Showing posts with label azure-ad-b2c.

Thursday, October 20, 2022

[FIXED] How to pass and validate the signInEmail claim during External IDP login using Azure B2C custom policy?

October 20, 2022. Tags: azure-ad-b2c, email, idp, orchestration-step, validation-technical-profile

Issue

This question is related to this one.

What we'd like to do is: at the moment the user clicks the button like Facebook OR Microsoft account OR Corporate AD in the Sign in page, call a validation technical profile to validate the email address the user is using to sign in.

I tried adding an OrchestrationStep like this:

<OrchestrationStep Order="4" 
  Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" 
      ExecuteActionsIf="false">
      <Value>idp</Value>
      <Value>CorporateAD</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="FetchMoreClaimsExchange" 
      TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
  </ClaimsExchanges>
</OrchestrationStep>

This is actually calling REST-ValidateSignInEmail because I see an error returned in the URL like this:

https://mywebsite.azurewebsites.net/#error=server_error&error_description=AADB2C%3a++is+disabled.%0d%0aCorrelation+ID%3a+bce3fd82-1111-4f17-ad99-ef7770ed8dda%0d%0aTimestamp%3a+2019-11-08+20%3a34%3a51Z%0d%0a&state=7b7c70e7-7a77-77d7-7d7e-7dd0e7b707e7

The message is+disabled is coming from the REST API I put together, but this obviously tells me that the email/signInEmail claim it expects as a parameter is not being sent/passed.

This is the Technical Profile:

<TechnicalProfile Id="REST-ValidateSignInEmail">
    <DisplayName>Validate Email</DisplayName>
    <Protocol Name="Proprietary" 
            Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
       <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
       <Item Key="AuthenticationType">None</Item>
       <Item Key="SendClaimsIn">Body</Item>
    </Metadata>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" 
              PartnerClaimType="UserEmail" />
    </InputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Can you shed some light on how to approach this?


Solution

Generally after I post the question I keep fiddling with the code.

Got it working like this:

<TechnicalProfile Id="REST-ValidateSignInEmail">
    <DisplayName>Validate Email</DisplayName>
    <Protocol Name="Proprietary" 
            Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
       <Item Key="ServiceUrl">{Settings:AzureAppServiceUrl}/api/B2C/ValidateSignInEmail</Item>
       <Item Key="AuthenticationType">None</Item>
       <Item Key="SendClaimsIn">Body</Item>
    </Metadata>
    <InputClaims>
        <!-- Local-account sign-in populates signInName; external IdPs populate email.
             Both are sent to the REST API under the same UserEmail parameter. -->
        <InputClaim ClaimTypeReferenceId="signInName" 
              PartnerClaimType="UserEmail" />
        <InputClaim ClaimTypeReferenceId="email" 
              PartnerClaimType="UserEmail" />
    </InputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Note that I added a new InputClaim with ClaimTypeReferenceId="email". email is the claim value that is passed when using an external IDP.

This sample policy showed me that I could add the OrchestrationStep right before the JwtIssuer one. We can also have it without any preconditions like this:

<OrchestrationStep Order="7" 
  Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="REST-ValidateSignInEmail" 
      TechnicalProfileReferenceId="REST-ValidateSignInEmail" />
  </ClaimsExchanges>
</OrchestrationStep>

Doing so, it'll get called for all IDPs.


Azure Active Directory B2C: Custom CIAM User Journeys



Answered By - Leniel Maccaferri
Answer Checked By - Mildred Charles (PHPFixing Admin)
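As an added example that is not part of the original question or answer, the following Python shows the server side of the exchange described above: a handler for the ValidateSignInEmail endpoint that a RESTful technical profile with SendClaimsIn=Body would post to. B2C sends the input claims as a JSON object keyed by PartnerClaimType (so both signInName and email arrive as "UserEmail"), and a rejection is reported back to B2C with an HTTP 4xx status (409 is the documented choice) and a body containing version, status and userMessage. The handler deliberately treats a missing claim as its own error, because that is what produced the " is disabled" message in the question: the API formatted an empty email into its reply. The disabled-address list, the allowed domains, the output claim names and all request bodies are constructed for the example.

```python
"""Added example, not the original post's code: a validation handler for the
ValidateSignInEmail endpoint called by a B2C RESTful technical profile.
The allow/deny data and request bodies are constructed sample values."""
import json
import re

# B2C posts input claims keyed by PartnerClaimType, so signInName (local
# accounts) and email (external IdPs) both arrive under this single key.
CLAIM_KEY = "UserEmail"

# Constructed sample policy data (hypothetical, for the example only).
DISABLED_EMAILS = {"blocked.user@example.com"}
ALLOWED_DOMAINS = {"example.com", "corp.example"}

_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def b2c_error(user_message: str, status: int = 409) -> tuple[int, dict]:
    """B2C's error contract for a RESTful technical profile: a 4xx status and a
    JSON body with version/status/userMessage. B2C shows userMessage to the
    user; from a ClaimsExchange orchestration step it appears in the redirect
    as error_description=AADB2C: <userMessage>, exactly like the question's URL."""
    return status, {"version": "1.0.0", "status": status, "userMessage": user_message}


def validate_sign_in_email(raw_body: str) -> tuple[int, dict]:
    """Return (http_status, json_body) for the request body B2C posted."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return b2c_error("Request body was not valid JSON.", 400)
    if not isinstance(body, dict):
        return b2c_error("Request body must be a JSON object.", 400)

    email = (body.get(CLAIM_KEY) or "").strip().lower()

    # The failure mode from the question: the claim never arrived, and a naive
    # f"{email} is disabled" reply rendered as " is disabled". Say so instead.
    if not email:
        return b2c_error(
            f"No '{CLAIM_KEY}' claim was sent; check the InputClaims of the technical profile."
        )

    match = _EMAIL_RE.match(email)
    if not match:
        return b2c_error("The sign-in email address is not well formed.")

    if email in DISABLED_EMAILS:
        return b2c_error(f"{email} is disabled.")

    domain = match.group(1)
    if domain not in ALLOWED_DOMAINS:
        return b2c_error(f"Sign-in with {domain} accounts is not permitted.")

    # Success: HTTP 200 with output claims for B2C to merge into the claims bag
    # (the claim names here are constructed for the example).
    return 200, {"validatedEmail": email, "emailDomain": domain}


if __name__ == "__main__":
    # Constructed request bodies, including the empty-claim case from the question.
    for sample in ('{"UserEmail": "Alice@Example.com"}', '{}',
                   '{"UserEmail": "blocked.user@example.com"}'):
        print(sample, "->", validate_sign_in_email(sample))
```

Note that the technical profile on this page uses AuthenticationType None, which means the endpoint accepts any caller, not only B2C; the RESTful provider also supports Basic, Bearer and ClientCertificate values for that metadata item, so a deployed endpoint can require B2C to authenticate itself.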

[FIXED] How to set up multiple SSO IdPs in AD B2C?

October 20, 2022. Tags: authentication, azure-ad-b2c, azure-ad-b2c-custom-policy, idp, single-sign-on

Issue

I have an application that uses AD B2C for authentication. I need to allow external IdPs to authenticate via SSO into my application via AD B2C. I followed the steps in this documentation and it worked well for one IdP. https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=macos&pivots=b2c-custom-policy

My use case requires setting up multiple (>30) IdPs and unfortunately this documentation requires creating a new claims provider and technical profile for each IdP set up. Is there a way to set up multiple IdPs without coding them into the custom policy? Along the lines of dynamically pulling the correct IdP from an external data source based on email domain and injecting it into technical profile? Or maybe by setting up a single IdP or bridge and using it as proxy for the 30+ IdPs? I'm curious as to how others have solved this as I'm sure this is not a new use case.


Solution

• If you have multiple identity providers to be configured in your Azure AD B2C application for authentication, you can configure all the social account identity providers at once by referring to the documentation link below and configuring the social identity providers one by one as given there:

https://learn.microsoft.com/en-us/azure/industry/training-services/microsoft-community-training/infrastructure-management/install-your-platform-instance/configure-multiple-authentications-in-a-single-instance

Once all the social identity providers are configured for authentication in the Azure AD B2C application, you can configure multiple identity providers for a multi-tenant Azure AD application one by one as stated in this documentation link:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant?pivots=b2c-custom-policy

• As per the present developments, it is currently not possible to configure only a single technical profile and claims provider for multiple IDPs, or to set up multiple IDPs without coding them into custom policies. Currently, you will have to set up the required IDPs by entering every IDP's technical profile and claims provider information in the custom policy XML file.

For more information, you can surely refer to the community thread stated in your comments section to see if it works or not:

B2C Custom Policy with TP OpenId Connect - IdTokenAudience - MultiApple scenario



Answered By - Kartik Bhiwapurkar
Answer Checked By - Senaida (PHPFixing Volunteer)

Sunday, September 4, 2022

[FIXED] Where to implement Azure AD B2C with React frontend and ASP.NET Core 6 backend

September 04, 2022. Tags: asp.net-core, authentication, azure-ad-b2c, cookies, reactjs

Issue

I am looking to implement Azure AD B2C into my web application for user authentication.

However, I am unsure of the desired practice when you have a separate frontend from backend.

  • Frontend: React JS web application running on Node.js
  • Backend: ASP.NET Core 6 API application
  • Server: Microsoft SQL Server

I would like to also have users / user information stored in the database upon creation. This is because I need to reference these users in several different relational tables.

What is the best workflow with this?

  1. Azure AD B2C is implemented in frontend. When a user is created, an API request is sent to the backend to create the user in the database. If it is successful, a user cookie is created on the frontend for authentication.
  2. Azure AD B2C is implemented in the backend. When a user is submitted in the frontend, an API request is sent to the backend where the Azure AD B2C service creates a user, stores it in the database, and sends a callback to the frontend signifying the action was either successful / unsuccessful, along with a user cookie for authentication.
  3. other

I am new to authentication cookies, and user sessions, so any documentation provided regarding that would be greatly appreciated.


Solution

• I would suggest you use ASP .NET MVC 2 or another version as the front-end client and integrate the Azure AD B2C tenant and an app registered in it as described in the documents below. Once you have the Azure AD B2C tenant registered and the required application for authentication configured, configure the custom policies and user flow accordingly. Once those are done, secure that application with Azure AD B2C for login and authentication with guest authentication. Then ensure that your backend application is integrated with Azure SQL or Cosmos DB for storing the details of all the users signed in with Azure AD B2C. For that purpose, you will have to give the Azure AD B2C application registration the required permissions on the concerned Azure resource to allow it to access the resource and retrieve the user details from it. Thus, in this way, you can configure your application accordingly.

Kindly refer to the links below for more information and details on configuring the infrastructure for the same:

https://www.codeproject.com/Articles/1121503/Integrate-Azure-AD-B-C-with-ASP-NET-MVC-Web-App-Pa

https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-web-app?tabs=visual-studio



Answered By - Kartik Bhiwapurkar
Answer Checked By - Terry (PHPFixing Volunteer)
Copyright © PHPFixing