I have an application successfully logging in to a B2C. B2C is configured to use a SAML IdP, which it does on login. However, a logout message to B2C results in B2C calling back to the application's logout URL but not to the SAML IdP. The user thus effectively stays signed in to the IdP and is never re-challenged on new logins to the B2C. Is there something that needs to be set up in the policy for that?
In my own experience, single sign-out is only supported by Azure AD B2C for the Microsoft Account identity provider (where the identity provider session is ended using a hidden iframe), not for any other identity providers.
Related
Setup
I have an identity provider that gives me an access token and an authorization code that I have connected to a B2C user flow.
Problem
For some reason the user flow replaces the authorization code from the identity provider.
By looking at the response in Fiddler one can see that the provided code (FNIwnd....) is replaced with an unknown code (eyJraW....) in the three last responses.
A virtual kiss/highfive or solid handshake to anyone who knows what this is!
AAD B2C trades your identity provider's authZ code for a token. It happens on our server side, so your client trace doesn't capture that. If successful, this means the user is who they say they are at the IdP.
Then AAD B2C issues its own authZ code back to the app, and the app trades that authZ code for AAD B2C tokens.
AAD B2C (App/RP) <-> Your IdP (IdP)
Your app (App/RP) <-> AAD B2C (IdP)
AAD B2C is acting as an app and an IdP in this scenario.
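The two chained authorization-code exchanges described in the answer above, as an added simulation that is not Azure AD B2C code and not part of the original thread. Three parties are modelled in-process: an upstream IdP, a broker that plays the B2C role (relying party towards the IdP, identity provider towards the app), and the app. Issuer names, client IDs and the user "alice" are constructed. The browser trace is what a proxy such as Fiddler would see; the back-channel trace is what it would not.

```python
"""Double authorization-code exchange: IdP -> broker (B2C-like) -> app.

Constructed example. The broker redeems the upstream code server-side and
issues a brand-new code to the app, so the app only ever sees the broker's code.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthorizationServer:
    """Minimal OAuth 2.0 authorization server: one-time codes, HMAC-signed tokens."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self._key = secrets.token_bytes(32)   # key for the tokens this server mints
        self._codes = {}                      # code -> (client_id it was issued to, subject)

    def authorize(self, client_id: str, subject: str, browser_trace: list) -> str:
        # Front channel: the code rides through the browser as a query parameter.
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, subject)
        browser_trace.append(f"302 {self.issuer} -> {client_id} ?code={code}")
        return code

    def token(self, client_id: str, code: str) -> dict:
        # Back channel: single use (pop burns the code even on a failed check),
        # and only redeemable by the client the code was issued to.
        issued_to, subject = self._codes.pop(code)   # KeyError on replay / unknown code
        if issued_to != client_id:
            raise PermissionError("code presented by a client it was not issued to")
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps({"iss": self.issuer, "sub": subject}).encode())
        sig = hmac.new(self._key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return {"access_token": f"{header}.{payload}.{b64url(sig)}", "sub": subject}


class Broker(AuthorizationServer):
    """Plays B2C: a relying party towards `upstream`, an IdP towards the app."""

    def __init__(self, issuer: str, upstream: AuthorizationServer):
        super().__init__(issuer)
        self.upstream = upstream

    def federated_sign_in(self, app_client_id, user, browser_trace, backchannel_trace):
        # 1. Upstream IdP redirects back to the broker with the upstream code (browser sees it).
        upstream_code = self.upstream.authorize(self.issuer, user, browser_trace)
        # 2. Broker redeems that code server-to-server (browser does not see it).
        upstream_tokens = self.upstream.token(self.issuer, upstream_code)
        backchannel_trace.append(f"POST {self.upstream.issuer}/token code={upstream_code}")
        # 3. Broker issues its *own* code to the app for a subject it now vouches for.
        subject = f"{self.upstream.issuer}|{upstream_tokens['sub']}"
        return self.authorize(app_client_id, subject, browser_trace), upstream_code


def run_flow(user: str = "alice") -> dict:
    """Run one federated sign-in and return everything needed to inspect it."""
    idp = AuthorizationServer("https://idp.example")
    b2c = Broker("https://b2c.example", upstream=idp)
    browser, backchannel = [], []
    b2c_code, idp_code = b2c.federated_sign_in("app", user, browser, backchannel)
    # 4. The app redeems the broker's code at the broker's token endpoint.
    app_tokens = b2c.token("app", b2c_code)
    backchannel.append(f"POST {b2c.issuer}/token code={b2c_code}")
    return {"idp_code": idp_code, "b2c_code": b2c_code, "browser": browser,
            "backchannel": backchannel, "app_tokens": app_tokens, "idp": idp, "b2c": b2c}


if __name__ == "__main__":
    result = run_flow()
    print("\n".join(result["browser"]))       # both redirects, two different codes
    print(result["app_tokens"]["access_token"][:20], "...")
```

The browser trace contains both redirects and therefore both codes, which matches what the proxy capture in the question shows; only the two token-endpoint POSTs are server-side. The token the app receives is issued by the broker, not the upstream IdP, and the `pop` in `token()` is what makes each code single-use.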
I have set up Azure B2C as an IdP to an application that uses SAML 2.0 for federation. Currently, the user journey takes the user to the sign-in page where they can sign in with a B2C local account. The problem is I have federated users in the B2C tenant as well and these will of course have no passwords in B2C.
When the service provider redirects the user to B2C (IdP) to authenticate, is it possible to have, a ClaimsProviderSelection (button) for Azure AD (or any social IdP) on the sign-in page so that user can authenticate with a Federated Azure AD account or a social provider account instead of just a B2C local account? My thought is this "double federation" is not possible/supported.
What are my options?
Think I've misunderstood the issue, but if you just add social providers and/or AAD, and configure your user-journey for those providers they will appear as selectable IdPs? See here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers
Unless you mean 'account linking', which is fully supported. See https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/account-linking.
The problem I had was figuring out how to link a policy I had created for sign in using Azure Ad as Idp with another I created for SAML.
I was able to resolve this by creating a custom policy signup signin user flow (call this SignUpOrSignInPolicyA) with Azure AD federation (I had initially only used built-in sign in and sign up flow with Azure AD IdP). Then in the custom policy for the signup signin user flow that uses SAML (call this SignUpOrSignInPolicyB), I added a user journey from the previous policy and also referenced it in the Relying Party tags. Something like this:
<UserJourneys>
  <UserJourney Id="SignUpOrSignInPolicyA">
    ...
  </UserJourney>
</UserJourneys>
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignInPolicyA" />
  ...
</RelyingParty>
So after being redirected from the SAML app to B2C for authentication, I am now able to use Azure AD federation instead of just a local account.
I have an application that uses OAuth to sign users in with my Azure AD B2C tenant. Now I want my app to have a button that links the user from my website to a third-party application, and I want to authenticate that user to the third-party application using SAML, with my Azure B2C tenant acting as IdP and sending SAML to the third party on the user's button click.
Is this scenario possible?
Yes, it is possible. What you mean is SAML as RP.
In the SAML-as-RP case:
B2C acts as IdP
B2C accepts SAML requests
B2C sends SAML assertions as output
I can help you if you get stuck anywhere...
Yes you can do this with B2C custom policies.
Your logon page will now have two buttons:
Normal B2C auth
SAML auth to third party
When using Facebook as the IDP for Azure AD B2C, it appears that B2C isn't using the FB SDK correctly.
Using FB's guidelines found here, I would expect scenarios 2 and 3 below to log out of Facebook:
1. A person logs into Facebook, then logs into your app. Upon logging out from your app, the person is still logged into Facebook.
2. A person logs into your app and into Facebook as part of your app's login flow. Upon logging out from your app, the user is also logged out of Facebook.
3. A person logs into another app and into Facebook as part of the other app's login flow, then logs into your app. Upon logging out from either app, the user is logged out of Facebook.
When we log out of our application, Facebook is staying logged in, which is NOT the desired behaviour.
A similar question was asked previously on TechNet.
Is there a way to make this happen, or is this feature on the B2C roadmap?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
Currently, Azure AD B2C does not disambiguate whether you were already signed in to the external identity provider or signed in to it as part of signing in to Azure AD B2C, so it can only either always keep you signed in or always sign you out. The latter option is rather invasive, thus Azure AD B2C opts for keeping you signed in, which is in line with Facebook's #1 guideline.
You can request support for this more advanced detection and sign out logic via the Azure AD B2C feedback forum.
Note: This question is similar to: Azure AD B2C OpenID Connect single logout with WS-Federation and SAML claims provider
AD FS is configured with custom policies as a claims provider on Azure AD B2C using WS-Federation and SAML. The relying party on Azure AD B2C is using OpenID Connect.
Is it possible to do front-channel single logout initiated through OpenID Connect?
OpenID Connect Front-Channel Logout 1.0 - draft 02: http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html
Single logout is initiated from the relying party using OpenID Connect, continued through Azure AD B2C using WS-Federation, and reaches AD FS, thereby terminating the session in the relying party, Azure AD B2C and AD FS.
If so, how is that configured in Azure AD B2C with custom policies?
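The front-channel logout chain the question describes, as an added in-process simulation that is not Azure AD B2C, AD FS or OpenID Foundation code and not part of the original thread. It models the relying-party endpoint that the OpenID Connect Front-Channel Logout draft has the OP load in a hidden iframe, including the `iss` and `sid` checks the RP must perform before it drops a session, and a broker in the B2C role that notifies its registered RPs but never its upstream claims provider. Issuer URLs, the `frontchannel_logout_uri` path and the session identifiers are constructed.

```python
"""Front-channel logout chain: RP -> broker (B2C-like) -> upstream claims provider.

Constructed example. The RP's logout endpoint is only honoured when the
`iss` and `sid` query parameters match a session it actually holds, so a
third party cannot log users out by linking to the endpoint with guessed values.
"""
from urllib.parse import parse_qs, urlencode, urlparse


class RelyingParty:
    """OIDC RP exposing a frontchannel_logout_uri (frontchannel_logout_session_required)."""

    def __init__(self, name: str, trusted_issuer: str):
        self.name = name
        self.trusted_issuer = trusted_issuer
        self.logout_uri = f"https://{name}.example/oidc/frontchannel-logout"
        self.sessions = {}      # OP session id (sid) -> local user

    def login(self, sid: str, user: str) -> None:
        self.sessions[sid] = user

    def handle_frontchannel_logout(self, request_url: str) -> bool:
        """GET handler for the iframe. Returns True only if a session was ended."""
        q = parse_qs(urlparse(request_url).query)
        iss = q.get("iss", [None])[0]
        sid = q.get("sid", [None])[0]
        if iss != self.trusted_issuer:        # draft: RP MUST verify the issuer
            return False
        if sid is None or sid not in self.sessions:   # and that sid names a live session
            return False
        del self.sessions[sid]
        return True


class Broker:
    """B2C-like OP: keeps its own session, renders logout iframes for its RPs,
    and (as the answers on this page state) does not sign out of its upstream IdP."""

    def __init__(self, issuer: str, upstream_sessions: dict):
        self.issuer = issuer
        self.upstream_sessions = upstream_sessions   # shared state of the claims provider
        self.sessions = {}                           # sid -> (user, [RelyingParty])

    def login(self, sid: str, user: str, rp: RelyingParty) -> None:
        self.sessions.setdefault(sid, (user, []))[1].append(rp)
        rp.login(sid, user)

    def end_session(self, sid: str) -> list:
        """RP-initiated end_session: returns the iframe URLs rendered, after acting on them."""
        user, rps = self.sessions.pop(sid)
        rendered = []
        for rp in rps:
            url = rp.logout_uri + "?" + urlencode({"iss": self.issuer, "sid": sid})
            rp.handle_frontchannel_logout(url)       # what the browser's iframe load does
            rendered.append(url)
        # No call towards the upstream claims provider: its session is left intact.
        return rendered


def run_chain() -> dict:
    """Sign in through the chain, log out from the RP side, report what is left."""
    upstream = {"adfs-session-1": "alice"}            # AD FS-like session, already established
    b2c = Broker("https://b2c.example", upstream)
    rp = RelyingParty("app", trusted_issuer=b2c.issuer)
    b2c.login("b2c-sid-42", "alice", rp)
    iframes = b2c.end_session("b2c-sid-42")
    return {"iframes": iframes, "rp_sessions": rp.sessions,
            "b2c_sessions": b2c.sessions, "upstream_sessions": upstream, "rp": rp, "b2c": b2c}


if __name__ == "__main__":
    r = run_chain()
    print(r["iframes"])               # one logout iframe per RP
    print("upstream still has:", r["upstream_sessions"])
```

After `end_session` the RP and broker sessions are gone while the upstream session dictionary is untouched, which is the behaviour the answer below describes. The handler's `iss`/`sid` checks are what stop an unrelated page from ending sessions by simply embedding the logout URL.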
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
That practice is highly discouraged as it's quite invasive on the end user and risks discouraging the user from doing SSO, rather opting for local accounts.
For example, if the user signed in using Facebook and then signs out of your application, they'll probably be very annoyed by the fact that they've also been signed out of Facebook and, after enough times of this happening, might give up on SSO using Facebook and just create a local account that doesn't mess up their experiences elsewhere. A similar case could be made for business customers that, by signing out of your app, also get signed out of all of their other business apps.
All that said, you can still request support for this via the Azure AD B2C feedback forum.