I am working on a project that uses Azure API Management (APIM) and requires Azure B2C to authenticate into the APIM portal and to make API calls within APIM. User accounts are considered "local" accounts in Azure AD (no social accounts). As a developer, I have several Azure B2C user accounts setup so I can test different scenarios.
The problem I am having is that I haven't found a way to switch user accounts effectively w/o Azure B2C 'remembering' my previously logged in account. Using MS Edge or Google Chrome, clearing cookies in the browser seems to have no impact on removing any previously cached login information. B2C somehow still seems to 'remember' the user account I had previously logged in with.
To make things worse, I had deleted a user account that I had previously logged in with and after doing that, I couldn't login to Azure B2C at all and got an error in APIM stating that it couldn't find the account.
I've attempted to force a logout by calling a logout endpoint like this:
https://my_domain.b2clogin.com/my_domain.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1A_signup_signin
That seems to have some impact, but not always... and it didn't resolve the issue of the deleted account.
So in a nutshell, is there a way to switch user accounts using Azure B2C?
As a very verbose way of doing it, you can try adding the parameter &prompt=select_account parameter to your login url.
Something like this:
https://my_domain.b2clogin.com/my_domain.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1A_signup_signin&clientId=..[many more]...&prompt=select_account
Check your browser's navigation history if you have troubly finding out your login URL.
Did you try incognito mode in Chrome? During auth process multiple endpoints are invoked, you could trace your auth with fiddler and notice endpoint that return set-cookie headers clearing cookies for these endpoints should result in "sign-out".
Related
Good afternoon experts,
I have a Django web application (it is not internet-facing) and so far I used the django.contrib.auth.backends.ModelBackend to authenticate the users.
However I want to integrate this webapp to an existing SSO solution (like Azure AD) so I thought python3-saml would be a good library to be used (more specifically I use python3-saml-django but it is just a wrapper around python3-saml).
Probably I am missing some fundamental point as I don't really understand how this should work.
When I used ModelBackend then I had a login form where the user could type their username+password which was checked against Django database and the authentication was completed. Should the same work with SSO too? i.e. the login form appears, the user will type their credentials but they will be checked in Azure AD instead of Django auth tables? Or the custom login form of that specific auth solution (in this case Azure AD -> Microsoft login form) should be displayed...?
The LOGIN_URL setting is configured in my Django app so if no user is logged in then automatically my login form appears.
Also I set the AUTHENTICATION_BACKENDS setting and it points only to django_saml.backends.SamlUserBAckend.
I configured AZure AD (registered the app and added a user, I tested it in Azure AD console) hopefully correctly. I also populated python3-saml's settings.json with login/logout URL, etc.
Whenever I try to log in with the Azure AD user I got an auth error (the user and password did).
I am just wondering if somebody could shed some light please how this should work? Can I debug the SAML requests / responses?
auth is token based in azure ad and it will redirect the user to the microsoft login. You will receive an auth token which then you can use to for authorization and providing secure pages.
First register your app in azure portal in azure active directory and also create a user flow.
Then download MSAL for python (using pip) which is used for auth using azure ad for python.
The basic architecture is that when the user tries to login the Microsoft login page will be shown, after signing in your app will receive a token which then you should use to show the logged in pages.
References:
quickstart for auth in python
userflow
MSAL Library
I created a new Azure AD B2C.
I created a new application.
Accounts in any identity provider or organizational directory (for authenticating users with user flows)
provided a redirect URL of my app (I also tried by giving external URL, https://jwt.ms)
Generated secret key and cerificates.
I enabled Implicit grant and hybrid flows.
I created a new user flow for signup and signin, run this flow from azure portal and it successfully runs and show token on https://jwt.ms.
I Cloned the sample app (WebApp-OpenIDConnect-DotNet), run it with default values which came in the sample app and everything works fine.
I Added my client id, instance, domain etc. settings to appsettings.json file.
When I run it, and click on login button, it generates the URL but it never takes me to the login page, instead it takes me to redirect url without any code or querystring in the URL.
I am expecting the azure AD B2C signin page to appear, and only after login , it will take me to the redirect URL.
Can you please guide me what I am missing here or let me know if more information is needed here ? I will try my best to provide as much information as possible.
As stated by Jas Suri, it was due to URI mistmatch. I checked in Chrome dev tool and found the issue.
Thanks for excellent community on stack overflow.
Issue summary:
msal.logout() appears to log the user out, but after "logging out" the user can click "login" and be logged in again without being required to enter their username and password.
This is a serious security issue for user's who login to our application on a public computer, then logout thinking that they have prevented someone from accessing their account.
Frontend is using Angular-msal 1.0.0 (Angular-oauth2-oidc has the same issue, so I think it's not the problem of js library).
Azure AD B2C built in user flow and xml custom policy both have this logout issue when login with federated AAD tenant user.
Any help would be appreciated.
Thanks.
The MSAL library provides a logout method that clears the cache in browser storage and sends a sign-out request to Azure Active Directory (Azure AD). Request will be done against the end_session_endpoint URL obtained from the B2C policy metadata. Keep in mind single sign out is supported only by custom policies and that it's scoped to the same browser, not device.
Just in case you are still facing any issue an idea would be to redirect using &prompt=loginin your auth url will revoke your login request with out user session.
I am creating a new Azure AD B2C authenticated site to replace an older Forms Authenticated one. In the new site, I am asking the user to initially enter their email address so I can check if they exist in Azure B2C and send them to the appropriate sign-in page and if not send them to the older Forms Authenticated site.
The issue is I have when following Microsoft's tutorials, is that they show user management but they all require you to have logged in with your Azure account first and obviously this is not possible given the system I am trying to build. Is what I am doing even possible?
Thanks in advance!
MS tutorials: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-code-samples/
Sadly, it seems like this is not possible within the Azure B2C Preview.
From the limitations section (https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-limitations/) there is this paragraph which describes what I am trying to do:
Daemons / Server Side Applications
Applications that contain long running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens using the application's identity (rather than a consumer's delegated identity) using the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C preview - which is to say that applications can only get tokens after an interactive consumer sign-in flow has occurred.
So it seems like this is currently not possible. Hopefully it'll work once it comes out of preview.
Be careful with this, check if your site is not vulnerable to username enumeration:
http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html
With the old users going to forms based authentication, you could call the Graph API to create the users in the B2C directory:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
Then the next time they can login through B2C
My relying party application uses Windows Azure ACS for user Authentication. I have ACS configured to use Windows Azure Active Directory (WAAD) as an identity provider. This is working for the most part and users can sign into my application using identities I have provisioned for them in WAAD. However, the problem I have is that if a user is signed into another Microsoft account, and in the same browser instance tries to sign into my application they get an ugly ACS error "ACS20012: The request is not a valid WS-Federation protocol message". For example, if I open Chrome and sign into the Windows Azure Management Portal using my Windows Live Id, and then open a new tab and try to sign into my custom app I will get that error. If I open a new browser or clear my cookies I can sign in just fine.
Shouldn't I be able to sign into both apps in the same browser instance?
Nope.
This is to ask to be signed into two Google Accounts (or two Live ID, or whatever two accounts) in the same browser's instance (which actually might be possible using Chrome, but the general case is NO). This is simply impossible today.
It is however ugly to see that error message in the ACS site. Have you configured an ERROR URL for your relying party application in the ACS? Although this property is optional, I strongly advice customers to actually use it, and properly handle requests to it. I haven't tried your particular scenario, but I assume ACS will redirect the user to the Error Url, once you configure it, so you at least know what happens.
Please configure the Error Url for your Relying Party and let us know whether user will be redirected to your site. You shall be then able to generate some proper error message.
UPDATE
If you say this only happens when you are logged-in the Azure management portal, than this (my speculation!) is almost same as sign-in with WAAD. Since the GA of WAAD there had been some changes. If you follow the actual login flow with Fiddler, you will notice that when sign-in to management portal has a bit different flow, then sign-in to Hotmail for instance. If you sign-in to Hotmail, you are just redirected to login.live.com you login and head back to Hotmail.
Now if you inspect the traffic when navigating to manage.windowsazure.com you will notice that there is a first redirect to login.microsoftonline.com (this is WAAD handled!). Then there is redirect to login.live.com (this is for your Live ID account). My speculation here is that WAAD from login.microsoftonline.com federates Live ID (login.live.com) for authentication. That's why you are actually logged in with WAAD, and that's why your app fails.
Please perform the following experiment to confirm whether I am wrong or not:
Delete all your browser's cookies
Go to Hotmail and login with your Live ID account
Now open new tab and open your custom application that federates WAAD via ACS
I suspect that now you will be able to login to your application.