Configure SAML SSO with Azure AD B2C and PingOne IdP

I have an application that uses OAuth to sign users in with my Azure AD B2C tenant. Now I want my app to have a button that links the user to a third-party application from my website, and I want to authenticate that user to the third-party application using SAML, with my Azure AD B2C tenant acting as IdP and sending SAML to the third party on the user's button click.
Is this scenario possible?

Yes, it is possible. What you mean is SAML as RP.
In the SAML-as-RP case:
B2C acts as IdP
B2C accepts SAML requests
B2C sends SAML assertions as output
I can help you if you get stuck anywhere...

Yes you can do this with B2C custom policies.
Your logon page will now have two buttons:
Normal B2C auth
SAML auth to third party

Related

Azure AD B2C MFA and remember device

How to log in with MFA to an Azure AD B2C app using the login URL (URL given below) provided by Microsoft?
Do we have any URL to validate a user's login with MFA in Azure AD B2C?
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
That URL is only part of the flow.
The whole flow is here.
The easiest way to achieve this is to use one of the MSAL libraries.
MFA is not part of the OpenID Connect flow.
You have to add it.

Q: Azure AD B2C: SAML IDP initiated to OpenIdConnect, is it possible?

Trying to set up a custom policy in my Azure AD B2C tenant, I need to communicate with an external IdP using SAML IdP-initiated sign-on, so the client can navigate to their dashboard and click "my app", which goes against my B2C tenant, authenticates the user and sends them to my application using OpenID Connect. It is required for me to integrate using SAML between my client's dashboard and my B2C tenant.
I used this article as a basis to create my custom policy using SAML. SP-initiated (through my app in Azure AD B2C) works, but now I need to get it working IdP-initiated.
Also found this idp-initiated sample, but here I have 2 problems:
This is setting up "my app" as SAML application (protocol in my RelyingParty, not what I want)
If I change that one to use "OpenIdConnect" which is desired in my RelyingParty I get the following error in my logs:
Policy '< myPolicyName >' in tenant '< myTenant >' does not have a
supported relying party protocol"
So I'm wondering at this point: is this something that's supported? I also found this unsupported-saml-modalities page in the documentation, and the last bullet point says:
Identity provider-initiated sign-on, where the identity provider is Azure AD B2C.
So, not really sure if what I'm trying to accomplish is valid; any help?
It's not possible; an IdP-initiated flow cannot respond to an OIDC relying party, only a SAML relying party.
Secondly, as the doc states, the IdP must be B2C, and will not work for an external IdP federated to B2C.

Convert a JWT token into SAML assertion in Azure AD B2C

We have an application using Azure AD B2C which gets user claims as JWT. We have a requirement to integrate Oracle Finance app within the application using Single Sign On (SSO).
Basically, I tried the steps in the following document and was able to get SAML assertion:
Register a SAML application in Azure AD B2C
But the above would require users to sign in again using B2C. We want the signed in users to be able to reach Oracle Finance application without logging in again.
Is it possible to convert the received JWT token into SAML assertion to be passed to Oracle application?
By default, if you login to one OIDC app via B2C policy, then try to login to a SAML App, you will automatically get SSO as long as the Identity Provider used to sign in is available in both policies. Make sure you are not passing any prompt parameter or forceauthn parameter to B2C.
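As an added example (not code from the thread), the following script checks the two sign-in requests the answer above talks about: it flags an OIDC authorize URL that carries `prompt`, and a SAML AuthnRequest (HTTP-Redirect binding) that carries `ForceAuthn="true"`, either of which makes B2C re-challenge the user instead of reusing the session. The tenant and policy names in the endpoint URLs are placeholders and the AuthnRequest is a constructed sample.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Placeholder endpoints following the B2C URL layout, not a real tenant.
OIDC_AUTHORIZE = "https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signin/oauth2/v2.0/authorize"
SAML_LOGIN = "https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signin_saml/samlp/sso/login"

def oidc_sso_blockers(authorize_url: str) -> list[str]:
    """Any `prompt` value makes B2C ignore the existing session for this request."""
    params = parse_qs(urlparse(authorize_url).query)
    prompt = params.get("prompt", [""])[0]
    return [f"OIDC request carries prompt={prompt}"] if prompt else []

def encode_redirect_saml_request(authn_request_xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(authn_request_xml.encode("utf-8")) + deflater.flush()
    return base64.b64encode(deflated).decode("ascii")

def build_saml_login_url(authn_request_xml: str) -> str:
    """Builds the redirect URL an SP would send the browser to (used for the sample)."""
    return f"{SAML_LOGIN}?SAMLRequest={quote(encode_redirect_saml_request(authn_request_xml), safe='')}"

def decode_redirect_saml_request(login_url: str) -> str:
    raw = parse_qs(urlparse(login_url).query)["SAMLRequest"][0]  # parse_qs URL-decodes
    return zlib.decompress(base64.b64decode(raw), wbits=-15).decode("utf-8")

def saml_sso_blockers(login_url: str) -> list[str]:
    """A ForceAuthn="true" AuthnRequest makes B2C re-challenge the user."""
    root = ET.fromstring(decode_redirect_saml_request(login_url))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("SAMLRequest is not a samlp:AuthnRequest")
    if root.get("ForceAuthn", "false").lower() == "true":
        return ['SAML AuthnRequest carries ForceAuthn="true"']
    return []

# Constructed sample: an SP that (wrongly, for SSO) demands fresh authentication.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed-1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" ForceAuthn="true" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs"/>'
)

if __name__ == "__main__":
    print(oidc_sso_blockers(OIDC_AUTHORIZE + "?client_id=app&response_type=code&scope=openid&prompt=login"))
    print(saml_sso_blockers(build_saml_login_url(SAMPLE_AUTHN_REQUEST)))
```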

B2C Logout not calling a SAML IdP

I have a B2C successfully logging in to a B2C. B2C is configured to use a SAML IdP, which it does on login. However, a logout message to B2C results in B2C calling back to the application's logout URL but not to the SAML IdP. The user thus effectively stays signed in to the IdP and is never re-challenged on new logins to B2C. Is there something that needs to be set up in the policy for that?
In my own experience, single sign-out is only supported by Azure AD B2C for the Microsoft Account identity provider (where the identity provider session is ended using a hidden iframe), not for any other identity providers.

Azure AD B2C OpenID Connect single logout with WS-Federation and SAML claims provider

AD FS is configured with custom policies as a claims provider on Azure AD B2C using WS-Federation and SAML. The relying party on Azure AD B2C is using OpenID Connect.
Is it possible to do front-channel single logout initiated through OpenID Connect?
OpenID Connect Front-Channel Logout 1.0 - draft 02: http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html
Single logout is initiated from the relying party using OpenID Connect and continued through Azure AD B2C using WS-Federation until it reaches AD FS, thereby terminating the session in the relying party, Azure AD B2C and AD FS.
If so, how is that configured in Azure AD B2C with custom policies?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
That practice is highly discouraged as it's quite invasive on the end user and risks discouraging the user from doing SSO, rather opting for local accounts.
For example, if the user signed in using Facebook and then signs out of your application, they'll probably be very annoyed by the fact that they've also been signed out of Facebook, and after enough times of this happening, they might give up on SSO using Facebook and just create a local account that doesn't mess up their experience elsewhere. A similar case could be made for business customers who, by signing out of your app, also get signed out of all of their other business apps.
All that said, you can still request support for this via the Azure AD B2C feedback forum.
