I'm building a webapp that uses Azure AD B2C authentication. I'd like to implement a feature such that any new user signing up always lands at a specific controller action. How should I configure my policies to ensure this. For example /account/newuser should be invoked everytime a new signup policy is executed.
Also, if I have the [Authorize] attribute set for an action and a new user lands there, how can i ensure that the sign up, not the sign in policy is executed?
There is a built-in claim "newUser" that you can select in the 'Signup'/'sign-up or sign-in' policy that is made exactly for this scenario.
This claim will be returned only once after the user sign-up. You can inspect the claim once the user get redirected to your application and if this claim exists with a value of "true" then redirect your user to the specific controller.
In your Azure B2C directory, select your sign-up policy --> Edit --> Application Claims then check the "User is new" as in the image below:
Related
I need to configure a SignIn (no SignUp) custom policy on an AAD B2C tenant, but I'm lacking the experience of the IEF to design/develop and test it properly. The policy should read (logically) as follows:
Present UI to user to enter email only (using a self-asserted TP?)
Use custom logic to determine whether the user represents a local account or to any of the known clients of ours. A single client could have multiple possible domains to be authenticated in the same IdP. The only option I know for doing this step is an external REST service, but this is something I would like to avoid if there is any other option to include custom login running inside the custom policy engine, using C#, JS, or event a simple dictionary from email domain to IdP domain.
Depending on the IdP automatically selected in step 2, branch to different journeys where the user will be sign-in
For local-account sign-in journey, the user will need to use MFA if he/she belongs to admin group. Only email, DisplayName, FirstName, LastName and UserId are needed as final claims.
For other IdPs I would have to add ClaimProviders and sub-journeys to allow for signing the users in
Finally the JWT Token should be issued to the relying party.
No storing back to AAD storage is required because there is no sign-up process. User are created from the application and invited (if local account) or already exist in their corresponding IdPs.
The wording you should look into is "home realm discovery".
There is a custom policy example on GitHub. However this example requires the application to provide the email hint. You need to extend it in a way that captures the email in a self-asserted step.
For scenarios where you need to implement a sign in journey, where the user is automatically directed to their federated identity provider based off of their email domain. And for users who arrive with an unknown domain, they are redirected to a default identity provider.
In this example, users who enter an email with the suffix contoso.com, they will be redirected directly to their federated identity provider to sign in. In this case that is Azure AD (SAML2).
Users who enter an email with the suffix facebook.com, they will be redirected directly to their federated identity provider to sign in. In this case that is Facebook (OAuth).
Where a user comes from an unknown email suffix, they will be redirected directly to a default identity provider, in this case that is Azure AD (OpenId).
This is another sample.
It first asks for the domain and then redirects to the appropriate IDP.
To add IDP, refer to this.
For MFA, start with the MFA starter pack.
I'm struggling to find an example of this or how to do it, I'm sure that it's possible. Below the the scenario
User directed to to custom policy
User asked for email address
Policy then checks the email address against a database (via Azure Function). This function will return the provider to use. At the moment either https://login.microsoftonline.com/organizations or b2c
If the function returns https://login.microsoftonline.com/organizations then direct to Microsoft Sign in (passing email as hint so it's already filled in). This will then return back to the B2C signin flow
If B2C is returned then authentication is carried out by the B2C
Once user is authenticated via microsoftonline or B2C returned to app as normal
I know that external functions can be called from a custom signin policy. However, it's the user journey where it will send of to microsoftonline to sign in or carry on with the normal B2C flow that I'm struggling with. This artical is close https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=app-reg-ga, however, I want this choice to be made dynamically based on return value from an Azure Function.
Hopefully, someone will understand what I'm talking about
We call this home realm discovery, see this sample:
https://github.com/azure-ad-b2c/samples/tree/master/policies/default-home-realm-discovery
The sample uses a lookup inside the B2C policy itself, with a claims transformation. But you could swap that out for a REST APi instead if needed.
We have a scenario where a logged-in user (SFA, authentication has been done by Azure policies) needs to do some high-value transactions.
To allow this, we need to throw an additional authentication challenge. (MFA)
If the user access was successful we need to enrich the token somehow to read in on the client-side.
Tried to use scopes for this scenario but as they set per application couldn't make it happen, any thoughts on how it can be implemented in Azure b2c?
Thanks
The usual approach is for the application to look at the "acr" claim. This claim tells the app which B2C Auth policy the user has last arrived with. Therefore, in your app implement this logic:
User clicks high risk item
App checks current token "acr" claim
If acr != "B2C_1_MFA", then redirect the user to authenticate via a sign in/up policy that has MFA enabled
You need to create a sign in/up policy with MFA enabled and the above logic to get this to work. The App only needs to know about the policy name to know if the authentication challenges have been satisfied.
If the user has already logged in when this B2C policy is executed, the built in Single Sign On will skip the user having to enter their credentials again, and instead will just need to complete the MFA step.
I have a multiple applications that use the same custom policy to authenticate user. In TrustFrameworkExtensions I defined two claims provider, one for local account and one for user of my company AD tenant (social account) , I have also a claims provider for retrieve custom attributes and for check if the user is enabled for the caller application, this claims provider is configured in user jorney like a orchestration step before the JWT token is created.
The API Application return claims with custom attributes if the user is enabled and return a response with HttpStatusCode.Conflict and error message if not.
How can show the error message in the login form before it back to the calling application?
PS: I have a custom UI login form
UPDATE
I found a right technical profile "SelfAsserted-LocalAccountSignin" and now works ! But I have 2 more questions.
1. In my api application, in input claims, extension property are missing , I think it's because the user not logged yet, is it possible obtain all claims ? If this isn't possibile I must read data in my api with Graph
by signinName.
2. My login form allows authentication as a local user and as a user of my company AD tenant (social account).
The ValidationTechnicalProfiles in "SelfAsserted-LocalAccountSignin"
works with local user only, I tried to configure a ValidationTechnicalProfiles for "SM-SocialLogin" TechnicalProfile but doesn't work
I have an asp.net web application that authenticates via Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also setup Custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and login with MFA. The issue is when I create a new user and force the user to change the password at their first login, instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the Sign-In policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify Custom UI for login page. Am I missing anything here and how can I make this work with the sign-up-sign-in policy.
Also is there any way to get the "Password" hint like the "Username" hint in the company branding ... Password hint is not available
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which once provided, will let them provide set their password.
There's already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the reset password URL /authorize/ url..