Use Azure OpenID Connect with AD B2C for single sign on - azure

I'm using Azure OpenID Connect with Active Directory B2C multi-tenant application for login purpose on my set of applications. Most of the users login using Google social provider of B2C, but for now I'd like to keep the option to use AD open. I use a single B2C application to login to multiple sub-parts of my applications, using different domains, different programming platforms etc - I just allow many return URLs in the B2C app.
What I'd like to achieve is a true single sign-on: possibility to login once and then to access all the sub-applications that use this B2C app.
Currently, when I login to one sub-app and then try to access some other one, I need to choose my Google account (when I'm logged in using Google connector). I'd like to remove the necessity of any human interaction in the process of accessing other parts of the app, when I'm already signed in (of course automatic redirects are fine). Is this possible with B2C/OpenID Connect?

Related

Federate multiple IdP with OIDC to Azure B2C and authentication without user interaction

We are trying to use Azure B2C for a use case where we did not find much information. The idea is that several partners, each with their corresponding IdPs, will embed in their web and mobile applications our platform.
This platform can be consumed via API or via WebView, depending on the maturity of our partners' applications. Partners want to federate their IdPs with our Azure B2C with OIDC.
The problem comes with the user experience that we are proposing. The user is facing a double login with the same credentials. One time when entering the partner's app and a second time when entering the tab of our functionality inside the partner's app (our B2C redirecting by OIDC to the partner's IdP).
Is it possible to do this flow without the user re-entering his credentials inside each partner's app to access our services?

How to configure msal.js to use two Authorities (Apps) (AAD & AADB2C)

Is it possible to configure msal to work with two different apps simultaneously? Or perhaps is it possible to have two instances running in parallel on the same Single Page Application SPA?
Specifically, I have a business app that is accessed by both B2C users and Corporate users. The business prefers that the Corporate users be able to log into the app without the need to create an additional B2C account (and using a federated B2C sign-in type). This would mean that I need an app in the B2C tenant and the Corporate tenant, and my single page application app would be protected by either app for any given user.
In other words, if you follow this link:
https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial#chapter-1-sign-in-a-user-to-your-application
it gives instructions for how to sign in with Azure AD, and how to sign in with Azure AD B2C. But how would I go about doing both at the same time?

Having more than one facebook login connector on B2C Azure login?

Azure AD B2C let you set up just one Facebook login. But what happens when you want to connect to the same b2c directory more than one web app. Facebook forces you to insert logo and policy.
If I have two web apps, I would need to have the chance to setup 2 different facebook logins with different policy and logo. I can do on facebook developer, but seems azure b2c supports just one.
is there a way to achieve that? Maybe using open id account?
Thanks.
You would need to add it as a custom OIDC provider. Or otherwise use custom policies where you can define as many as you like.

How to implement SSO in Node.JS Azure AD B2C

I have 4 Node.JS Application frontend angular with different domains, I have implemented Azure AD B2C
I need to implement SSO or Single Sign On in my applications
How can I set it up, what is the recommended way.
I checked https://github.com/AzureAD/passport-azure-ad
but there is no documentation on setting up SSO for Node.JS applications or sample codes.
Go to Azure AD B2C->User flows(policies)->find your sign in policy->properties->you will find the single sign-on configuration.
The default setting is tenant which allows multiple applications and user flows in your B2C tenant to share the same user session. For example, once a user signs into an application, the user can also seamlessly sign into another one.
Reference:
Configure session behavior in Azure Active Directory B2C

Checking a user exists in Azure Active Directory B2C

I am creating a new Azure AD B2C authenticated site to replace an older Forms Authenticated one. In the new site, I am asking the user to initially enter their email address so I can check if they exist in Azure B2C and send them to the appropriate sign-in page and if not send them to the older Forms Authenticated site.
The issue is I have when following Microsoft's tutorials, is that they show user management but they all require you to have logged in with your Azure account first and obviously this is not possible given the system I am trying to build. Is what I am doing even possible?
Thanks in advance!
MS tutorials: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-code-samples/
Sadly, it seems like this is not possible within the Azure B2C Preview.
From the limitations section (https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-limitations/) there is this paragraph which describes what I am trying to do:
Daemons / Server Side Applications
Applications that contain long running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens using the application's identity (rather than a consumer's delegated identity) using the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C preview - which is to say that applications can only get tokens after an interactive consumer sign-in flow has occurred.
So it seems like this is currently not possible. Hopefully it'll work once it comes out of preview.
Be careful with this, check if your site is not vulnerable to username enumeration:
http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html
With the old users going to forms based authentication, you could call the Graph API to create the users in the B2C directory:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
Then the next time they can login through B2C

Resources