Is it possible for a user to authenticate with Azure B2C without going to Microsoft login?

I'm aware of the limitation of B2C that dictates that it doesn't support daemons/server-side applications authenticating non-interactively.
https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-limitations/
In my case, I have a user on my application who is available to enter their details, but I want complete control of the journey; I don't want to have to redirect to https://login.microsoftonline.com etc. to acquire the token.
I know the B2C Azure portal allows you to provide a static HTML page as a template for the login page, but this isn't good enough for my scenario.
My guess is this isn't currently supported but eventually will be.

I think that is not possible due to the nature of the service. Full control of the pipeline is possible when you use a service that provides such capabilities out of the box. Here, it is more like the user is "isolated" from some of the boilerplate functionality, which is sometimes the benefit.
If you need full control, I think that you will need to use something like Windows Identity Foundation and federated authentication, which may be customized.

The type of authentication you are asking for is the resource owner password credentials flow. Right now, it is in scoping and they said it will be released by summer 2017. Note: it supports only local accounts, not any external providers like FB, Google etc.
For more details see https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13817784-add-support-for-resource-owner-password-credential
You can upvote and let the team work on it.

Related

Microsoft Identity Platform Multitenant Restrictions

I am currently developing an Azure Web App which uses the Microsoft identity platform. Everything works fine as a single- and multi-tenant application. I only have one big problem, for which I did not find any good solution, or at least best practices.
I would like the application to support multiple tenants. This means that I definitely need a multi-tenant application. Anyway, this allows ALL Microsoft users to access my Web App, which I really do not want. The business plan is as follows: businesses buy the subscription/product and then gain access to the application (initially manually).
At first I thought that there might be some sort of setting in Azure to manually white-/blacklist certain tenants directly in the portal. I did not find anything regarding this, but maybe I missed it.
My second thought is that I have to implement the logic in the server directly. This should not be a problem, but are there already any existing resources you can use regarding this? My idea was that after/before each redirect to a page, the server checks the database to see if the tenant is allowed to visit the page. If not, a redirect to a "You are not allowed to visit this page!" page should happen.
Did I miss anything major here? I am 100% certain that this is a somewhat common use case and therefore am baffled that I did not find anything relevant regarding this.
Single-tenant applications can be accessed only by users who have an organizational account in the same AAD where the application is registered. Multi-tenant applications can on the other hand be accessed by anyone who has a valid organizational account.
The first time you try to authenticate to a multi-tenant application it isn't registered with your organization's AAD. You have to trigger the consent flow which will allow the user to login with their organizational account and grant the application the necessary permissions.
One way to solve your problem is by restricting access to tenants in Azure Active Directory. Check this document for detailed information.
Another way is by setting up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C. Check this document for more information.
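The server-side check the asker describes, written out as an added example (not from the thread or from Microsoft's libraries): after the JWT library has validated signature, audience and expiry, the `tid` claim is compared against an allowlist of paying tenants and cross-checked against `iss`. The tenant IDs are constructed placeholders.

```python
"""Tenant allowlist for a multi-tenant Microsoft identity platform app.

Assumes the token has already been validated (signature, aud, exp) by a
JWT library; this step only decides whether the issuing tenant is a
customer. Uses the v2.0 token shape, where `iss` is
https://login.microsoftonline.com/{tid}/v2.0.
"""
import re

# Constructed allowlist: tenant IDs of customers who bought a subscription.
# In a real deployment this comes from the database the asker mentions.
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def tenant_allowed(claims: dict, allowed: set = ALLOWED_TENANTS) -> tuple:
    """Return (allowed, reason) for already-validated token claims.

    Both `tid` and `iss` are checked so that a token whose issuer and
    tenant claim disagree is rejected rather than trusted.
    """
    tid = claims.get("tid")
    if not isinstance(tid, str) or not GUID_RE.match(tid.lower()):
        return False, "missing or malformed tid claim"
    tid = tid.lower()
    expected_iss = f"https://login.microsoftonline.com/{tid}/v2.0"
    if claims.get("iss") != expected_iss:
        return False, "issuer does not match tid"
    if tid not in allowed:
        return False, f"tenant {tid} has no subscription"
    return True, "ok"


def sample_claims(tid: str, iss_tid: str = None) -> dict:
    """Build constructed claims for a token from tenant `tid`."""
    iss_tid = iss_tid or tid
    return {"tid": tid, "iss": f"https://login.microsoftonline.com/{iss_tid}/v2.0",
            "oid": "00000000-0000-0000-0000-000000000000", "name": "Constructed User"}


if __name__ == "__main__":
    for c in (sample_claims("11111111-1111-1111-1111-111111111111"),
              sample_claims("33333333-3333-3333-3333-333333333333"),
              sample_claims("11111111-1111-1111-1111-111111111111",
                            "33333333-3333-3333-3333-333333333333"),
              {}):
        print(tenant_allowed(c))
```

A rejected tenant is where the "You are not allowed to visit this page!" redirect belongs; the reason string is for the server log, not the user.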

Azure AD B2C SSO with Sitecore and Dynamics 365 Portals

We have a simple scenario, but the technologies (or the implementation) have made things a bit complex.
We have Sitecore as the CMS for the client's main web site, and for business functionality we have Dynamics 365 Portal; we are using Azure AD B2C as the identity provider for both.
We have a heavily customised B2C custom policy to cater for specific requirements.
We are using the same custom policy in Sitecore and in Dynamics 365 Portals, so signing in individually works perfectly without any issues.
With regards to SSO, we have kept the configuration as OOTB as you can find it here.
Only 1 or 2 user journeys are absolutely perfect, as good as seamless journeys. In specific journeys we need the user to be logged in at both ends to make it work (we can force the user to go to the sign-in page, but it is not required on all the pages).
I have no idea or experience to relate this process to in order to understand how real and proper SSO should work in Azure AD B2C, so I am looking for guidance and help here.
I found very good information in this about how B2C works in terms of the sign-in and token-providing process, but it is a bit of an old question and things have changed a lot since then, specifically the UI and some of the operations.
Use the following docs when configuring session management for a custom policy. The Session Behavior section is where you define the SSO behavior. Specifically:
<SingleSignOn Scope="Application" />
If you want your users to get SSO between all applications, then define this value as "Tenant". There are several useful scenarios for creating separation between sessions, such as a company that has multiple brands that do not want to conflict with each other, or a separation of experiences.
Follow the exact format and location to be placed in your policy or you will not get the desired result.
Another concept that is important is understanding the session provider:
SSO session management has two parts. The first deals with the user's interactions directly with Azure AD B2C and the other deals with the user's interactions with external parties such as Facebook. Azure AD B2C does not override or bypass SSO sessions that might be held by external parties. Rather the route through Azure AD B2C to get to the external party is "remembered", avoiding the need to reprompt the user to select their social or enterprise identity provider. The ultimate SSO decision remains with the external party.
Session providers are used to define and maintain what goes into generating the session when your policy is being executed (inside the Identity Experience Framework). If marked incorrectly, this could lead to undesirable results such as wrong claims being sent, additional MFA prompts, parts of your policy not being maintained when run, or just general errors.
This is for those who are interested in how we achieved this.
Sitecore also offers OOTB Azure AD B2C configuration; however, the supplier of the Sitecore delivery side decided not to use the OOTB configuration approach and hence it caused a lot of issues. From what I have read about Sitecore configuration for Azure AD B2C, it does work smoothly with B2C with careful configuration.
Workaround: We had to rely on external triggers (e.g. a cookie) which indicate that a user has signed in on either side, and accordingly the sign-in process on both sides kicks off.

Is it possible to sign up/sign in Azure AD B2C without redirecting to Microsoft login site?

Is it possible to authenticate a user programmatically in Azure AD B2C without using the https://login.microsoftonline.com endpoint?
It's coming but not yet available: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13817784-add-support-for-resource-owner-password-credential.
Or maybe the UserVoice thread is out of date? https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc
It's a preview feature at the moment, so not exactly recommended for production use.
B2C moves forward pretty fast though so I doubt it'll take long to get a proper release.
Do remember that it will only support local accounts, not accounts from e.g. Facebook etc.
I also try to discourage people from using this flow as it means the users must give their passwords to your app, instead of the identity provider as normal.

Checking a user exists in Azure Active Directory B2C

I am creating a new Azure AD B2C authenticated site to replace an older Forms Authenticated one. In the new site, I am asking the user to initially enter their email address so I can check if they exist in Azure B2C and send them to the appropriate sign-in page, and if not, send them to the older Forms Authenticated site.
The issue I have when following Microsoft's tutorials is that they show user management, but they all require you to have logged in with your Azure account first, and obviously this is not possible given the system I am trying to build. Is what I am doing even possible?
Thanks in advance!
MS tutorials: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-code-samples/
Sadly, it seems like this is not possible within the Azure B2C Preview.
From the limitations section (https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-limitations/) there is this paragraph which describes what I am trying to do:
Daemons / Server Side Applications
Applications that contain long running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens using the application's identity (rather than a consumer's delegated identity) using the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C preview - which is to say that applications can only get tokens after an interactive consumer sign-in flow has occurred.
So it seems like this is currently not possible. Hopefully it'll work once it comes out of preview.
Be careful with this; check that your site is not vulnerable to username enumeration:
http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html
With the old users going to forms-based authentication, you could call the Graph API to create the users in the B2C directory:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
Then the next time they can log in through B2C.

How to add a CAPTCHA to sign up experience in Azure AD B2C

I'm looking into the new Azure AD B2C service. It allows customization of the sign-up experience, but I don't see any option to incorporate a CAPTCHA.
This TechNet blog post says the service performs some kind of "anomaly detection" during sign up, but doesn't specifically claim to be actively detecting and blocking robots.
Is anti-robot testing somehow provided automatically, without any additional steps for the user, or if not, how can I customize the experience to incorporate a CAPTCHA?
Today the UX customization in B2C is purely for allowing you to match the look and feel of your apps, but AFAIK there is no way of introducing active elements (e.g. anything that would run code). The service does provide email verification checks, but I can see how you might want to have something more specific. I will flag this thread with our B2C expert to see if there's anything more that can be shared at this time.