I have two applications: let's say application A and application B that are running on different ports i.e. 6420 and 8000.
Theses applications are registered in the B2C tenant and are using the same 'signInUp policy'.
I am able to authenticate the user with MSAL.js (Microsoft Authentication Library).
Kindly let us know what needs to be done at code end for SSO implementation on different domain applications.
In a B2C policy, you can control the SSO experience per Policy. In the "Token, session & SSO config" part you can configure the SSO behavior:
In this section you can limit the SSO to:
Tenant (every application in B2C)
Application (SSO through different policies on the same app)
Per policy
Disabled (No SSO)
This documentation and Github sample show you how to set up the SSO:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory-b2c/active-directory-b2c-token-session-sso.md
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies
See also: https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp
Related
Is it possible to configure msal to work with two different apps simultaneously? Or perhaps is it possible to have two instances running in parallel on the same Single Page Application SPA?
Specifically, I have a business app that is accessed by both B2C users and Corporate users. The business prefers that the Corporate users be able to log into the app without the need to create an additional B2C account (and using a federated B2C sign-in type). This would mean that I need an app in the B2C tenant and the Corporate tenant, and my single page application app would be protected by either app for any given user.
In other words, if you follow this link:
https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial#chapter-1-sign-in-a-user-to-your-application
it gives instructions for how to sign in with Azure AD, and how to sign in with Azure AD B2C. But how would I go about doing both at the same time?
I've registered the B2C SAML app with the help from https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
I'd like to try Idp initiated sign-in using myapplications.onmicrosoft.com, but I could not find the my SAML app on myapplications list. I guess the reason being that "App registration" based SAML application is not displaying under B2C tenant active directory "Enterprise Applications" blade. In Idp Initiated myapplications.onmicrosoft.com will only shows the apps icons of enterprise applications list?
My question here,
Why Azure AD B2C "App registrations" - owned SAML application is not listing under B2C tenant enterprise applications? Is this expected behaviour?
If I need to use Idp initiated sign-in page for my B2C SAML application, what would be the correct approach?
I appreciate if you can shed any light on this.
Thanks.
Yes that is expected.
The federation style app registration(Saml or ws-Federation) is intended to provide Idp for old Apps(Saml or ws-Federation) living in other realm. As they has nothing to do with the AAD B2c, Enterprise application (local representation or service principal of the app) is not needed. Also they are pretty old protocol comparing to oath2/openid connect.
So in AAD world, you want to register you app using the default app registration, where you can choice single tenant(an enterprise application will be automatically created in the same tenant) or multiple tenant(manually create enterprise application in each tenant) and you use oath2/openid connect to initiate login.
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c?view=aspnetcore-5.0
.
To answer the second question, it's described here.
You need to set:
<Item Key="IdpInitiatedProfileEnabled">true</Item>
and the URL is of the form:
https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/generic/login?EntityId=app-identifier-uri
I am working on setting up Tableau server. I want end users who login with their Azure AD B2C credentials to see some of the visualizations we build in Tableau.
While setting up Tableau, I noticed that Tableau works with Azure AD Domain services only. Two of our user groups in Azure AD is synched with ADDS. So I am able to add those users to Tableau.
However, I do not see similar synchronization option between ADDS and AD B2C.
Question: ADDS is only for Azure AD and not for AD B2C? Any suggestions to achieve my goal mentioned in first two lines?
From official documentation
Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
it is meant as a mean to help customer that are using active directory on premise to migrate their domain controllers to Azure domain services and still support authentication and traditional management using OU, LDAPS and Kerberos.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/overview#:~:text=Azure%20Active%20Directory%20Domain%20Services%20(AD%20DS)%20provides%20managed%20domain,(DCs)%20in%20the%20cloud
Azure B2C
Azure Active Directory B2C (Azure AD B2C) is an identity management service that enables custom control of how your customers sign up, sign in, and manage their profiles when using your iOS, Android, .NET, single-page (SPA), and other applications.
basically this is meant to support modern authentication for applications using OIDS,OAuth2, SAML
https://learn.microsoft.com/en-us/azure/active-directory-b2c/#:~:text=Azure%20Active%20Directory%20B2C%20(Azure,SPA)%2C%20and%20other%20applications.
so you cannot use AADS (Active Directory) to manage B2C authentications.
to configure Tableau with Azure Active Directory I suggest you use SAML as described in official documentation:
Tableau SAML
https://help.tableau.com/current/server/en-us/saml.htm
Azure B2C SAML
https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
you should have something like the below
User navigates to the Tableau Server sign-in page or clicks a published workbook URL.
Tableau Server starts the authentication process by redirecting the client to the configured IdP (Azure B2C).
Azure B2C requests the user’s username and password from the user. After the user submits valid credentials, Azure B2C authenticates the user.
Azure B2C returns the successful authentication in the form of a SAML Response to the client. The client passes the SAML Response to Tableau Server.
5.Tableau Server verifies that the username in the SAML Response matches a licensed user stored in the Tableau Server Repository. If a match is verified, then Tableau Server responds to the client with the requested content
I have 4 Node.JS Application frontend angular with different domains, I have implemented Azure AD B2C
I need to implement SSO or Single Sign On in my applications
How can I set it up, what is the recommended way.
I checked https://github.com/AzureAD/passport-azure-ad
but there is no documentation on setting up SSO for Node.JS applications or sample codes.
Go to Azure AD B2C->User flows(policies)->find your sign in policy->properties->you will find the single sign-on configuration.
The default setting is tenant which allows multiple applications and user flows in your B2C tenant to share the same user session. For example, once a user signs into an application, the user can also seamlessly sign into another one.
Reference:
Configure session behavior in Azure Active Directory B2C
I want users of my application authenticated in a couple of on-premises ADFS servers.
I setup Azure B2C working together with ADFS as SAML identity provider.
The setup process is described here in MS official docs https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp
That was complicated, but now my custom policy B2C_1A_SignUpOrSignIn works, in meaning that it redirects to B2C login page with buttons first, then I click a button and system redirects to ADFS login page, where asks users for login and passwords.
But how to integrate it with a .NET or Node.js application?
Any code examples?
Samples for different platforms can be found at Azure Active Directory B2C code samples.
If a sample application references a built-in policy, such as "B2C_1_SignUpOrSignIn", then you must replace this with your custom policy.