Azure B2C SingleLogoutService location - azure-ad-b2c

I need to provide the IdP (SAML 2.0) with the SingleLogoutService Location of our Azure B2C tenant, i.e., something like
<md:EntityDescriptor …
  <md:SPSSODescriptor …
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/<TENANT>.onmicrosoft.com/saml2" />
What would that Location be? I was able to figure out the ACS, which is
<md:AssertionConsumerService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://login.microsoftonline.com/te/<TENANT>.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer"
    index="1" isDefault="true"/>
I assume the Single Logout Service is something similar, but I cannot find any reference to what it would be.

You can get the Azure AD B2C metadata at:
https://login.microsoftonline.com/te/<tenant>/<policy>/samlp/metadata
The Single Logout service location should be:
https://login.microsoftonline.com/te/<tenant>/<policy>/samlp/sso/logout

Related

Azure Custom Policy B2C - Getting a picture URL claim for AAD and Microsoft

I have an AAD B2C custom policy that has AAD and Microsoft as claims providers, I have tried adding "picture" as an output claim, but that doesn't work.
<OutputClaim ClaimTypeReferenceId="picture" PartnerClaimType="picture" />
Simply doing this for Google as the claims provider does work. What can I do to have a claim that will output the picture url in the token for AAD and Microsoft?

What are the SSPR password policies for B2C?

I've tried the "force password reset on user logon" custom policy; it works fine.
We're passing the Graph API parameter below when creating the user account:
"passwordPolicies": "DisablePasswordExpiration"
For the SSPR feature, may I know the default password policy, please?
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy explains that the default password expiry duration is 90 days. I'm using B2C custom policies; is this SSPR default of 90 days not applicable to B2C Local Accounts?
Are the SSPR policies for standard AD users and B2C tenant users different? Could someone please clarify this?
Password expiry duration (Maximum password age)
Default value: 90 days.
The value is configurable by using the Set-MsolPasswordPolicy cmdlet from the Azure Active Directory Module for Windows PowerShell.
Thanks.
• Yes, the SSPR policies for Azure AD and Azure AD B2C tenants are different from each other, because Azure AD is specifically meant for managing an organization's internal environment, i.e., its users and applications for internal organizational purposes, while Azure AD B2C is meant for hosting client-facing applications and web apps and customizing them accordingly, including authentication and other features.
• Also, as you can customize the password reset policy in Azure AD B2C, only the password complexity is defined as a default; there is no mention of a default value for password expiration in the Azure AD B2C custom policy defaults. You can find the example below for your reference; it is the building-block example of password complexity from an Azure AD B2C custom policy, which is considered the default.
<!--
<BuildingBlocks>-->
  <Predicates>
    <Predicate Id="LengthRange" Method="IsLengthRange">
      <UserHelpText>The password must be between 6 and 64 characters.</UserHelpText>
      <Parameters>
        <Parameter Id="Minimum">6</Parameter>
        <Parameter Id="Maximum">64</Parameter>
      </Parameters>
    </Predicate>
    <Predicate Id="Lowercase" Method="IncludesCharacters">
      <UserHelpText>a lowercase letter</UserHelpText>
      <Parameters>
        <Parameter Id="CharacterSet">a-z</Parameter>
      </Parameters>
    </Predicate>
    <Predicate Id="Uppercase" Method="IncludesCharacters">
      <UserHelpText>an uppercase letter</UserHelpText>
      <Parameters>
        <Parameter Id="CharacterSet">A-Z</Parameter>
      </Parameters>
    </Predicate>
    <Predicate Id="Number" Method="IncludesCharacters">
      <UserHelpText>a digit</UserHelpText>
      <Parameters>
        <Parameter Id="CharacterSet">0-9</Parameter>
      </Parameters>
    </Predicate>
    <Predicate Id="Symbol" Method="IncludesCharacters">
      <UserHelpText>a symbol</UserHelpText>
      <Parameters>
        <Parameter Id="CharacterSet">##$%^&amp;*\-_+=[]{}|\\:',.?/`~"();!</Parameter>
      </Parameters>
    </Predicate>
  </Predicates>
<!--
</BuildingBlocks>-->
Thus, you can design your own SSPR user flow in Azure AD B2C using a custom policy and the user flow you define. Please see the links below for more information:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy#password-reset-policy-legacy
https://learn.microsoft.com/en-us/azure/active-directory-b2c/aad-sspr-technical-profile
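Added example, not part of the answer above: the predicates from that policy fragment transcribed to Python, so a candidate password can be checked against them offline and the same UserHelpText the B2C page would show can be produced. Two things here are assumptions of this example rather than statements from the page: how a CharacterSet value is interpreted (a backslash escapes the next character, and x-y between two unescaped characters is an inclusive range), and the rule that every predicate must pass. In a real policy the predicates are combined through PredicateValidations, which the fragment above does not show.

```python
"""Evaluate Azure AD B2C-style password predicates offline (added example)."""
from dataclasses import dataclass


@dataclass
class Predicate:
    id: str
    method: str        # "IsLengthRange" or "IncludesCharacters"
    help_text: str     # the UserHelpText shown when the predicate fails
    params: dict


# The five predicates from the policy fragment, transcribed as data.
PREDICATES = [
    Predicate("LengthRange", "IsLengthRange",
              "The password must be between 6 and 64 characters.",
              {"Minimum": 6, "Maximum": 64}),
    Predicate("Lowercase", "IncludesCharacters", "a lowercase letter", {"CharacterSet": "a-z"}),
    Predicate("Uppercase", "IncludesCharacters", "an uppercase letter", {"CharacterSet": "A-Z"}),
    Predicate("Number", "IncludesCharacters", "a digit", {"CharacterSet": "0-9"}),
    Predicate("Symbol", "IncludesCharacters", "a symbol",
              {"CharacterSet": r'''##$%^&*\-_+=[]{}|\\:',.?/`~"();!'''}),
]


def expand_character_set(spec: str) -> set:
    """Expand a CharacterSet spec such as 'a-z' or an escaped literal list.

    Assumption (this example's reading, not taken from the page): a backslash
    escapes the next character literally, and x-y between two unescaped
    characters denotes an inclusive range. So '\\-' is a literal hyphen and
    '\\\\' a literal backslash, which is exactly what the Symbol set needs.
    """
    tokens = []  # (character, was_escaped)
    i = 0
    while i < len(spec):
        if spec[i] == "\\" and i + 1 < len(spec):
            tokens.append((spec[i + 1], True))
            i += 2
        else:
            tokens.append((spec[i], False))
            i += 1

    chars = set()
    j = 0
    while j < len(tokens):
        c, escaped = tokens[j]
        is_range = (not escaped and j + 2 < len(tokens)
                    and tokens[j + 1] == ("-", False))
        if is_range:
            lo, hi = c, tokens[j + 2][0]
            chars.update(chr(k) for k in range(ord(lo), ord(hi) + 1))
            j += 3
        else:
            chars.add(c)
            j += 1
    return chars


def evaluate(password: str, predicates=PREDICATES) -> dict:
    """Return {predicate_id: passed} for each predicate."""
    results = {}
    for p in predicates:
        if p.method == "IsLengthRange":
            results[p.id] = p.params["Minimum"] <= len(password) <= p.params["Maximum"]
        elif p.method == "IncludesCharacters":
            allowed = expand_character_set(p.params["CharacterSet"])
            results[p.id] = any(ch in allowed for ch in password)
        else:
            raise ValueError(f"unsupported predicate method {p.method!r}")
    return results


def failures(password: str) -> list:
    """UserHelpText of every predicate the password fails (assumes all must pass)."""
    results = evaluate(password)
    return [p.help_text for p in PREDICATES if not results[p.id]]


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "Password!", "Ab1!", "passw0rd-"):
        print(repr(candidate), "->", failures(candidate) or "accepted")
```

The escaped hyphen and backslash in the Symbol set are the parts people get wrong when they re-implement this check on the client side; the test cases include both.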

What is the the openid-config url for a token generated by Azure Devops?

I'm trying to create an Azure API Management policy to validate JWT token. This token comes from our Azure Devops release pipeline. Does anyone know what the correct openid-config url is?
Here is a sample I took out from microsoft docs:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration" />
    <audiences>
        <audience>25eef6e4-c905-4a07-8eb4-0d08d5df8b3f</audience>
    </audiences>
    <required-claims>
        <claim name="id" match="all">
            <value>insert claim here</value>
        </claim>
    </required-claims>
</validate-jwt>
As far as I know, the openid-config url is independent of whether the token came from DevOps.
If you use Azure AD, you can use https://login.microsoftonline.com/{aad-tenant}/.well-known/openid-configuration (for the v1 endpoint) as the openid-config url. You can also use https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration (for the v2 endpoint) as the openid-config url. You can refer to this document.
But if you don't use Azure AD, you need to find the openid-configuration yourself.
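Added example, not from the answer above: a small Python helper that reads the iss and tid claims of the token you actually receive and derives the matching tenant-specific discovery URL from them, refusing anything it does not recognise. The sample tokens are constructed here with a filler signature, a placeholder tenant ID and made-up audiences; decoding the payload validates nothing, it only tells you which discovery document to fetch, after which the token must be verified against the keys at that document's jwks_uri. The example pins the tenant from the token instead of using the /common document, because the multi-tenant document's issuer is a template that matches every tenant.

```python
"""Derive the tenant-specific OpenID discovery URL from a Microsoft identity
platform token's issuer claim (added example)."""
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    Use this only to find out which issuer's discovery document to load;
    signature, exp, aud and issuer checks happen afterwards with those keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWS")
    return json.loads(_b64url_decode(parts[1]))


def openid_config_url_for(payload: dict) -> str:
    """Map the issuer to the matching tenant-specific discovery URL.

    v1 tokens:  iss == https://sts.windows.net/<tid>/
    v2 tokens:  iss == https://login.microsoftonline.com/<tid>/v2.0
    Anything else is refused rather than guessed; in particular the example
    never falls back to the /common document, whose issuer is a template.
    """
    iss = payload.get("iss", "")
    tid = payload.get("tid")
    if not tid:
        raise ValueError("token has no tid claim; cannot pin a tenant")
    if iss == f"https://sts.windows.net/{tid}/":
        return f"https://login.microsoftonline.com/{tid}/.well-known/openid-configuration"
    if iss == f"https://login.microsoftonline.com/{tid}/v2.0":
        return f"https://login.microsoftonline.com/{tid}/v2.0/.well-known/openid-configuration"
    raise ValueError(f"unrecognised issuer {iss!r} for tenant {tid}")


def make_sample_token(payload: dict) -> str:
    """Constructed sample token for demonstration only: the third segment is
    filler, not a signature, so nothing built here would pass validation."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not a real signature"),
    ])


# Placeholder tenant ID and audiences (constructed, not real identifiers).
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_V1 = make_sample_token({
    "iss": f"https://sts.windows.net/{TENANT}/",
    "tid": TENANT,
    "aud": "https://management.azure.com/",
})
SAMPLE_V2 = make_sample_token({
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "tid": TENANT,
    "aud": "api://contoso-release-gateway",
})


if __name__ == "__main__":
    for tok in (SAMPLE_V1, SAMPLE_V2):
        print(openid_config_url_for(decode_jwt_payload(tok)))
```

Fetching the returned URL and then validating the token against its jwks_uri (and against the issuer string that document publishes) is the part that belongs in the gateway; the helper only removes the guesswork about which document that is.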

AADSTS700016: UnauthorizedClient_DoesNotMatchRequest

Not sure if this is the right place to ask but... We have an older application that is set up to use SSO, currently Azure ADFS. I want to use login.microsoft.com url instead of our organizational url that has been used in the past.
I replaced the currently working links in web.config with the endpoints from Azure
<appSettings>
    <add key="FederationMetadataLocation" value="https://login.microsoftonline.com/dfmi.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml" />
</appSettings>
and
<federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="https://login.microsoftonline.com/0845a734g7-6d23-7c96-9f4x-3427v39n4sd5/wsfed/" realm="https://customdfmi.dfmi.net/" requireHttps="true" />
    <cookieHandler requireSsl="false" />
</federatedAuthentication>
I get to the sign-in page. When I put in the credentials it shows "AADSTS700016: Application with identifier 'https://customdfmi.dfmi.net/' was not found in the directory".
It is set up in Azure. Redirect URI is the exact copy of what's in web.config. What am I putting wrong in web.config? Do I need to put the Application ID somewhere in it? Any pointers would be great. Thanks!
Did you receive this message?
AADSTS700016
UnauthorizedClient_DoesNotMatchRequest - The application wasn't found in the directory/tenant.
This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have misconfigured the identifier value for the application or sent your authentication request to the wrong tenant.

Does Azure AD B2C expose a metadata endpoint as relying party?

AD FS is configured with custom policies as a claims provider on Azure AD B2C using either WS-Federation and SAML 1.1 or SAML 2.0.
Does Azure AD B2C expose a metadata endpoint as relying party which can be used by AD FS when configuring Azure AD B2C as a relying party?
I'm interested in both WS-Federation/SAML and SAML 2.0 metadata.
** Edited **
The following metadata url does not work: https://login.microsoftonline.com/te/<yourtenant>.onmicrosoft.com/b2c_1a_<yourpolicy>/Samlp/metadata
When the metadata is called the following error is returned:
Azure AD B2C does expose a metadata endpoint when using Custom Policies.
It can be found at this URL:
https://login.microsoftonline.com/te/<yourtenant>.onmicrosoft.com/b2c_1a_<yourpolicy>/Samlp/metadata
EDIT: B2C as a SAML RP is not officially supported at this time, however it is possible to enable it via custom policies. If you are interested in this feature, make sure to vote for it in order to support it and get updates on its progress.
There is no good documentation on how to do this outside of these docs:
Outdated walkthrough; complement it with the StackOverflow posts below.
Azure Active Directory - Custom Policy Error
Issue when calling New-CpimCertificate for Azure AD B2C custom policy
At the moment of writing, the SAML2 metadata endpoint works with this idptp=TechnicalProfile-id variable:
https://login.microsoftonline.com/te/<yourtenant>.onmicrosoft.com/b2c_1a_<yourpolicy>/Samlp/metadata?idptp=<TechnicalProfile-id>
This TechnicalProfile must have the following definitions:
<Protocol Name="SAML2"/>
<CryptographicKeys>
    <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_ADFSSamlCert"/>
    <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_ADFSSamlCert"/>
</CryptographicKeys>
P.S. Microsoft should really document these features.
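Added example, not from any of the posts on this page, serving both the SingleLogoutService question at the top and the idptp metadata endpoint in this answer: rather than guessing a Location, fetch the SP metadata B2C publishes and read the ACS, SLO and signing-certificate entries out of it, then run the checks an IdP administrator would want before trusting the registration. The XML below is a constructed sample shaped like an SPSSODescriptor; the tenant name contoso, the policy name B2C_1A_signup_signin and the certificate text are placeholders, not captured from a real tenant.

```python
"""Read endpoints and signing certificates out of SAML 2.0 SP metadata and
sanity-check them (added example, constructed sample data)."""
import xml.etree.ElementTree as ET  # for third-party metadata in production, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like the SPSSODescriptor returned from
# .../Samlp/metadata?idptp=<TechnicalProfile-id>. Tenant, policy and
# certificate value are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://login.microsoftonline.com/te/contoso.onmicrosoft.com/B2C_1A_signup_signin">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/te/contoso.onmicrosoft.com/B2C_1A_signup_signin/samlp/sso/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/te/contoso.onmicrosoft.com/B2C_1A_signup_signin/samlp/sso/assertionconsumer"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID, signing flags, SLO/ACS endpoints and signing certs."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    def endpoints(tag: str) -> list:
        return [
            {
                "binding": e.get("Binding"),
                "location": e.get("Location"),
                "index": e.get("index"),
                "is_default": e.get("isDefault") == "true",
            }
            for e in sp.findall(f"md:{tag}", NS)
        ]

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [
        c.text.strip()
        for kd in sp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for c in kd.findall(".//ds:X509Certificate", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "slo": endpoints("SingleLogoutService"),
        "acs": endpoints("AssertionConsumerService"),
        "signing_certs": certs,
    }


def check_metadata(info: dict) -> list:
    """Problems an IdP admin should refuse the SP registration for (empty list = fine)."""
    problems = []
    for e in info["slo"] + info["acs"]:
        if not (e["location"] or "").startswith("https://"):
            problems.append(f"non-HTTPS endpoint: {e['location']}")
    if info["authn_requests_signed"] and not info["signing_certs"]:
        problems.append("AuthnRequestsSigned=true but no signing certificate is published")
    if not info["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is not true")
    if not any(e["is_default"] for e in info["acs"]):
        problems.append("no default AssertionConsumerService")
    return problems


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_METADATA)
    for e in info["slo"]:
        print("SLO:", e["binding"], e["location"])
    for e in info["acs"]:
        print("ACS:", e["binding"], e["location"], "default" if e["is_default"] else "")
    print("problems:", check_metadata(info) or "none")
```

The signing certificate is the piece the IdP side most often forgets: if the SP publishes AuthnRequestsSigned="true" (as a profile with SamlMessageSigning configured would) but no cert, AD FS has nothing to verify the requests against, so the check flags it.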
