We have a website that has its own register/login logic. The user table, passwords...
As a business requirement, we need to integrate a 3rd party website, seamlessly to our users. So when a logged-in user clicks on the 3rd party's link he should be logged in straight away and has passed user details.
The 3rd party website supports single sign-on, and ideally, we would like to use Azure AD B2C to implement SSO.
Is it possible to keep Azure AD as an alternative place of login? So we still register a user via our website, use our login, but when a user comes to the other website he logins via Azure AD. Basically, this would imply pinging Azure AD via Rest API whenever we have a new user and passing his details there, but also somehow asking Azure AD to do the login verification with us using a REST API on our side
Is this achievable, or there is a better way of implementing this?
Thanks
There is a way you can follow I have design it as well in the below picture. From this way it can be achievable
Step 1: Store the new user in data base that is signup in website1.
Step 2: Export the user list in CSV format.
Step 3: Upload the CSV file to storage account and the WebJob will be reading it to create users into the B2C directory.
Step 4 : if any new user comes for login in 3rd party website it will redirect to website 1 for register and if existing user comes it will prompt for Azure ad B2C authentication.
Please follow this document to implement the above scenario:
https://blog.kloud.com.au/2018/10/30/bulk-import-users-into-azure-ad-b2c-tenant-with-custom-attributes/
Related
We are working on integrating our app with MS Teams using a Teams app with a bot and a tab and we are struggling with the authentication.
Our scenario is:
We use Azure AD B2C for authentication to our app (using predefined user flows).
We have different customers that use Azure AD (each one with its own Azure AD tenant). We created a custom identity provider that enables sign-in/sign up users to our app using their own Azure AD credentials.
We created a bot channel registration using a "Generic Oauth 2" service provider to connect to our bot with Azure AD B2C.
Our challenges are:
Ideally, we want to implement SSO for our bot in Teams to allow our customers to be able to sign in to our app using their MS Teams credentials. We managed to authenticate using OAuthPrompt for Teams following this sample but the challenge we've seen is that the user needs to sign in every time that opens the bot (i.e. there refresh token is not working) and also we are not able to send a "domain_hint" query string to differentiate our customers.
Ideally, we want the authentication to be handled using only one bot channel registration
Probably it could be achieved by creating one channel registration for each customer but in the long-term, we'd need to create one bot for each customer and that could be difficult to maintain/avoiding our customers installing an App Registration on their Azure AD.
Anyone had similar experiences dealing with MS Teams apps for multiple Azure AD tenants using Azure AD B2C? How's the best way you recommend to handle this scenario?
Your help would be appreciated!
Thanks in advance!
If it helps to someone, after some research, we are doing the following for our scenario:
For the SSO in the tabs, given the limitation of OAuthPrompt to don't refresh tokens (we don't want users to sign in every time the token expires) we are following this solution posted months ago https://github.com/igrep/example-teams-bot-with-ms-account-refresh-token.
For handling multiple Azure AD tenants within B2C, given that we are using predefined user flows and we need to build a custom sign-in for our scenario, we are going to pass the get and pass the domain_hint from MS Teams to Azure AD B2C.
To implement SSO, please go through Add single sign on to a bot and also you can refer the code base in Expert Finder app template and it has implemented the same bot sign-in functionality and it is working fine.
Could you please take a look at multiple Azure AD tenants using Azure AD B2C for configuring multi tenant AD B2C.
I am doing login from Azure AD.Client is SPA(angular using MSAL). If user is not Authenticated, it redirect to Microsoft Login Screen (using MSAL). On successful login, it return an access token.
My roles will be stored in a database. I need to add the roles of that user as part of claim in access token. I am not finding the way to do it.
I do not want to make another call from SPA to API to get the DB roles.
Please suggest some good approach.
Any links explaining the approach will also be very helpful.
I am still in design phase but not able to find the best approach.
In one microsoft site, i found that we can fetch the roles from DB but details were not there.
most of the places, it is written that we need to provide roles in Azure AD users menifest file.
In regular Azure AD, the "roles" claim is exclusively sourced from app role assignments for the signed-in user (or groups the user is a member of), to the app roles for the app the user is signing in to.
There's no feature currently in Azure AD which will connect to an arbitrary database, make a database query in the appropriate form, and include the results in the roles claim in the resulting ID Token.
I can think of three options to achieve your scenario:
After sign-in, call an API to retrieve the roles. Though you mention this is not desirable, it's probably the simplest approach, so it's worth listing. As a result of the user's sign-to you app, you app will usually obtain an access token to an API. If you set up your API to be secured with Azure AD (directly, or through Azure API Management), your SPA could simply get the necessary access token as part of sign-in, and at that point it's trivial to make a REST call to retrieve the role details for the user (and possibly other information useful to rendering your app).
Synchronize (or copy) your role information from your database to Azure AD. For each role, create an app role in the Azure AD app registration. For each user-role association, either create an app role assignment to directly assign the user (user -> app role), or assign a group to the app role and add the user to the group (user -> group -> app role. Keeping this in sync is probably not trivial, so if your scenario allow to move the role information to Azure AD app role assignment, you can forget the database entirely (making Azure AD the authoritative location). Of course, this might not work for your specific case.
Use Azure AD B2C and a custom sign-in policy. You could create an Azure AD B2C tenant, set up a custom sign-in policy to use your (regular) Azure AD tenant as the identity provider, and configure the policy to enhance the claims by calling a REST API to retrieve your roles. In this approach, you still need to have a REST API which can provide the role information, so rather than doing the setup and migrating your app, you may prefer simply calling the API from your SPA (option 1, in this list).
I am working on an ASP.Net MVC application which will handle two types of users
External Users (Need to authenticate using Azure B2C with username as login instead of email as login)
Internal Users (which already exist in Corporate Azure AD)
What is the right way of implementing it?
One option is to run two separate instances of the application configured against each IDP. Keep each type of user stick to one app instance.
I tried to register AD and AD B2C in one app by registering two OpenIdConnect services but having problems when the user tries to access a resource without first logging into the application. Without knowing the type of the user I cannot specify AuthenticationSchema in the Authorize tag.
I am sure people have done this before so if you someone who knows how to do it, then please guide me..
I got Azure AD B2C up and running in my ASP.NET Core web app. But I wonder what's the best way to actually approve new users when they sign up? Is there anything built-in?
Now, anyone can click on Sign-Up link and there you go, you provide your data and click a button. And you're in my tenant Azure AD B2C directory! Now, I'd like to have some control over this.
Did I mention every user costs $1/month when you want to customize Azure AD UI??? (as far as I understand it, correct me if I'm wrong). So if someone goes and sign up 1000 users I'll have to pay for it $1000??
At this time there is not built-in support for user sign up approval workflows.
You can achieve this by:
Having a custom attribute to determine whether a user has been "approved" or not. You would let users sign up by themselves and you would create an experience or flow that queries the Azure AD Graph for users that haven't been "approved" and then either approve them or delete them.
Building an invitation flow. When you invite a user, you'd create the user through the Azure AD Graph. You would then direct your users to the Password Reset policy as their "account verification" flow.
As for your pricing question, if you customize the UI via the newer unified sign-up/sign-in policies, you'll only pay the regular Azure AD B2C pricing model: between $0.0011 and $0.00063 per user depending on how many you have.
Customizing the UI in the older sign-up policy is not really available. As a workaround, you can use Azure AD Premium's company branding feature which is the one that costs $1 per user. If this is the route you are pursuing, I'd recommend voting for this ask: Fully Customizable Sign-In Page.
I am building a native iOS application and want to use AADB2C as identity provider where users login, signup, reset their passwords etc.
I cannot figure out a way to let users signup with AADB2C (or regular AAD for that matter) without redirecting them to a (customizable, but still) microsoft website. To be perfectly clear: I want to let customers create user accounts on AAD from a native iOS form without redirecting them to a website, preferably via REST request. (Like here under "Create consumer user accounts": https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)
Can you create users from an iOS app?
Yes, using the Graph API as per the article you showed. You can only create local accounts at this time though.
However you need to be very careful about how you do it given that currently, the ability to create users requires Directory.ReadWrite.All permission, which also allows all other sorts of operations. You should NOT put the client ID and client secret for an app with these permissions in your iOS app. Rather, you would need to create a backend service that exposes an API for your iOS app to call for user creation.
However, more importantly, what you WON'T be able to do is SIGN IN the users without a redirect (which is what the B2C sign up policy does). In order to do this from your own UI without redirects, you would need Azure AD B2C to support Resource Owner Password Credentials Flow so that you can, after creating the user, use this flow to sign them in and get a token.
Note: You would also need to disable Email Verification so that you can leverage the user account right after user creation. You can set this in the Sign-up policy or Sign-up/Sign-in policy via Page UI customization > Local account sign-up page > Email Address > Require Verification > No
Lastly, as an FYI, there's a feature in the works in Azure AD B2C: Customer Owned Domains, which, paired up with UI customization, would allow you to have sign-up/sign-in pages that you can look like your own and have a URL of your own, with no trace of Microsoft for your end users to see.