Social identity auth using Azure AD B2C for Google doesn't show permission request page but Facebook does.
Does anyone know why this is happening? Am i missing something here.
Azure AD B2C does not require consent.
The only consent experience you might go through in Azure AD B2C is when signing up / signing in with social accounts.
As part of setting up a social IdP in Azure AD B2C, you must register an application in the social IdP (see this example on how to do it for Facebook). Users will have to consent to that app in their social IdP the very first time the sign in. This consent enforced and maintained by the social IdP, so even if you delete the user in Azure AD B2C, recreating the user in Azure AD B2C using the same app registration will not re-trigger consent.
Related
How to login with MFA to a AZURE AD B2C App using the login url(URL given below) provided by microsoft?
Do we have any URL to validate users login with MFA Azure AD B2C?
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
That URL is only part of the flow.
The whole flow is here.
The easiest way to achieve this is to use one of the MSAL libraries.
MFA is not part of the OpenID Connect flow.
You have to add it.
I have set up Azure B2C as an IdP to an application that uses SAML 2.0 for federation. Currently, the user journey takes the user to the sign-in page where they can sign in with a B2C local account. The problem is I have federated users in the B2C tenant as well and these will of course have no passwords in B2C.
When the service provider redirects the user to B2C (IdP) to authenticate, is it possible to have, a ClaimsProviderSelection (button) for Azure AD (or any social IdP) on the sign-in page so that user can authenticate with a Federated Azure AD account or a social provider account instead of just a B2C local account? My thought is this "double federation" is not possible/supported.
What are my options?
Think I've misunderstood the issue, but if you just add social providers and/or AAD, and configure your user-journey for those providers they will appear as selectable IdPs? See here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers
Unless you mean 'account linking', which is fully supported. See https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/account-linking.
The problem I had was figuring out how to link a policy I had created for sign in using Azure Ad as Idp with another I created for SAML.
I was able to resolve this by creating a custom policy signup signin user flow (call this SignUpOrSignInPolicyA) with Azure AD federation (I had initially only used built-in sign in and sign up flow with Azure AD IdP). Then in the custom policy for the signup signin user flow that uses SAML (call this SignUpOrSignInPolicyB), I added a user journey from the previous policy and also referenced it in the Relying Party tags. Something like this:
<UserJourneys>
<UserJourney Id="SignUpOrSignInPolicyA">
...
</UserJourney>
<UserJourneys>
<RelyingParty>
<DefaultUserJourney ReferenceId=SignupSigninPolicyA/>
...
<RelyingParty>
So after being redirected from the SAML app to B2C for authentication, I am now able to use Azure AD federation instead of just a local account.
Is there a back-end API available to programatically authenticate the external user against the Azure AD B2C instance by passing in the user credentials from within a MVC web application (without showing the login page) as we do from a Native Client like console application?
Authentication through a back-api that accepts user credentials is achieved through the OAuth Resource Owner Password Grant.
Azure AD B2C does not support the "Resource Owner Password Grant" yet.
You can support this feature ask and get updates on its progress by voting for it in the Azure AD B2C feedback forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C.
When using Facebook as the IDP for Azure AD B2C, it appears that B2C isn't using the FB SDK correctly.
Using FB's guidelines found here, I would expect scenario 2 and 3 below to log out of Facebook:
A person logs into Facebook, then logs into your app. Upon logging
out from your app, the person is still logged into Facebook.
A person logs into your app and into Facebook as part of your app's
login flow. Upon logging out from your app, the user is also logged
out of Facebook.
A person logs into another app and into Facebook as part of the
other app's login flow, then logs into your app. Upon logging out
from either app, the user is logged out of Facebook.
When we log out of our application, Facebook is staying logged in, which is NOT the desired behaviour.
Similar question was asked previously on Technet.
Is there a way to make this happen, or is this feature on the B2C roadmap?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
Currently, Azure AD B2C does not disambiguate whether you were already signed-in to the external identity provider or signed in to it as part of signing in to Azure AD B2C, so it can only either always keep you signed in or always sign you out. The latter option is rather invasive, thus Azure AD B2C opts for keeping you signed in, which is in line with Facebook's #1 guideline.
You can request support for this more advanced detection and sign out logic via the Azure AD B2C feedback forum.
Note: This question is similar to: Azure AD B2C OpenID Connect single logout with WS-Federation and SAML claims provider
AD FS is configured with custom policies as a claims provider on Azure AD B2C using WS-Federation and SAML. The relying party on Azure AD B2C is using OpenID Connect.
Is it possible to do front-channel single logout initiated through OpenID Connect?
OpenID Connect Front-Channel Logout 1.0 - draft 02: http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html
Single logout is initiated from the relying party using OpenID Connect and continued through Azure AD B2C using WS-Federation and reaching the AD FS. Thereby terminating the session in both the relying party, Azure AD B2C and AD FS.
If so, how is that configured in Azure AD B2C with custom policies?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
That practice is highly discouraged as it's quite invasive on the end user and risks discouraging the user from doing SSO, rather opting for local accounts.
For example, if the user signed in using Facebook and then signs out of your application, they'll probably be very annoyed by the fact that they've also been signed out of Facebook and after enough times of this happening, might give up on SSO using Facebook and just create a local account that doesn't messes up their experiences elsewhere. A similar case could be made for business customers that, by signing out of your app, also get signed out of all of their other business apps.
All that said, you can still request support for this via the Azure AD B2C feedback forum.