We have a web application implemented in Java/JSP and Azure AD single-sign-on authentication has been implemented using OpenID connect protocal. And the sign-in approach is working as expected, but the major issue is with sing-out. While signing out the user we are following the below approach.
1) User clicks sign-out button.
2) He will be redirected to application application sign-out page.
3) Clear the application session in sign-out page.
4) Then redirecting the user to Azure AD logout page, see below URL...
https://login.microsoftonline.com/common/oauth2/v2.0/logout?
post_logout_redirect_uri=our_application_sign_out_success_page
The above approach is working as expected, but the problem is, if user copy and paste above URL in the browser tab when the user have a valid session in another browser tab, his AD session is getting cleared.
But the expected behavior is, the logout should happen only when user clicks the sign_out button.
This is expected behavior, the server is not able to detect whether the request is sent from clicking or paste in the address bar and navigate manually. And the server should'n care where is the request from, it only do the job you told it.
And if you have other applications also using the Azure AD as the identity data provider, the sign-out request will not affect the other applications when you sign-out from your web application. Also if you want to implement the single sign-out, you have to implement LogoutUrl in the web application and register it on the Azure portal.(refer here)
Related
According to the documentation here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-profile-editing-policy?pivots=b2c-custom-policy. The profile edit flow will show the Sign-up or sign-in page, if there are no active session. If the session is active, then Azure AD B2C authorizes the user, and skips to the next step.
However, if I understand correctly, this 'session' would be in the form of a cookie right? If that's the case, what would happen with mobile apps?
Mobile app doesn't use cookies. After login in, they only have the id token, access token and refresher token. So if a user is logs in on an app, and then to do a profile edit flow, how would the app tell the browser that the user is already logged in?
If you are using the web view redirect flow, a cookie is set in the web view which then gives SSO for profile edit. You don’t need to configure anything in B2C to make it behave like this, it’s default.
I have a single claims provider in my Azure B2C custom policy - an SSO with our Azure Active Directory (AAD).
I can see that when there is only a single claims provider then B2C does not bother with presenting the B2C login page with only one button - rather it takes you directly to login with the only provider you have configured.
This presents me with the following problem because I, and many of my Company's users, am automatically logged in to the AAD. When I log out of the application that is secured by B2C the logic is to return to the B2C login page but instead it straight away logs me back in again.
What I would like is to log out and be presented with the login screen, rather than automatically being logged in again. I can change the app so that on logout you are actually redirected to a "you have been logged out" page, but this is not desirable.
How can I "force" the login page to show even though there's only one option available to the user?
In OpenID Connect you add prompt=login to force authentication when redirecting to the B2C Policy.
There is an equivalent parameter for SAML. I don't know if the built-in flows will propagate this, but if you are doing custom policy you certainly can go back to the federated identity provider and force authentication again.
See the prompt parameter here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-the-sign-in-request
I have created azure ad b2c custom sign-in policy with KMSI(keep me sign in) option, and using it in blazor server application,
But automatic sign in not working after browser close, Need to click 'Login' button.
After click login button no need to enter credential again, if at the time of previous sign-in KMSI check box checked.
But I want to sign-in automatically if at the time of sign in KMSI check box checked.
Could you check the authorization request the app sends to Azure AD B2C, whether it contains the prompt=login query string parameter? If yes, please make sure to remove this param.
This is expected, your app cookie is not persisted, so the app has no idea you’re still logged in at B2C. Therefore you have to click login in the app and then you get SSO through AAD B2C.
You could maintain a cookie set by the app to automatically send the user via the login endpoint if they had signed in previously with KMSI. You can use a claims resolver to send the KMSI claim into the token so your app can understand the user logged in with KMSI.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
I tested KMSI functionality on my side, and I can repro your symptom. My test is based on this demo: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
This is my test process below:
Registering a local account.
Login by this account, and enabled KMSI
I logged in successfully:
Close the browser, reopen it and got to my app index, my index page is allowed to be visited by anonymous, so it not knows who am I: I think this is the issue that you are concerned about:
But when I click “Claims” tag which users are needed to be authenticated, it redirected to my b2c domain :
As I enabled KMSI, so there is a cookie under my b2c domain:
As this cookie exists, B2C will provide me with the resource I requested for: b2c side sends a request to redirect URL with id token and code :
Finally, it redirected to “Claim” page and this app knows who am I :
In a word, there are two kinds of sessions here: a session between user and B2C and a session between the user and your application.
Once you close your browser, by default, you will lose the cookie that user on your application, so users access to some page with no auth needed of your app after reopening the browser, there will be no cookie, your application not know the user. But on the B2C side, this cookie will be persisted there due to KMSI. Only users request some functionality needs to be authenticated on your app, users will be redirected to the B2C domain and B2C will send users’ information to your app will make KMSI work.
In my opinion, maybe extending the lifetime of your application cookie will be a solution here. At the same time, you also need to expand session timeout to make sure that your application could recognize that long lifetime cookie. But as we know, it will be a high consumption for server RAM if it holds lots of sessions.
I have an application that uses Azure B2C.
If the starting point for a user is my application, it's easy to add an external identity provider, such as Facebook or Google.
It would follow the standard OAuth flow of:
Go to my site
Click login
Get redirected to B2C
Click the Facebook button and log in
B2C returns authenticated user details to my site.
However, I now have the situation where my site is not the starting point.
The flow is:
User is logged in at 'Company A'
User clicks a button to go to my site
An authentication step occurs automatically
User is now authenticated on my site.
If I were in charge of Authentication (using ASP.NET Identity, for example), 'Company A' could call an API on my site with a single use code, I could send back the token. Then when the user was redirected, I could get that token back from 'Company A'.
However, not being in charge of the auth step, I'm having trouble.
I don't think we want to be using a SAML flow (different spec). The SSO Session Overview doesn't seem to be of much help. There might be something in custom policies that can do this, but I'm lost.
I think the doc I need might need is 'Pass an access token though a custom policy', but the fact they use Facebook in the example confuses me, as facebook wouldn't be calling Azure B2C, or Passing me anything about Facebook that I can use to send to B2C.
So, using Azure B2C, how can I get a user who is logged into another site to be logged in to my site automatically please?
We're using Azure Active Directory with Federated Authentication. This is working without a problem - but we need the ability to have users sign in with credentials other than their logged in Windows credentials.
What happens right now is
User navigates to our web app and the Azure ADAL for JavaScript attempts to log in
The user is redirected to https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxx&redirect_uri=xxxx&client-request-id=xxxx&x-client-SKU=Js&x-client-Ver=1.0.2&nonce=xxxx
The user is presented with a username and password box.
Upon entering the username (even if it is someone else's username) (as soon as focus is lost from the username textbox), the page shows
It looks like this email is used with more than one account from
Microsoft. Which one do you want to use? Work or school account Work
or school account Assigned by your work or school
Upon clicking "Work or school account", the user is presented with
Redirecting We're taking you to your organization's sign-in page.
The page redirects to the url
https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
The user is automatically logged in using their active Windows credentials (even if they entered a different username on the previous page).
If I navigate to the URL https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1 using a Windows session with a non-domain (local) account, I get a standard Integrated Authentication prompt
So - it seems like our ADFS server is using Integrated Windows Authentication on an IIS Website.
My question is - how can I allow the user to log in as a different domain user for the web app. Is there a special ADFS login URL I can use? And if so, how do I tell the Azure app to use that URL. Or is there a way to disable Integrated Authentication in some other way, on demand?
Thank you.
UPDATE:
I see that if I point the ADFS URL to the basic auth endpoint
https://ds1.mydomain.com/adfs/ls/auth/basic/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
I am prompted for basic authentication (exactly what I want)...so how do I tell my Azure AD or Azure AD App what login URL to use? And how can I control it conditionally?
You would need to either remove AD FS from the Local Intranet zone on the relevant machines so they prompt, or better, look in to the User Agent based targeting in AD FS and configure those machines to send a User Agent that triggers Forms Based AuthN.
Have a look at https://technet.microsoft.com/en-us/library/dn727110.aspx for more info on this.
Answer is actually pretty simple (with some help from Fiddler):
Add &prompt=login to the query string generated by the ADAL JavaScript when redirecting to login.microsoftonline.com. This causes the MS portal to redirect to the ADFS Forms Auth URL instead of the one using integrated security.