Adding user values from ADFS server to AAD - azure-active-directory

I have configured the ADFS server and added a user with the name 'test name' and the email id test#domain.com. I have a city field in the ADFS server with the value 'city name'.
I have defined the claim issuance policy with the following values in it.
I have a sign-up page from which the user gets redirected to the ADFS server; the user logs in and gets registered on AAD.
After login, the ADFS server sends the required values to the sign-up page, where they get populated into the input fields.
On AAD the user gets registered as Unknown user with no user details.
The city field is empty, and the other values as well, in the user's details page.
I have the following output claims in its trust framework extension.
Let me know if I am doing the wrong attribute mapping.
How can I add the city value, or all the user details, on AAD after user sign-up?

When you say AAD, I assume you mean AAD B2C?
Are you federating B2C with ADFS via SAML or OIDC?
Are the ADFS values populated in the B2C sign-up page?
If so, are you writing these values back to AAD B2C afterwards?
e.g. by using "AAD-UserWriteUsingAlternativeSecurityId". If so, have you added these extra values as output claims?
Note that you can only write these values back.

Successfully signing out on a .NET 5 B2C application

The disturbing scenario is: users log out of the application but their session remains valid, such that they are able to sign back in without reauthenticating. Is the code snippet below the portion of the code that needs to be configured for the B2C session behaviour?

    app.UseRewriter(
        new RewriteOptions().Add(
            context =>
            {
                if (context.HttpContext.Request.Path == "/MicrosoftIdentity/Account/SignedOut")
                {
                    context.HttpContext.Response.Redirect("/Home/Index");
                }
            }));
When you want to sign the user out of the application, it isn't enough
to clear the application's cookies or otherwise end the session with
the user. Redirect the user to Azure AD B2C to sign out. If you fail
to do so, the user might be able to reauthenticate to your application
without entering their credentials again.
The logout endpoint can receive an optional post_logout_redirect_uri parameter in the query string, where you can specify another URL to which your user will finally be redirected by B2C. That can be the address of any resource, e.g. your homepage or your own page showing a "You successfully logged out of our service" message to the user.
post_logout_redirect_uri - The URL that the user should be redirected to after successful sign out. If it isn't included, Azure AD B2C shows the user a generic message.
For more details refer to this document, and also check this SO thread.

Azure AD B2C "email" claim is missing from JWT with standard sign up policy

I'm working on a web app that uses AAD B2C for authentication. I have set up the default inbuilt sign up/sign in flows for it, and it's all working fine. However, I have noticed that instead of returning a claim with a single primary email of the user, it returns a collection of emails; in my test case it is a collection which only contains my only email.
I'm curious: is it possible to configure it in such a way that it would include a primary email address claim in the JWT when I sign in? From what I have seen when configuring attributes to collect/return for my base user flows, it is possible to collect email when the user signs in, but only the "EmailAddresses" collection can be marked to be returned with the token. Is there a way to change this behavior, or is it by design and I am missing a bigger picture?
This is by design!
Take the SignIn/SignUp policy as an example: you can see that the user attribute displays the email address as a string.
But the application claims show the email address as a StringCollection.
The user attributes are the information which AAD B2C collects from the user. So B2C collects only a single email, and the email address is a string. But the JWT claims are the information which B2C returns to the relying party app. Since there can be more than one email here (coming from multiple sources, such as a federated IdP), this is a collection. Therefore, it is normal for you to get a collection of email addresses returned. This is by design, and there is currently no way to change this behavior.

user does not exists in the tenant directory error when calling microsoft graph api

I'm trying to call the Microsoft Graph API; I have followed the instructions in the Microsoft documents as below:
1- app registration in the Azure portal
Supported account types: all Microsoft account users
2- calling 'https://login.microsoftonline.com/',tenant_id,'/oauth2/v2.0/authorize' with these parameters:
    client_id <- # Application Id - on the Azure app overview page
    client_secret <- # the secret key for my app from the Azure portal
    scope <- 'https://graph.microsoft.com/.default'
    grant_type <- 'password'
    username <- 'XXX#outlook.com'
    password <- # the user password
    tenant_id <- # tenant id for my app from the Azure portal
but it gives this error:
AADSTS50034: The user account {EmailHidden} does not exist in the <tenant_ID> directory. To sign into this application, the account must be added to the directory.
I have registered my app with the same account that I passed through the API.
I want to call my todo list from Graph.
Based on #MdFaridUddinKiron's response I added some more explanation:
I think something in my domain in Azure is wrong; these are some screenshots of it:
1- it shows "common" for endpoints, what should I use? "common" or my tenant:
2- my app authentication tab has some differences, is it important?
3- My domain overview page looks like this:
4- the user is added in my active directory
5- user application page:
6- user assigned role:
I tested the Microsoft Graph API successfully with the same user in the Graph Explorer; I am getting confused about how the authentication flow must be.
I just want to call my own todo tasks.
As per your comment, please follow the detailed steps:
Make sure the email you are trying to get the token with exists in the Azure AD user list, which is shown below in detail.
    https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token
    client_id:b603c7be_Client_id_e61f925
    scope:https://graph.microsoft.com/.default
    client_secret:NpmwO/KDJ_client_secret:NpmwO_W0kWf1SbnL
    username:tenentUser.onmicrosoft.com
    password:YourUserPassword
    grant_type:password
See the screenshots (steps 1 to 4); I am getting the token as expected.
Filter your user from your Azure Active Directory user list as shown below.
Note:
The requested token user must be a tenant user, for example YourUser#Yourtenant.onmicrosoft.com.
The user password must be the correct one that you are using in the token request.
Make sure your user belongs to the Azure portal on your tenant.
Your Client Id belongs to that tenant.
The application secret is valid and not expired.
Update:
What should I use? "common" or my tenant?
It depends: if you have many tenants, in that case you can use common.
For example, the user need not remember a specific tenant; they would
automatically be redirected to the specific tenant as per the credentials
they gave.
For more information you could refer to the official document.
Feel free to share if you are still having a problem.
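The token request above, as an added example that is not part of the original answer: it builds the v2.0 token endpoint request for the resource-owner password grant, extracts the AADSTS code from an error body (the AADSTS50034 case from the question), and inspects the tid claim of a returned access token to confirm it was issued by the expected tenant. The tenant, client and user values are constructed placeholders; make_unsigned_sample_token builds an unsigned JWT-shaped string for offline testing only.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Constructed placeholder; replace with your own tenant (not "common").
TENANT = "YourTenant.onmicrosoft.com"

# Constructed sample of the error body the token endpoint returns for a user
# that is not in the tenant directory (code taken from the question above).
SAMPLE_ERROR = {
    "error": "invalid_grant",
    "error_description": "AADSTS50034: The user account {EmailHidden} does not "
                         "exist in the <tenant_ID> directory.",
}

AADSTS_CODE = re.compile(r"AADSTS(\d+)")


def build_ropc_token_request(tenant, client_id, client_secret, username, password):
    """Return (url, form_body) for the v2.0 token endpoint using grant_type=password."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "username": username,
        "password": password,
        "grant_type": "password",
    }
    return url, urlencode(form)


def aadsts_code(error_json):
    """Extract the numeric AADSTS code from a token-endpoint error body, or None."""
    m = AADSTS_CODE.search(error_json.get("error_description", ""))
    return int(m.group(1)) if m else None


def _b64url_json(segment):
    segment += "=" * (-len(segment) % 4)          # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))


def make_unsigned_sample_token(payload):
    """Constructed, UNSIGNED JWT-shaped string for local testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


def token_issued_for_tenant(access_token, expected_tenant_id):
    """Inspect (do not verify) the JWT payload and compare its tid claim."""
    payload = _b64url_json(access_token.split(".")[1])
    return payload.get("tid") == expected_tenant_id
```

This only inspects the token; signature verification is the job of the resource server, so never treat token_issued_for_tenant as an authentication check.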

Azure b2c signup/sign in using mobile number and code(no password)

I have the following scenario:
Sign up:
User enters mobile or email,
MFA to mobile or email for verification,
Password is set only if email is used; for mobile sign-up, no password.
Sign in:
User can sign in using email id/password with MFA
or
User can sign in using mobile/code (sent to the user's mobile).
This requirement is somewhat similar to Azure AD B2C - sign up/in using email OR mobile.
Please let me know how to achieve phone with code instead of password.
We can achieve this with Custom Policies. But Azure AD B2C cannot discern whether the user gave a mobile number or an email address.
Create a self-asserted page which asks the user for Email or Phone in a single text field.
Call a validation technical profile (VTP) as part of this self-asserted technical profile.
This VTP will be a REST API technical profile which sends the user's input to an API.
The API should format the number correctly if it's a phone number, e.g. +4412345678, and send it back with another claim that flags whether it's an email or a phone number.
Based on the flag, use a Precondition with ClaimEquals on an Orchestration Step which calls the Azure MFA technical profile, and pass in the formatted phone number claim as an input claim. The user will then do an SMS/phone call and be logged in.
Create another Orchestration Step with a precondition which handles the flag for email. This one will launch a self-asserted page with the email as an input claim. The OutputClaim will be Verified.Email, such that the user must do email verification. The user is then logged in.
Have a look at the samples here too:
https://github.com/azure-ad-b2c/samples
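The validation API the answer above describes, as an added example that is not part of the original answer or of the azure-ad-b2c samples: it classifies the single sign-up field as an email or a phone number, normalises the phone number to E.164 (the +44... form mentioned above), and returns the claims in the shape a REST API technical profile expects, with HTTP 409 and a userMessage when the input is neither. The input claim name signInName and the default country code are assumptions.

```python
import json
import re

DEFAULT_COUNTRY_CODE = "+44"   # assumed country for nationally formatted numbers

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
E164_RE = re.compile(r"^\+[1-9]\d{7,14}$")     # E.164: + then 8 to 15 digits


def normalise_phone(raw, default_cc=DEFAULT_COUNTRY_CODE):
    """Return the number in E.164 form, or None if it is not a plausible phone number."""
    digits = re.sub(r"[\s\-().]", "", raw)
    if digits.startswith("00"):          # international prefix written as 00
        digits = "+" + digits[2:]
    elif digits.startswith("0"):         # national trunk prefix
        digits = default_cc + digits[1:]
    elif not digits.startswith("+"):
        digits = "+" + digits
    return digits if E164_RE.match(digits) else None


def classify_identifier(raw):
    """Classify the single field as 'email' or 'phone'; None if it is neither."""
    value = raw.strip()
    if EMAIL_RE.match(value):
        return {"identifierType": "email", "email": value.lower()}
    phone = normalise_phone(value)
    if phone:
        return {"identifierType": "phone", "phoneNumber": phone}
    return None


def handle_validation_request(body_json):
    """Emulate the REST technical profile endpoint: B2C posts the input claims as
    JSON; reply with output claims, or with 409 plus userMessage to fail validation."""
    try:
        claims = json.loads(body_json)
    except ValueError:
        return 400, {"version": "1.0.0", "status": 400, "userMessage": "Bad request"}
    result = classify_identifier(str(claims.get("signInName", "")))   # assumed claim name
    if result is None:
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": "Enter a valid email address or phone number."}
    return 200, result
```

The identifierType value is what the ClaimEquals precondition on the orchestration steps branches on.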

AAD: preventing account picker

Is there any way (an OIDC auth request parameter) that I could use to prevent AAD from doing account discovery when I send the user to my AAD tenant (not /common)? Currently AAD displays a page asking for the user's email (I presume in case the user is a B2B user in my directory) and only then sends the user to my ADFS (my federation service). I would like the user to only see ADFS.
#juunas' suggestion to use the domain_hint= parameter and #Rohit's to remove the login= parameter did the trick. Thanks!