I am using Azure B2C to connect my own openid connect server using OpenID onnect (Preview) provider. I configured every thing, system is working fine.
But one thing is when a new user logs in through my own openid connect server, Azure AD B2C creates this user in Azure AD which is connected to Azure B2C.
My intention is that, My client application has to call Azure B2C. Azure B2C should display list of identity providers. one among those providers is my own openid connect server. Then user can input his credential in my own openid connect server and verified and return back to Azure B2C with id_token. after this step Azure AD B2C is asking me to create this user in Azure AD. why this is happening ?
I cannot provide my user details to any intermediate systems. Please help me on this.
The same scenario is happening for gmail users also. but only first time login or when we change some signin policy attributes.
Based on my experience, even for externally authenticated users (social sign-in) AAD B2C always creates an object in its local store (which is actually an Azure AD directory). I can't speak authoritatively, but a couple of reasons for this would be 1) the ability to generate and maintain an immutable ID for a user that is somewhat independent of the social IdP, and 2) the ability to collect and store additional attributes which are not available from the social IdP.
I believe you can make the process invisible to your users - they don't necessarily have to be prompted to enter additional attributes or to create a user - but it will still happen in the background.
Related
We are trying to use Azure B2C for a use case where we did not find much information. The idea is that several partners, each with their corresponding IdPs, will embed in their web and mobile applications our platform.
This platform can be consumed via API or via WebView, depending on the maturity of our partners' applications. Partners want to federate their IdPs with our Azure B2C with OIDC.
The problem comes with the user experience that we are proposing. The user is facing a double login with the same credentials. One time when entering the partner's app and a second time when entering the tab of our functionality inside the partner's app (our B2C redirecting by OIDC to the partner's IdP).
Is it possible to do this flow without the user re-entering his credentials inside each partner's app to access our services?
I am working on setting up Tableau server. I want end users who login with their Azure AD B2C credentials to see some of the visualizations we build in Tableau.
While setting up Tableau, I noticed that Tableau works with Azure AD Domain services only. Two of our user groups in Azure AD is synched with ADDS. So I am able to add those users to Tableau.
However, I do not see similar synchronization option between ADDS and AD B2C.
Question: ADDS is only for Azure AD and not for AD B2C? Any suggestions to achieve my goal mentioned in first two lines?
From official documentation
Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
it is meant as a mean to help customer that are using active directory on premise to migrate their domain controllers to Azure domain services and still support authentication and traditional management using OU, LDAPS and Kerberos.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/overview#:~:text=Azure%20Active%20Directory%20Domain%20Services%20(AD%20DS)%20provides%20managed%20domain,(DCs)%20in%20the%20cloud
Azure B2C
Azure Active Directory B2C (Azure AD B2C) is an identity management service that enables custom control of how your customers sign up, sign in, and manage their profiles when using your iOS, Android, .NET, single-page (SPA), and other applications.
basically this is meant to support modern authentication for applications using OIDS,OAuth2, SAML
https://learn.microsoft.com/en-us/azure/active-directory-b2c/#:~:text=Azure%20Active%20Directory%20B2C%20(Azure,SPA)%2C%20and%20other%20applications.
so you cannot use AADS (Active Directory) to manage B2C authentications.
to configure Tableau with Azure Active Directory I suggest you use SAML as described in official documentation:
Tableau SAML
https://help.tableau.com/current/server/en-us/saml.htm
Azure B2C SAML
https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
you should have something like the below
User navigates to the Tableau Server sign-in page or clicks a published workbook URL.
Tableau Server starts the authentication process by redirecting the client to the configured IdP (Azure B2C).
Azure B2C requests the user’s username and password from the user. After the user submits valid credentials, Azure B2C authenticates the user.
Azure B2C returns the successful authentication in the form of a SAML Response to the client. The client passes the SAML Response to Tableau Server.
5.Tableau Server verifies that the username in the SAML Response matches a licensed user stored in the Tableau Server Repository. If a match is verified, then Tableau Server responds to the client with the requested content
I have the following scenario:
On-prem SQL SSO database exists that manages usernames and password (salted and hashed).
Azure AD B2C in the cloud for local accounts (usernames and passwords).
I would like to have both systems stay in sync. So, when a user requests a password reset from the on-prem SSO database, it will salt and hash the password, and then transmit that password to Azure AD B2C. Similarly, if the user requests a password reset from Azure AD B2C it will salt and hash that password back down to the on-prem database as well, if possible; I can imagine a scenario where this simply isn't possible in which case it would be OK if the hash value of the password is stored and we can assign a secondary column for "authentication_method" which will allow other client apps to still authenticate. If a new user signs-up on either side, then the appropriate record is created in both systems for local accounts only.
How can I go about implementing such a flow? What kind of documentation would be helpful here from the AD B2C side? Are there other synchronization tools available for this scenario?
I can imagine something like Apache Kafka or some script to sync data back and forth, but I am not sure about the specifics on the B2C side of how to get the password. I'm sure I've seen some documentation on how to update the user's password for the first scenario of on-prem to cloud, but lack information on how to go from cloud to on-prem.
The purpose of this is to support a newer application to leverage B2C, but still allow older apps to work without having to update them to B2C.
Password HashSync to Azure AD B2C is not supported. There are a couple of moving parts in your scenario that needs to be addressed.
The Azure AD B2C to SSO Database: You can use REST-API that Azure B2C custom policy calls from its custom policy, which acts as a broker to authenticate (username, password). Since you are using local accounts with Azure AD B2C this should work as long as your backend can authenticate the user using username/password. There is no sync needed but until the SSO database goes away you need to keep using the REST-API. Essentially, you want to use a single source of truth. This approach is similar to the pattern describe here.
On the Azure AD B2C side, you can update the password for a local user account using Microsoft Graph API. This opens up the door to update the password from your on-prem system to Azure AD B2C as needed. Of course, Azure AD B2C hash the password itself but you don't have access to it.
Either way, you need to evaluate the pros and cons.
I have a 2 application using a single AD B2C tenant. I want to logout the user from both websites when the user signs out to either one of them. I'm using email for local accounts.
In AAD, there is a LogoutUrl registered on each application which receives a GET request to users currently signed in to. Source
I wonder if there is workaround for AD B2C like in AAD.
PS: I am using this repo as reference.
Azure AD B2C doesn't support Single Log Out and we weren't able to find a workaround.
I've understood that in B2C scenarios Microsoft has assumed that IdPs are "social-media" type and considered it is not of end-users interest to be logged out of Facebook when they log out of some service to which they've authenticated via Twitter. Makes sense in that scenario.
However, in government-provided IdP scenarios it is usually a hard requirement to be able to support SLO.
We considered it to be more of a limitation by-design in B2C than technical, so we moved to using another authentication service provider that supports SLO. Apparently a wise choice as I haven't at least heard anything regarding SLO and Azure B2C as of today.
According to the documentation that is possible:
When you redirect the user to the Azure AD B2C sign-out endpoint (for
both OAuth2 and SAML protocols), Azure AD B2C clears the user's
session from the browser. However, the user might still be signed in
to other applications that use Azure AD B2C for authentication. To
enable those applications to sign the user out simultaneously, Azure
AD B2C sends an HTTP GET request to the registered LogoutUrl of all
the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that
identifies the user and returning a 200 response. If you want to
support single sign-out in your application, you must implement a
LogoutUrl in your application's code.
The suggested answer was from 3 years ago.
Please have a read here.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out
Apparently, B2C does support single sign out, but I could not get it to work despite following the steps and I'm looking for answers on SO.
We are designing an application which will be used by client's employee, some of their vendors and consumers as well. All of these three types of user will have the different set of rights.
We were analyzing the Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we setup our application in such a way that if can authenticate from B2B and B2C both? Or any other suggestion to implement this.
Thanks In Advance
You can totally setup an app to authenticate with multiple directories.
Setup one Azure AD that will be used by employees, where partners can be added through B2B. Then also setup a B2C directory for the customers.
On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in both directories.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to setup multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user, you can't really choose for them.
Update to B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose if they want to sign in with social accounts or if they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info