Adding privacy policy to custom ui on azure b2c app - azure

I'm using custom policies on my Azure AD B2C app. And I am using a custom UI passing a reference to a UI hosted on my server like this on my sign-up/sign-in policy:
<BuildingBlocks>
  <ContentDefinitions>
    <ContentDefinition Id="api.signuporsignin">
      <LoadUri>https://MyURL/index.html</LoadUri>
    </ContentDefinition>
  </ContentDefinitions>
</BuildingBlocks>
This is working. But now I want to add an HTML link element to my custom UI with the URL of my Privacy Policy, and that element is not showing up when I execute my policy. Everything is showing up except that link.
Could it be some cache on Azure that is using the old custom UI? Or is there something I'm missing?

Try:
<div id="api">
  <!-- Leave this element empty because Azure AD B2C will insert content here. -->
</div>
<!-- URL goes here, outside of the API div above -->
Privacy policy
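A quick check for the layout the answer describes, written for this page and not code from the original post: it parses a custom UI page and reports every element that sits inside the api div, which Azure AD B2C overwrites at runtime. Both sample pages and the example.invalid link are constructed.

```python
from html.parser import HTMLParser

# Constructed sample: the privacy link sits outside the api div, as the answer advises.
GOOD_PAGE = """<html><body>
<div id="api"><!-- Azure AD B2C inserts content here --></div>
<a href="https://example.invalid/privacy">Privacy policy</a>
</body></html>"""

# Constructed sample: the link was placed inside the api div, so B2C replaces it.
BAD_PAGE = """<html><body>
<div id="api">
  <a href="https://example.invalid/privacy">Privacy policy</a>
</div>
</body></html>"""


class ApiDivAudit(HTMLParser):
    """Collect the tags nested inside <div id="api">; B2C replaces that subtree at runtime."""

    def __init__(self):
        super().__init__()
        self.depth = 0            # div nesting depth inside the api div (0 = outside it)
        self.api_div_found = False
        self.overwritten = []     # tags that disappear when B2C injects its own content

    def handle_starttag(self, tag, attrs):
        if self.depth > 0:
            self.overwritten.append(tag)
            if tag == "div":
                self.depth += 1
        elif tag == "div" and dict(attrs).get("id") == "api":
            self.api_div_found = True
            self.depth = 1

    def handle_endtag(self, tag):
        if tag == "div" and self.depth > 0:
            self.depth -= 1


def audit_custom_page(html_text):
    """Return (api_div_present, tags inside the api div). Anything listed will not render."""
    parser = ApiDivAudit()
    parser.feed(html_text)
    parser.close()
    return parser.api_div_found, parser.overwritten


if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        print(name, audit_custom_page(page))
```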

Related

Azure AD B2C CombinedSignInAndSignUp with social IDP section on sign-up page

I am currently creating a sign-up (CombinedSignInAndSignUp) page using custom policies. I was wondering if it is possible to have a sign-up page with the social IDP selection (Facebook, LinkedIn) and a SignUpWithLogonEmailExchange button.
Based on the social IDP you are selecting, you have to create a different technical profile for each.
Technical profiles are the mechanisms used to interact with the party (Facebook/LinkedIn) defined within a ClaimsProvider definition, whereas a ClaimsProvider defines a party that the custom policy interacts with.
To configure LinkedIn as an identity provider:
In the extension file of your policy, define a LinkedIn account as a claims provider by adding it to the ClaimsProviders element.
Open the SocialAndLocalAccounts/TrustFrameworkExtensions.xml file in your editor and find the ClaimsProviders element.
If the ClaimsProviders element does not exist, add it under the root element.
Add a new ClaimsProvider.
Replace the value of client_id with the client ID of the LinkedIn application and save.
To configure Facebook as an identity provider:
In the SocialAndLocalAccounts/TrustFrameworkExtensions.xml file, replace the value of client_id with the Facebook application ID:
<TechnicalProfile Id="Facebook-OAUTH">
  <Metadata>
    <!-- Replace the value of client_id in this technical profile with the Facebook app ID -->
    <Item Key="client_id">00000000000000</Item>
  </Metadata>
</TechnicalProfile>

Having issue with Single Sign On configuration in a custom policy for Azure ADB2C

I have two different redirect URIs in my webapp, like localhost:4200 and localhost:4201. I am trying to have single sign-on for these two. Based on this document https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior, I changed my session behavior and SSO configurations and added a UserJourneyBehaviors element inside the RelyingParty element. It is still asking me to sign in to localhost:4201, though I have signed in to localhost:4200.
<UserJourneyBehaviors>
  <SingleSignOn Scope="Tenant"/>
  <SessionExpiryType>Absolute</SessionExpiryType>
  <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
  <ScriptExecution>Allow</ScriptExecution>
</UserJourneyBehaviors>

Adding Application Claims from User Flow into AAD B2C Custom Policy

This is the Azure B2C User Flow's Application claims page, where I can tick Email Addresses and save it.
UserFlow Application Claims
How can I do this in a custom policy? I am trying to add multi-tenant login to AAD B2C via custom policies, and I need to select this 'Email Addresses' option in the Application Claims of the User Flow.
How can I select or activate this same 'Email Addresses' claim in the custom policy XML files?
So far I tried adding <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" /> to the technical profiles, but still no luck.
The claim you want is "preferred_username".
Try to add <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="preferred_username" />.

How to test a custom global exception page for azure ad b2c?

I am using custom policies and I have defined the location of the custom exception page as follows:
<ContentDefinition Id="api.error">
  <LoadUri>https://{Settings:BlobStorageAccount}.blob.core.windows.net/{Settings:BlobContainer}/html/global_exception.html</LoadUri>
  <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  <DataUri>urn:com:microsoft:aad:b2c:elements:contract:globalexception:1.2.0</DataUri>
  <Metadata>
    <Item Key="DisplayName">Error page</Item>
  </Metadata>
</ContentDefinition>
However, how do you go about triggering an internal API exception within Azure AD B2C to see this page in action? I also tried using a default user policy and adjusting the location, but there doesn't seem to be a way to view the page that way either.
You can set the client_id parameter in the authorization request to an unknown value; this should display the error page with the following text:
AADB2C90018: The client id '<client_id>' specified in the request is not registered in tenant '<your_tenant_name>.onmicrosoft.com'.

Azure B2C Custom Policies local account KMSI doesn't keep me signed in

I implemented the steps in the example, all of which worked as expected to this point, and then I followed the instructions to enable KMSI.
When testing via Identity Experience Framework -> Custom Policies -> B2C_1A_signup_signin -> Run, I can switch on the "Keep me signed in" tickbox when signing in. However, when I close this window (or keep it open, for that matter) and run the custom policy again, it asks me to sign in again ("Keep me signed in" shows unticked).
I have triple-checked the changes in the tutorial and example and can't see any difference (other than that in the example I don't have LoadURI and RecoveryURI).
I note I have not made changes as per ContentDefinitions and only followed the instructions in Enable KMSI, because I didn't think that was a requirement in the tutorial.
Please give me some guidance on what may be wrong. Thank you for your help.
You are using the wrong method to test the KMSI feature.
If you "Run the custom policy again", it will always ask you to re-enter your credentials, which is by design.
You should follow the steps of Test your policy.
You can close the window after you sign in for the first time.
And then follow steps 4, 5 and 6:
Go back to the Azure portal. Go to the policy page, and then select Copy to copy the sign-in URL.
In the browser address bar, remove the &prompt=login query string parameter, which forces the user to enter their credentials on that request.
In the browser, click Go. Now Azure AD B2C will issue an access token without prompting you to sign in again.
UPDATE:
You don't need to replace the SignUpOrSignin.xml and TrustFrameworkExtensions.xml. Just refer to my changes:
Add the following code snippet into the BuildingBlocks element in TrustFrameworkExtensions.xml.
<ContentDefinitions>
  <ContentDefinition Id="api.signuporsignin">
    <LoadUri>~/tenant/default/unified.cshtml</LoadUri>
    <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
    <DataUri>urn:com:microsoft:aad:b2c:elements:unifiedssp:1.1.0</DataUri>
    <Metadata>
      <Item Key="DisplayName">Signin and Signup</Item>
    </Metadata>
  </ContentDefinition>
</ContentDefinitions>
And then add the following node as a child of the element. It must be located immediately after <DefaultUserJourney ReferenceId="User journey Id" />.
<UserJourneyBehaviors>
  <SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
  <SessionExpiryType>Absolute</SessionExpiryType>
  <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
</UserJourneyBehaviors>
These are all the changes that need to be made.
You don't need to remove &prompt=login in the files. Please see my screenshot above. After you copy the sign-in URL, it will look like this:
https://**.b2clogin.com/**.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_SignUpOrSignIn&client_id=**&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login
Just remove the &prompt=login at the end of the URL and access it in a new window.
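An added consistency check for the RelyingParty changes in this answer (not code from the answer itself): it verifies that UserJourneyBehaviors immediately follows DefaultUserJourney with a non-zero KeepAliveInDays and a valid SessionExpiryType, and it strips prompt=login from a copied sign-in URL. The sample policy file and the contoso sign-in URL are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"

# Constructed RelyingParty file carrying the UserJourneyBehaviors block from the answer.
SAMPLE_POLICY = f"""<TrustFrameworkPolicy xmlns="{NS}" PolicyId="B2C_1A_signup_signin">
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
      <SessionExpiryType>Absolute</SessionExpiryType>
      <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile"><Protocol Name="OpenIdConnect" /></TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>"""

# Constructed sign-in URL in the shape the portal's Copy button produces (placeholder tenant/client).
SIGNIN_URL = ("https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
              "?p=B2C_1A_SignUpOrSignIn&client_id=00000000-0000-0000-0000-000000000000"
              "&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid"
              "&response_type=id_token&prompt=login")


def q(tag):
    return f"{{{NS}}}{tag}"   # qualify a tag with the TrustFrameworkPolicy namespace


def check_kmsi(xml_text):
    """Return a list of findings on the RelyingParty KMSI/SSO settings; empty means OK."""
    findings = []
    rp = ET.fromstring(xml_text).find(q("RelyingParty"))
    if rp is None:
        return ["RelyingParty element missing"]
    tags = [child.tag for child in rp]
    if q("DefaultUserJourney") not in tags:
        return ["DefaultUserJourney missing"]
    i = tags.index(q("DefaultUserJourney"))
    if tags[i + 1:i + 2] != [q("UserJourneyBehaviors")]:   # placement rule from the answer
        return ["UserJourneyBehaviors must immediately follow DefaultUserJourney"]
    ujb = rp[i + 1]
    sso = ujb.find(q("SingleSignOn"))
    if sso is None:
        findings.append("SingleSignOn element missing")
    elif int(sso.get("KeepAliveInDays", "0")) <= 0:
        findings.append("KeepAliveInDays is 0 or absent, so KMSI has no session to keep alive")
    if ujb.findtext(q("SessionExpiryType")) not in ("Absolute", "Rolling"):
        findings.append("SessionExpiryType must be Absolute or Rolling")
    return findings


def strip_prompt_login(url):
    """Drop prompt=login from a copied sign-in URL so the existing B2C session is reused."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "prompt"]
    return urlunsplit(parts._replace(query=urlencode(query)))
```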
