Azure AD B2C and ADFS as SAML IdP. Code example? - azure

I want users of my application authenticated in a couple of on-premises ADFS servers.
I setup Azure B2C working together with ADFS as SAML identity provider.
The setup process is described here in MS official docs https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp
That was complicated, but now my custom policy B2C_1A_SignUpOrSignIn works, meaning that it first redirects to the B2C login page with buttons, then I click a button and the system redirects to the ADFS login page, where it asks users for their login and password.
But how to integrate it with a .NET or Node.js application?
Any code examples?

Samples for different platforms can be found at Azure Active Directory B2C code samples.
If a sample application references a built-in policy, such as "B2C_1_SignUpOrSignIn", then you must replace this with your custom policy.

Related

Can the MSAL API be used with B2C only - or B2B application too?

We're considering using Azure AD B2B or B2C for an SSO service. We will not be using the Azure B2B built-in SSO login page or the B2C custom-policies based login page. We have our own custom login JSP page, from which we plan to use MSAL Graph APIs to call Azure AD authentication services.
Questions:
Are these MSAL APIs applicable to B2C only, or can we use them with a B2B tenant application as well? All the documents and guidance that I can take as an example use a B2C tenant app only.
If I am using MSAL OAuth 2.0 authentication services for my custom login page, I assume we don't need to rely on a SAML SSO configuration. Or would it be possible to use a mix of these services (i.e. SAML for basic login authentication, MSAL OAuth 2.0 calls for self-service account registration)?
I would appreciate it if anyone could shed some light on this.
Thanks.
B2B and B2C serve two different purposes. B2B is meant for you to use to invite external federated users to your directory using their own credentials, whereby you can assign them access directly to your resources. On the other hand, B2C is a separate directory where you allow users to register, optionally using their own credentials from federated providers as well. If your aim is to SSO to a local AzureAD protected resource, then clearly you're going to have to tell that resource to use the B2C directory as an IdP as well. Hence, B2B is much simpler for SSO, but a big differentiator is scale. If you plan to invite a massive number of users, then it is not a good idea to use B2B.
MSAL uses standard protocols such as OAuth 2.0 and OIDC to authenticate directly to any supported IdP, including Azure AD or Azure AD B2C. Being a guest user or not has no bearing on that process. It is also important to mention that B2C does require either a User Flow or a Custom Policy to function.
So to answer your questions to the best of my ability:
1- MSAL libraries work similarly for both Azure AD and Azure AD B2C. There may be some configuration differences in case of B2C to supply additional information regarding the policy name, etc. But they work all the same.
2- MSAL itself does not support SAML authentication. For that you'll need a library which can perform SAML authentication. While Azure AD supports SAML natively, Azure AD B2C requires you to set up a custom policy to configure SAML authentication.

Does Azure AD B2C allow login on the custom domain login page instead of https://<tenant-name>.b2clogin.com page?

I have registered an application in Azure AD B2C. When I try to access the application's login URL (e.g. https://contoso.com/api/v1/login), it redirects the request to the Azure AD B2C URL (e.g. https://contoso.b2clogin.com). On successful login it redirects to the application home page (e.g. https://contoso.com/api/v1/home).
Is it possible to achieve the same functionality by providing the user's login credentials on the application login page (https://contoso.com/api/v1/login) itself and not redirecting to the Azure AD B2C login page? The backend application can validate the user using the Azure AD B2C URL behind the scenes and return the authentication token on successful login.
Please suggest, and provide some Node.js code if possible.
You can use B2C Custom domains for a better user experience:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow
Update:
Using MSAL 2.0 without implicit flow in your app registration allows it to open a popup.
Node info here.
It is possible by using the ROPC flow - https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
You should keep in mind though that OAuth2 best practice discourages using this flow - https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13#section-3.4

Is Azure AD B2C with Azure AD Domain Services possible?

I am working on setting up Tableau server. I want end users who login with their Azure AD B2C credentials to see some of the visualizations we build in Tableau.
While setting up Tableau, I noticed that Tableau works with Azure AD Domain Services only. Two of our user groups in Azure AD are synced with ADDS, so I am able to add those users to Tableau.
However, I do not see a similar synchronization option between ADDS and AD B2C.
Question: Is ADDS only for Azure AD and not for AD B2C? Any suggestions to achieve the goal mentioned in the first two lines?
From the official documentation:
Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
It is meant as a means to help customers that are using Active Directory on premises migrate their domain controllers to Azure Domain Services and still support authentication and traditional management using OUs, LDAPS and Kerberos.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/overview#:~:text=Azure%20Active%20Directory%20Domain%20Services%20(AD%20DS)%20provides%20managed%20domain,(DCs)%20in%20the%20cloud
Azure B2C
Azure Active Directory B2C (Azure AD B2C) is an identity management service that enables custom control of how your customers sign up, sign in, and manage their profiles when using your iOS, Android, .NET, single-page (SPA), and other applications.
Basically this is meant to support modern authentication for applications using OIDC, OAuth2 and SAML.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/#:~:text=Azure%20Active%20Directory%20B2C%20(Azure,SPA)%2C%20and%20other%20applications.
So you cannot use AADS (Active Directory) to manage B2C authentication.
To configure Tableau with Azure Active Directory I suggest you use SAML as described in the official documentation:
Tableau SAML
https://help.tableau.com/current/server/en-us/saml.htm
Azure B2C SAML
https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
You should have something like the below:
1. User navigates to the Tableau Server sign-in page or clicks a published workbook URL.
2. Tableau Server starts the authentication process by redirecting the client to the configured IdP (Azure B2C).
3. Azure B2C requests the user's username and password from the user. After the user submits valid credentials, Azure B2C authenticates the user.
4. Azure B2C returns the successful authentication in the form of a SAML Response to the client. The client passes the SAML Response to Tableau Server.
5. Tableau Server verifies that the username in the SAML Response matches a licensed user stored in the Tableau Server Repository. If a match is verified, then Tableau Server responds to the client with the requested content.

How to implement SSO in Node.JS Azure AD B2C

I have 4 Node.js applications (Angular frontends) with different domains, and I have implemented Azure AD B2C.
I need to implement SSO (Single Sign-On) in my applications.
How can I set it up? What is the recommended way?
I checked https://github.com/AzureAD/passport-azure-ad
but there is no documentation on setting up SSO for Node.js applications, or sample code.
Go to Azure AD B2C -> User flows (policies) -> find your sign-in policy -> Properties -> you will find the single sign-on configuration.
The default setting is tenant which allows multiple applications and user flows in your B2C tenant to share the same user session. For example, once a user signs into an application, the user can also seamlessly sign into another one.
Reference:
Configure session behavior in Azure Active Directory B2C

Azure AD B2C custom native login screen for iOS

How can I implement a native custom login (and register) screen that connects towards a Microsoft Azure AD B2C?
This is the setup:
I have a mobile application developed in Xcode/Swift that...
...needs to register and log in (new) users against an Azure Active Directory B2C (notice the B2C here, as there are also other AD solutions by Microsoft).
The solution that Microsoft offers can be found here: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal. But this opens a Safari window, which is not the user experience I am looking for.
Instead I want to build a native login screen (UIViewController) with my own layout and design, but still want to use the Azure Active Directory B2C.
How could this be done?
For sign-in, you can implement a native page that integrates with a resource owner password credentials policy in the Azure AD B2C tenant, which will enable a user's credentials to be POSTed to the Azure AD B2C tenant for validation:
POST /tfp/yourtenant.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token HTTP/1.1
Host: yourtenant.b2clogin.com
Content-Type: application/x-www-form-urlencoded

grant_type=password&
username=leadiocl%40trashmail.ws&
password=Passxword1&
scope=openid+bef22d56-552f-4a5b-b90a-1988a7d634ce+offline_access&
client_id=bef22d56-552f-4a5b-b90a-1988a7d634ce&
response_type=token+id_token
For sign-up, a client credential is required to request an access token for the Azure AD Graph API to create an Azure AD B2C user, so if you want to implement a native page then you will also have to consider implementing a backend/proxy API that protects the client credential.
