We’ve implemented a keycloak integration with Azure ADB2C as an identity provider. While mapping the user claims in keycloak from the b2c token, I’m seeing a blank for the ‘sub’ claim. Is there anything to modify in the B2C policy or the Keycloak mapping configuration settings. Please share your suggestions. I really appreciate your time in considering this.
I'm issue Sub on B2C custom policy at RelyingParty as < SubjectNamingInfo ClaimType="sub" / > that will map to the user ObjectID.
RelayParty
TokenIssue
Is that issue that you are facing? The value of the Sub is blank? Maybe you just need add it on the TP for token issue. A difference on Keycloak and B2C (that I found in a customer) is about the name pattern, that B2C use ID and KC use string as name.
Related
I'm trying to use Azure B2C OAuth for Alexa account linking with implicit flow.Below is the redirect url from Alexa
https://alexa.amazon.co.jp/spa/skill/account-linking-status.html?vendorId=XXXXXXXXXX
But adding this gives below error in Azure B2C app.
Failed to update xxx-xxxxxxapp application. Error detail: URL may not contain a query string
I tried below link for solving this but its not working
https://blogs.aaddevsup.xyz/2018/04/query-string-is-not-allowed-in-redirect_uri-for-azure-ad/
I also tried auth code grant flow with SPA in B2C. That is also not working with Alexa as it has PKCE - https://github.com/MicrosoftDocs/azure-docs/issues/64073
Anyone succeeded in creating this?
Adding URL parameters isn't allowed in Azure AD B2C.
The document you linked also provides that you use the state parameter. The problem with this is that your Amazon Alexa requires a vendor Id URL parameter.
You can add your own redirection service such that B2C redirects to your service which then redirects to the final application adding any needed query parameters that can be extracted from the B2C claims.
Azure B2B gives simple steps for direct federation with google and facebook.Though, i don't see any documentation to establish direct federation with Auth0 or Okta. I tried myself with Auth0 at the time or invitation my user succesfully login with auth0 account but after redirection to invitation.microsoft.com getting redemtion failure.
Can someone give me steps to setup Auth0 as IDP and then configure that with Azure AD direct federation.
https://auth0.com/docs/protocols/saml-configuration-options/configure-auth0-as-saml-identity-provider
i have already setup everything as mentioned in above document but still not able to redeem invitation after login.
Any help would be highly appreciated!!!
Azure AD B2B can be configured to federate with identity providers that use the WS-Fed or SAML. There is no specific Document for direct federation either from OKTA or Azure. From Azure end Direct federation is only allowed for policies where the authentication URL’s domain matches the target domain, or where the authentication URL is one of these allowed identity providers as per this document. I recommend you to open a support case with Auth0 since it involves multiple parties.
When I log into Azure AD B2C I don't get the preferred_username claim included id_token. Is there a way to configure this from the Azure portal? Pretty sure I would get this claim in regular Azure AD OIDC implicit flow.
I've tried looking at custom claims but it seems like this should be a built-in claim that gets included or mapped to some attribute.
This is a known issue with B2C and the MSAL libraries.
From the MSAL .NET wiki: B2C does not return a value in the IdToken for the preferred_username because of limitations with the social accounts and external identity providers (IdPs). Azure AD returns a value for preferred_username because it knows who the user is, but for B2C, because the user can sign in with a local account, Facebook, Google, GitHub, etc...there is not a consistent value for B2C to use for preferred_username. To unblock MSAL from rolling out cache compatibility with ADAL, we decided to use "Missing from the token response" on our end when dealing with the B2C accounts when the IdToken returns nothing for preferred_username. MSAL must return a value for preferred_username to maintain cache compatibility across libraries.
If you want to display a value in the UI, you should be able to use the login hint to pass in a username to pre-fill the sign-in UI. As noted in this MSAL .NET issue.
This is a known issue with Azure AD B2C.
This is because Azure AD B2C does not return a value in the IdToken
for the preferred_username because of limitations with the social
accounts and external identity providers (IdPs).Azure AD returns a
value for preferred_username because it knows who the user is, but for
Azure AD B2C, because the user can sign in with a local account,
Facebook, Google, GitHub, etc. there is not a consistent value for
Azure AD B2C to use for preferred_username.
Here is the Workarounds.
Completely new to B2C. Tried both of these walkthroughs, but I'm missing something still:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still? The problem I have with app registration is that SalesForce gives me a token endpoint URL with a query string:
https://mycompany.cs79.my.salesforce.com/services/oauth2/token?so=00D1h000000Cnli
And B2C won't allow query strings in the reply URL.
Is there any way around this? Salesforce also supports OpenID I think, if that would be better?
::::::::::::UPDATE 6/22::::::::::
SAML:
I found and realized I was missing a critical step on the SalesForce side: adding the authentication provider to my domain's login page. Clicking the new link redirects me to B2C, but I get an immediate error from B2C. Application Insights shows the following exception:
The SAML technical profile 'serviceProviderMetadata' specifies a PartnerEntity URL of 'REMOVED', but fetching the metadata fails with reason 'For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
OpenID:
Using this write-up as a guideline, I've registered the app in B2C and configured the SalesForce side.
Instead of using the Azure AD authorization endpoints, I pulled my B2C tenants endpoints from my meta data URL (login.microsoftonline.com/{tenant}/.well-known/openid-configuration).
This works for my B2C admin account, however, when I try try a test user that isn't a B2C admin I get the following error from the B2C sign-in page:
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'REMOVED' from identity provider 'LINK REMOVED' does not exist in tenant 'MTB2CTest' and cannot access the application '5c8b9f4f-cf28-42fe-b629-b87251532970' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
::::::::::::UPDATE 6/23::::::::::
OpenID:
I’ve found that it works 100% only for my B2C admin account if I don’t use a policy, but doesn't work for other accounts. When I use a policy, only accounts that signed up through the policy can authenticate with B2C (which is great) – but the token doesn’t seem to be reaching SalesForce. I've created two PDFs showing the configuration details and the results from each method (policy and nopolicy) here.
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still?
Not exactly, you no need to register an app at B2C side. All the configuration you do in Policies is enough.
Did you try Salesforce SAML SSO article https://help.salesforce.com/articleView?id=sso_saml.htm&type=5
Check the above article and try to do configurations at Salesforce side and grab the details required by SAML RP
I hope by following both SAML RP and Configure SAML Settings for Single Sign-On articles you can configure B2C as IDP for Salesforce.
I stumbled on this question while trying to implement Azure AD B2C as an IdP for Salesforce. We used Open ID Connect to enable SSO between the two. This involved setting up an Application in Azure AD B2C, enabling the read scope on that application, and configuring the connection in Salesforce using that application, a custom policy returning a JWT token, and a dummy User Info endpoint.
Check out this answer for exact steps on how we set up Open ID Connect: https://stackoverflow.com/a/61639332/13484109
After creating my B2C Tenant in the legacy portal, when I navigate to the new portal I get the following error:
Verify B2C feature failed: {"message":"CorrelationId: 4645f854-4099-45b3-b2e5-b1b3c0e47353; Your tenant 'XXXXX.onmicrosoft.com' is not authorized to use b2c functionality. Please ensure your tenant is whitelisted"}
So how do I get my tenant whitelisted? I created a second tenant and got the same result.
We do not have whitelisting constraint for B2C Tenants and the error message needs correction. Thanks for reporting and we will fix it. You are hitting the case where user trying to access is not a global admin for the tenant yet. Can you check if you are marked as global admin for the tenant and/or we may have a timing bug on our side? And if you are shown as admin please retry clicking on the Manage B2C Link on the tenants you already created.