change password page and that's it.
I have a link on my website that takes a user to the Azure AD edit profile page. I have customized that page by adding 2 links at the bottom. One is for the user to change their password and the other is to update a phone number. These are 3 different policies within Azure AD. When I initially link to the page from my site I am sending a clientID and a redirect_uri in the query string. Unfortunately this is getting converted to a csrf_token and those query string parameters are gone so I don't have access to them to include them in the change password and change phone number links. When the user clicks on the links obviously they fail. How do I link someone from one custom policy page to another page in Azure Active Directory? My custom page uses javascript, css, and html. No server side code other than what Microsoft injects.
You should have a link back to your application, and your application should understand that this route starts a new authentication journey with the appropriate authentication library with the desired policyId for this URL path. Do not link B2C journeys directly from within your custom HTML; go via your application.
We are currently using the B2C_1_SignInNative User Flow in an Android and iOS app. That user flow has a User Name and Password UI as well as a "Don't have an account? Sign up now" optional flow.
We are using the out of the box customisation capability to show a custom wrapping page into which the standard UI is injected. This has served us well while the app has only been available as a private release; however, we will soon be moving to the public app store, so we will be inviting users outside of the app, and the app B2C flow will be sign-in only.
We'd like to remove the "Sign up now" flow from existing installs. Is it possible to remove that? Alternatively are we allowed to add some custom CSS to our wrapping page to hide the link?
UPDATE
So we definitely can add some custom CSS to hide the "Sign up now" action, but unfortunately the page and contents are cached in the app browser. We are relying on the Microsoft.Identity.Client library to show the browser UI.
It seems that you are using a "Sign up and sign in" flow.
In order to not have the "Sign up now" option, you can create a "Sign In" only flow by selecting one of the below during flow creation:
My company has just obtained Kentico for some new applications. These applications will be going into production in about 2 weeks, so we are still fairly new with this. What we have are three ASP.NET MVC applications/sites that format and present content that is stored in Kentico. Additionally, we have specific users who will log into the Kentico9/Admin site to manage the content displayed by the MVC apps.
From a corporate standpoint, we also have Siteminder SSO enabled. When a user navigates to our Kentico9/Admin site, they are first authenticated by our corporate Siteminder SSO form using their corporate user id. When they are successfully authenticated, Siteminder redirects the user to the Kentico9/Admin site they originally requested and the user is presented with the standard Kentico login form. If the user has already logged in through Siteminder during another session, they only get presented with the Kentico login form. Otherwise, if this is their first time logging in, the user is required to login twice (once through Siteminder and again through Kentico).
What I want to do is bypass the standard Kentico login form and use the Siteminder information to Authorize the user to log them into the Kentico admin site. Siteminder adds the username and some other information to the HTTP request headers. Using C#, I can retrieve their corporate user id using the following: System.Web.HttpContext.Current.Request.Headers.Get("SM_USERID").
So, in a nutshell, I want to override Kentico's standard login form and write some code that will get the user id from the HTTP request header and authorize the user by looking up their userid in Kentico. If the user id is not found or is not active, present the user with the standard Kentico login form. Otherwise, if the user is a valid and active user, pull their user record and allow them to access Kentico.
I have found some tidbits of information and given enough time, I may be able to figure something out, but I am hoping someone has done something similar and can speed up my process. Any ideas on what I can do? I will also entertain anything that might have tighter integration with Siteminder, although it doesn't seem Kentico can handle Siteminder out of the box, but I am not sure about that.
Sounds like you might be able to create a custom webpart which you will place on a page and simply have Siteminder redirect the user to the page with that webpart on it and look for those header values on page load. If it finds them, perform your actions within Kentico to look that user up and authenticate them in Kentico as needed. If there are no header values or it can't find the Kentico info, simply send them to the regular login page.
You could also create a global event handler but that would require someone to click a button or such on your site after they have entered credentials.
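A sketch of the web part approach described in the answer above, added here as an example; it is not code from the thread or from Kentico itself. It assumes Kentico 9's UserInfoProvider.GetUserInfo, AuthenticationHelper.IsAuthenticated/AuthenticateUser and URLHelper.Redirect (check the signatures against your version), assumed page paths, and that the site is reachable only through the SiteMinder agent, since otherwise a client could supply the SM_USERID header itself.

```csharp
using System;
using System.Text.RegularExpressions;
using CMS.Helpers;
using CMS.Membership;
using CMS.PortalEngine.Web.UI;

// Hypothetical web part: sign in the user named by the SiteMinder header,
// or fall back to Kentico's standard logon page.
public partial class SiteMinderLogon : CMSAbstractWebPart
{
    // Assumed shape of a corporate user id; tighten to match your directory.
    private static readonly Regex ValidUserId = new Regex(@"^[A-Za-z0-9._-]{1,100}$");

    // Assumed paths for this example.
    private const string LogonPage = "~/CMSPages/logon.aspx";
    private const string AdminPage = "~/Admin/";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Already signed into Kentico: nothing to do.
        if (AuthenticationHelper.IsAuthenticated())
        {
            URLHelper.Redirect(AdminPage);
            return;
        }

        // Header set by the SiteMinder agent (same call as in the question).
        string smUserId = System.Web.HttpContext.Current.Request.Headers.Get("SM_USERID");
        UserInfo user = ResolveUser(smUserId);
        if (user == null)
        {
            // Unknown, disabled or malformed id: show the standard login form.
            URLHelper.Redirect(LogonPage);
            return;
        }

        AuthenticationHelper.AuthenticateUser(user.UserName, false);
        URLHelper.Redirect(AdminPage);
    }

    // Returns the Kentico user for the SiteMinder id only if it exists and is
    // enabled; null otherwise, so disabled accounts never get signed in.
    internal static UserInfo ResolveUser(string smUserId)
    {
        if (string.IsNullOrEmpty(smUserId) || !ValidUserId.IsMatch(smUserId))
        {
            return null;
        }
        UserInfo user = UserInfoProvider.GetUserInfo(smUserId);
        return (user != null && user.Enabled) ? user : null;
    }
}
```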