Can I use a certificate to authenticate to a Rest API in Azure B2C policies? - azure-active-directory

I am trying to call a Rest API in a B2C Technical Profile. That is described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile
The Rest API is protected by Azure AD, and I need to first obtain a bearer token from Azure AD and use the Bearer Authentication Type in the Technical Profile to access the Rest API.
I want to use a certificate and not a secret to obtain a bearer token from Azure AD. To do so, I have to create a JWT Assertion signed by the certificate. That process is described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate
I understand that much. What I am not sure about is whether B2C has any functionality with which I can build and sign a JWT assertion to use in a request to Azure AD. I've looked through the claims transformations that are available and am not finding anything. Am I forced to use client ID and secret instead?

Please note that, to generate a JWT token with a certificate, you must create a self-signed certificate like below:
New-SelfSignedCertificate `
    -KeyExportPolicy Exportable `
    -Subject "CN=yourappname.yourtenant.onmicrosoft.com" `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddMonths(12) `
    -CertStoreLocation "Cert:\CurrentUser\My"
On a Windows computer, select Manage user certificates and download the certificate:
Please note that client_id is required to authenticate to Azure AD B2C.
To upload the certificate, go to Azure AD B2C, select API connectors, upload the certificate and create a password for it like below:
Make sure to configure the REST API profile to use HTTP basic authentication by following this MS doc.
To generate the token without client_secret, please try the below parameters:
Then try generating the token. If you want to do it programmatically, update your appsettings file like below:
{
  "B2CTenant": "Tenant_ID",
  "B2CPolicy": "Policy_name",
  "B2CClientId": "client_id",
  "B2CRedirectUri": "redirecturi",
  "B2CSignUpUrl": "Signup_url",
  "SigningCertAlgorithm": "RS256",
  "SigningCertThumbprint": "Thumbprint",
  "LinkExpiresAfterMinutes": 10
}
Reference:
Secure APIs used as API connectors in Azure AD B2C - Azure AD B2C

Related

How do I Authenticate to AAD using Invoke-RestMethod with ClientCredential flow using certificate and get the token?

How do I Authenticate to AAD using Invoke-RestMethod with ClientCredential flow using certificate and get the token?
I tried to search for it but no success.
I can authenticate with client Secret but I want to use cert for security purposes.
To get an access token using the client credential flow with a certificate, you need to generate a self-signed certificate and upload it in the Azure AD application -> Certificates & secrets.
You can refer to this post, where they have explained step by step how you can generate the access token using the certificate.
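Added example, not from either post above: a PowerShell script that does what the two questions ask for. It builds the JWT client assertion with the certificate created by New-SelfSignedCertificate (x5t header, RS256 signature over header.payload) and exchanges it for a token with Invoke-RestMethod, then calls the protected API. The tenant id, client id, thumbprint, scope and API URL are placeholders, and the script runs from a PowerShell session, not inside a B2C policy.

```powershell
# Added example: client_credentials with a certificate-signed client assertion.
# Assumed placeholders: tenant id, app (client) id, thumbprint of the cert created with
# New-SelfSignedCertificate, the scope of the Azure AD-protected REST API, and the API URL.
$TenantId   = "00000000-0000-0000-0000-000000000000"
$ClientId   = "11111111-1111-1111-1111-111111111111"
$Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"
$Scope      = "api://22222222-2222-2222-2222-222222222222/.default"

function ConvertTo-Base64Url {
    param([byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-ClientAssertion {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ClientId,
        [string]$TokenEndpoint
    )
    # x5t is the base64url SHA-1 thumbprint; Azure AD uses it to pick the uploaded public key.
    $header = @{
        alg = 'RS256'
        typ = 'JWT'
        x5t = (ConvertTo-Base64Url ($Certificate.GetCertHash()))
    }
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $payload = @{
        aud = $TokenEndpoint                  # audience is the token endpoint being called
        iss = $ClientId
        sub = $ClientId
        jti = [guid]::NewGuid().ToString()    # unique per assertion, so it cannot be replayed
        nbf = $now
        exp = $now + 300                      # short lifetime: the assertion is used once
    }
    $utf8 = [System.Text.Encoding]::UTF8
    $h = ConvertTo-Base64Url ($utf8.GetBytes(($header | ConvertTo-Json -Compress)))
    $p = ConvertTo-Base64Url ($utf8.GetBytes(($payload | ConvertTo-Json -Compress)))
    $signingInput = "$h.$p"

    # Sign with the private key that stays in the local cert store; only the .cer is uploaded.
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    $hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $sig  = $rsa.SignData($utf8.GetBytes($signingInput), $hash, $pad)
    return "$signingInput.$(ConvertTo-Base64Url $sig)"
}

$cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
# One-time setup: export the public part and upload it under the app's Certificates & secrets.
# Export-Certificate -Cert $cert -FilePath .\app.cer

$tokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$assertion = New-ClientAssertion -Certificate $cert -ClientId $ClientId -TokenEndpoint $tokenEndpoint

$body = @{
    client_id             = $ClientId
    scope                 = $Scope
    client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
    client_assertion      = $assertion
    grant_type            = 'client_credentials'
}
$response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint `
    -ContentType 'application/x-www-form-urlencoded' -Body $body
$accessToken = $response.access_token

# Call the Azure AD-protected REST API with the bearer token (placeholder URL).
Invoke-RestMethod -Uri 'https://api.example.com/v1/resource' -Headers @{ Authorization = "Bearer $accessToken" }
```

The private key never leaves the certificate store: only the exported .cer is uploaded to the app registration, and each assertion is single-use (fresh jti, five-minute exp), which is the reason to prefer this over a long-lived client secret in the first place.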

How do I setup IdP initiated sign on with a B2C Local account to Salesforce?

I am trying to have an IdP initiated sign on with a B2C Local account to Salesforce. Under my current configuration when I navigate to my IDP to login, I receive the following error: "AADB2C90250: SAML IDP initiated SSO is not enabled for this policy."
I have ensured that <Item Key="IdpInitiatedProfileEnabled">true</Item> is under the technical profile in my custom policy. I'm not sure what other configuration to check and am looking for suggestions.
I'm using Azure AD B2C as IDP and Salesforce as IDP. Originally it was created for SP.
For PartnerEntity I'm using the same endpoint for Salesforce. Do I need a different endpoint or can I use the same one? Here's an example of my configuration.
I have a new setup for IDP initiated and have referenced that policy below.
<Item Key="PartnerEntity">https://<MY_SALES_FORCE_ACCOUNT>.my.salesforce.com/.well-known/samlidp/<API_POLICY>.xml</Item>
<Item Key="IssuerUri">https://<MY_DOMAIN>.b2clogin.com/<MY_DOMAIN>.onmicrosoft.com/<POLICY_NAME></Item>
Any other clues on this error would be helpful. Thanks.
• Please check whether the SAML response signature is created properly or not, and whether the certificate created to sign the SAML messages is proper or not, in the samlp:Response message element of the SAML message.
• If you don't already have a policy key, create one. Then configure the SamlMessageSigning metadata item in the SAML Token Issuer technical profile. StorageReferenceId must reference the policy key name.
• Make sure the technical profile and application use the same signature algorithm and that the algorithm supports your certificate.
• Make sure the SAML service provider sets WantAssertionsSigned to true. If it's set to false or doesn't exist, the assertion section won't be signed.
• Make sure you specify the certificate to be used to sign the SAML assertion sections of the SAML response. Also, check the SamlAssertionSigning metadata item in the SAML Token Issuer technical profile, where StorageReferenceId must reference the policy key name.
• Make sure encryption is enabled in the Azure AD B2C policy and that the public key exists in the SAML application's metadata endpoint with the KeyDescriptor use value set to Encryption.
• Also, note that scenarios where the initiating identity provider is an external identity provider federated with Azure AD B2C, such as Active Directory Federation Services or Salesforce, are not supported; the IdP-initiated flow is supported only for local account authentication in Azure AD B2C.
Please check the below links for more information and the sample code for IdP-initiated SAML single sign-on:
https://github.com/azure-ad-b2c/saml-sp/tree/master/policy/SAML-SP-Initiated
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider-options?pivots=b2c-custom-policy
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy

Get Access Token from Azure Active Directory using username and password

I am trying to create a POC with Azure Active Directory because I am planning to use it later in a production application.
In the Microsoft docs, the only way I found to log in is being redirected to the Microsoft page to provide username and password.
Is there some API I can use to get the access token by providing username and password, so that I can test it, for instance, using Postman?
You could use the Resource Owner Password Credentials (ROPC) flow to get an access token. See the Important section first to make sure you can use it in your application.
The Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (https://login.microsoftonline.com/{TenantId_or_Name}) or the organizations endpoint.
Personal accounts that are invited to an Azure AD tenant can't use ROPC.
Accounts that don't have passwords can't sign in through ROPC. For this scenario, we recommend that you use a different flow for your app instead.
If users need to use multi-factor authentication (MFA) to log in to the application, they will be blocked instead.
ROPC is not supported in hybrid identity federation scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity provider, Azure AD is not able to test the username and password against that identity provider. Pass-through authentication is supported with ROPC, however.
Try executing this request to obtain an access token.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id=<your-app-id>
&scope=<scopes-in-api-permissions>
&username=<username>
&password=<password>
&grant_type=password
As you are looking to get an access token by sending the username and password, you can use Postman or a curl command:
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20openid%20profile%20offline_access
&username=MyUsername@myTenant.com
&password=SuperS3cret
&grant_type=password
curl -X POST -d "client_id=clientid&scope=user.read&grant_type=password&username=username&password=Password" https://login.microsoftonline.com/tenantid/oauth2/v2.0/token
Note: Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.

Public certificate of Azure AD

As part of a POC, I want my existing web API to programmatically verify the signature of JWT access tokens, to validate the authenticity of tokens issued by my demo AAD so that they can be trusted by my web API app. To do the verification I need the .cer/public certificate of my demo AAD.
How do I get the .cer file of AAD to do signature verification?
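Added example, not part of the question above: the tenant's signing certificates are published through its OpenID discovery document, whose jwks_uri returns each key with an x5c entry holding the DER certificate. The PowerShell below, with a placeholder tenant id and token, picks the key named by the token's kid header, writes it out as a .cer, and uses it to check an RS256 signature and the basic claims.

```powershell
# Added example: fetch the tenant's signing certificate and check an RS256 token against it.
# Assumed placeholders: tenant id and a v2.0 access token issued by that tenant.
$TenantId = "00000000-0000-0000-0000-000000000000"
$Token    = "<paste an access token issued by this tenant>"

function ConvertFrom-Base64Url {
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    $s = $s.PadRight($s.Length + (4 - $s.Length % 4) % 4, '=')
    [Convert]::FromBase64String($s)
}

function Get-JwtPart {
    param([string]$Segment)
    [System.Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $Segment)) | ConvertFrom-Json
}

# 1. Discovery: the openid-configuration names the issuer and where the keys (JWKS) live.
$oidc = Invoke-RestMethod "https://login.microsoftonline.com/$TenantId/v2.0/.well-known/openid-configuration"
$jwks = Invoke-RestMethod $oidc.jwks_uri

# 2. The token header says which key (kid) signed it; the token is not trusted to pick the algorithm.
$parts = $Token.Split('.')
if ($parts.Count -ne 3) { throw 'not a compact JWS' }
$header  = Get-JwtPart $parts[0]
$payload = Get-JwtPart $parts[1]
if ($header.alg -ne 'RS256') { throw "refusing alg '$($header.alg)'; only RS256 is expected here" }
$jwk = $jwks.keys | Where-Object { $_.kid -eq $header.kid }
if (-not $jwk) { throw "kid '$($header.kid)' is not published by this tenant" }

# 3. x5c[0] is the DER-encoded leaf certificate; write it out as .cer and load it.
$der     = [Convert]::FromBase64String($jwk.x5c[0])
$cerPath = Join-Path $PWD "$($header.kid).cer"
[System.IO.File]::WriteAllBytes($cerPath, $der)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

# 4. Verify the signature over the ASCII bytes of "header.payload".
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$data = [System.Text.Encoding]::ASCII.GetBytes("$($parts[0]).$($parts[1])")
$sig  = ConvertFrom-Base64Url $parts[2]
$hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$signatureOk = $rsa.VerifyData($data, $sig, $hash, $pad)

# 5. A valid signature only proves who signed it; the claims still have to match this API.
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
[pscustomobject]@{
    Certificate = $cerPath
    Subject     = $cert.Subject
    SignatureOk = $signatureOk
    IssuerOk    = ($payload.iss -eq $oidc.issuer)
    NotExpired  = ($payload.exp -gt $now)
    Audience    = $payload.aud   # compare this to your API's own app id / identifier URI
}
```

Do not cache the .cer permanently: Azure AD rotates signing keys, so a verifier should re-read jwks_uri when it meets an unknown kid. The issuer comparison above is for v2.0 tokens; v1.0 tokens carry a different iss value, and B2C tenants publish their discovery document under the policy-specific URL rather than login.microsoftonline.com.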

B2C as IdP for SalesForce

Completely new to B2C. Tried both of these walkthroughs, but I'm missing something still:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still? The problem I have with app registration is that SalesForce gives me a token endpoint URL with a query string:
https://mycompany.cs79.my.salesforce.com/services/oauth2/token?so=00D1h000000Cnli
And B2C won't allow query strings in the reply URL.
Is there any way around this? Salesforce also supports OpenID I think, if that would be better?
::::::::::::UPDATE 6/22::::::::::
SAML:
I found and realized I was missing a critical step on the SalesForce side: adding the authentication provider to my domain's login page. Clicking the new link redirects me to B2C, but I get an immediate error from B2C. Application Insights shows the following exception:
The SAML technical profile 'serviceProviderMetadata' specifies a PartnerEntity URL of 'REMOVED', but fetching the metadata fails with reason 'For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
OpenID:
Using this write-up as a guideline, I've registered the app in B2C and configured the SalesForce side.
Instead of using the Azure AD authorization endpoints, I pulled my B2C tenants endpoints from my meta data URL (login.microsoftonline.com/{tenant}/.well-known/openid-configuration).
This works for my B2C admin account, however, when I try a test user that isn't a B2C admin I get the following error from the B2C sign-in page:
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'REMOVED' from identity provider 'LINK REMOVED' does not exist in tenant 'MTB2CTest' and cannot access the application '5c8b9f4f-cf28-42fe-b629-b87251532970' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
::::::::::::UPDATE 6/23::::::::::
OpenID:
I’ve found that it works 100% only for my B2C admin account if I don’t use a policy, but doesn't work for other accounts. When I use a policy, only accounts that signed up through the policy can authenticate with B2C (which is great) – but the token doesn’t seem to be reaching SalesForce. I've created two PDFs showing the configuration details and the results from each method (policy and nopolicy) here.
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still?
Not exactly; you don't need to register an app on the B2C side. All the configuration you do in the policies is enough.
Did you try the Salesforce SAML SSO article https://help.salesforce.com/articleView?id=sso_saml.htm&type=5 ?
Check the above article, do the configuration on the Salesforce side and grab the details required by the SAML RP.
I hope that by following both the SAML RP and Configure SAML Settings for Single Sign-On articles you can configure B2C as IdP for Salesforce.
I stumbled on this question while trying to implement Azure AD B2C as an IdP for Salesforce. We used Open ID Connect to enable SSO between the two. This involved setting up an Application in Azure AD B2C, enabling the read scope on that application, and configuring the connection in Salesforce using that application, a custom policy returning a JWT token, and a dummy User Info endpoint.
Check out this answer for exact steps on how we set up Open ID Connect: https://stackoverflow.com/a/61639332/13484109
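Added example, not from any of the posts above, serving two earlier passages: the checklist in the IdP-initiated sign-on answer (WantAssertionsSigned, the signing and encryption KeyDescriptors) and the "DTD is prohibited" metadata error in the 6/22 update. The PowerShell below loads SP metadata with DtdProcessing set to Prohibit, which reproduces the exact failure B2C reports, and otherwise prints the items the checklist asks about. The metadata URL is a placeholder and both XML documents are constructed samples.

```powershell
# Added example: load SP metadata the way B2C does (DTD prohibited) and report the
# checklist items. The metadata URL is a placeholder; the two XML samples are constructed.
$MetadataUrl = 'https://example.my.salesforce.com/.well-known/samlidp/placeholder.xml'

function Test-SamlSpMetadata {
    param([string]$Xml)
    $r = [ordered]@{
        LoadError = $null; DtdPresent = $false
        WantAssertionsSigned = $null; AuthnRequestsSigned = $null
        SigningKeys = 0; EncryptionKeys = 0; AcsUrls = @()
    }

    # B2C refuses any document with a DOCTYPE; Prohibit reproduces its exact failure message.
    $settings = [System.Xml.XmlReaderSettings]::new()
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver   = $null      # never fetch external entities either
    $doc = [System.Xml.XmlDocument]::new()
    $reader = $null
    try {
        $reader = [System.Xml.XmlReader]::Create([System.IO.StringReader]::new($Xml), $settings)
        $doc.Load($reader)
    } catch [System.Xml.XmlException] {
        $r.LoadError  = $_.Exception.Message
        $r.DtdPresent = $r.LoadError -like '*DTD is prohibited*'
        return [pscustomobject]$r
    } finally {
        if ($reader) { $reader.Dispose() }
    }

    $ns = [System.Xml.XmlNamespaceManager]::new($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $sp = $doc.SelectSingleNode('//md:SPSSODescriptor', $ns)
    if (-not $sp) { throw 'no SPSSODescriptor: this is not service-provider metadata' }

    # An absent WantAssertionsSigned behaves like false (see the checklist).
    $r.WantAssertionsSigned = if ($sp.HasAttribute('WantAssertionsSigned')) { $sp.GetAttribute('WantAssertionsSigned') } else { '(absent, treated as false)' }
    $r.AuthnRequestsSigned  = if ($sp.HasAttribute('AuthnRequestsSigned'))  { $sp.GetAttribute('AuthnRequestsSigned') }  else { '(absent)' }
    # A KeyDescriptor without a use attribute counts for both signing and encryption.
    $r.SigningKeys    = @($sp.SelectNodes('md:KeyDescriptor[@use="signing" or not(@use)]', $ns)).Count
    $r.EncryptionKeys = @($sp.SelectNodes('md:KeyDescriptor[@use="encryption" or not(@use)]', $ns)).Count
    $r.AcsUrls = @($sp.SelectNodes('md:AssertionConsumerService', $ns) | ForEach-Object { $_.GetAttribute('Location') })
    return [pscustomobject]$r
}

# Constructed sample 1: clean metadata with a signing key but no encryption key.
$clean = @"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://example.my.salesforce.com">
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.my.salesforce.com/?so=placeholder" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"@
Test-SamlSpMetadata -Xml $clean

# Constructed sample 2: the same document preceded by a DOCTYPE, which is what B2C rejects.
$withDtd = "<!DOCTYPE EntityDescriptor>`n" + $clean
Test-SamlSpMetadata -Xml $withDtd

# Against the real SP metadata, fetched the same way B2C would fetch PartnerEntity:
# Test-SamlSpMetadata -Xml (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
```

The first sample reports WantAssertionsSigned true, one signing key and zero encryption keys (so the checklist's encryption item would fail for it), and lists the ACS locations as B2C will see them; the sample's carries a query string, like the Salesforce URL in the question above. The second sample returns with DtdPresent set and the same "For security reasons DTD is prohibited" message that Application Insights showed, which tells you the fix belongs on the SP side (serve the metadata without a DOCTYPE) rather than in the policy.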
