I have 2 sites using Azure AD B2c for authentication. One site is embedded in the other using an iFrame. Independently, auth works fine for each, but when inside an iframe, the site is unable to access the login page because it disallows iframes. I really just need SSO to work but I can't find any documentation on how to do this.
We already faced this topic and were not able to solve it directly.
Right now / during preview this is not supported.
You really have to put your sign in / sign up web pages into B2C custom templates (to have your desired look and feel) and forward to the respective policies from your web site.
Related
I am new to Azure AD. I have to implement two websites which uses Azure Single Sign On feature to login. I have gone through few documents and blogs but it wasn't helpful enough. Could anyone suggest me a relevant document or approach for beginners.
This approach I am using:
I made a new tenant.
Made a app in app registration
Assigned the users through Enterprise Application changes
But now i have to add another website to webapp and then make sure if user logs in anyone of those then it should automatically get logged in other website as well.
When you have multiple applications in your organization, it's better to use Azure AD and you are on the right path.
To configure an application for SSO there are multiple ways. Based on your requirement you can choose any SSO protocol from below for authentication.
There are protocols like OpenID Connect, OAuth, SAML, password-based etc. to configure SSO.
As you have two websites, register two webapps in Azure AD and configure SSO
While registering the webapps, make sure to add redirect URI or Reply URLs of those two websites respectively.
Make sure both webapps are using same SSO protocol.
As mentioned in the comment by #Anand Sowmithiran, while the user is authenticating, the login flow will detect that user is already authenticated and will provide the token seamlessly.
For more in detail, please refer below links to get some idea:
Can I use Azure for SSO to multiple websites - Microsoft Q&A
single sign on - SSO with multiple azure web apps - Stack Overflow
Azure AD B2C let you set up just one Facebook login. But what happens when you want to connect to the same b2c directory more than one web app. Facebook forces you to insert logo and policy.
If I have two web apps, I would need to have the chance to setup 2 different facebook logins with different policy and logo. I can do on facebook developer, but seems azure b2c supports just one.
is there a way to achieve that? Maybe using open id account?
Thanks.
You would need to add it as a custom OIDC provider. Or otherwise use custom policies where you can define as many as you like.
I registered one existing .NET application in Azure AD enterprise application for SSO. When i access this application using external URL, it prompts me for Microsoft Sign-in. Is there a way to avoid Microsoft Sign-in page? In few online article, i found to pass "domain_hint" in sign-in URL. Let me know if there is as way to setup domain hint in sign-in URL while registering enterprise app.
You can enable true single sign-on through the process highlighted in this Microsoft document (published one week ago). You can use a domain-joined device so that the users can sign on silently and do not need to enter a username and password. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Please see the quick start guide as well. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
The way you make use of Domain_Hint will depend on a few details about your application -
What protocol you use to talk to your Azure AD?
Depending on the protocol, you'll need to pass the domain hint in the sign in URL for your application as shown below:
WS-Federation: whr=contoso.com in the query string.
SAML: Either a SAML authentication request that contains a domain
hint or a query string whr=contoso.com.
Open ID Connect: A query string domain_hint=contoso.com.
Whether your application is single-tenant or multi-tenant?
If it's single tenant, then it's simple - pass the domain hint for domain of one tenant that uses this application.
If it's multi tenant, then it needs to be conditional and you need to know the tenant before hand so you can pass the hint correctly to sign-in URL. For example, if the URL hit by each tenant is different, then that could help you.. Look at this part in the Microsoft documentation..
For example, the application "largeapp.com" might enable their
customers to access the application at a custom URL
"contoso.largeapp.com." The app might also include a domain hint to
contoso.com in the authentication request.
Here are the 2 best Microsoft documentation Links on this topic that I came across:
Domain Hints
Using Azure AD to land users on their custom login page from within your app
I'm building an ASP Net Core 2.1 website using Azure AD B2C based on this example code. However, I am using the Microsoft-recommended b2clogin.com domain because the microsoftonline.com domain is being deprecated.
During signup, after the identity provider authenticates successfully, it should redirect the user to an Azure AD B2C generated page where the user fills in some additional fields. Those fields drawn from the standard attributes offered by Azure AD B2C (i.e., I haven't defined any custom attributes). Everything works as expected with Microsoft Account authentication.
However, when authenticating against Google, there is no redirect back to that Azure AD B2C generated page. Instead, the user is sent to the default page of the site.
I thought I set the proper redirect uri in the Google Cloud Console:
But since the redirect is not working, I'm wondering if I need to set it somewhere else.
Turns out the problem was caused by the fact that I had completely filled out the custom attributes page when logging in via the Google identity provider, but not the Microsoft Account identity provider. So all Google cared about was authenticating me, and then tossing me back to my app.
Microsoft, OTOH, needed me to fill out all the required custom fields, so it sent me to the custom attribute page.
I had mistakenly assumed authentication always took me to the custom attribute page, but that's not the case.
I am using Azure 'B2C', and users are creating successfully in B2C. And I am using dynamic web apps. ie, there is number of web apps are present.
sssss01.example.com
sss2.example.com
wwwss2.example.com........
When a user want to login using B2C, it's successfully login, but it reply url is not correct. I checked in azure, B2C app not supporting wildcard(*). So Is there any option to add wildcard, or any other method to manage pragmatically ?
Sign in reply url is different for different web apps.
Wildcard redirect URLs are not supported in OAuth2. See: why are redirect URLs fully qualified.
Unfortunately, we can't manage B2C programmatically.
You can upvote this item on User Voice and subscribe to stay updated: https://feedback.azure.com/forums/169401-azure-active-directory
Others have suggested this same feature but the User Voice forum appears to be down right now.