I'm building a static website in Azure and want to use this function:
https://learn.microsoft.com/de-de/azure/static-web-apps/authentication-authorization
When I try to invite a user, it explains that an administrator as to accept this invitation, but where does he have to do this? I cannot see an option for this in portal.azure.com
it also seems not to be possible to "preload" the roleassignments to the users. because on the "acccessmanagement" site for this website in portal.azure.com it grants the access to the complete resource in portal.azure.com, but I just want the user to use the website.
Any ideas?
Thanks,
kind regards
If you are following the invitation instructions in that document, you need to copy the link from the "Invite" link box and actually send it to the person.
Navigate to a Static Web Apps resource in the Azure portal.
Under Settings, click on Role Management.
Click on the Invite button.
Select an Authorization provider from the list of options.
Add either the username or email address of the recipient in the Invitee details box. For GitHub and Twitter, you enter the username. For all others, enter the recipient's email address.
Select the domain of your static site from the Domain drop-down.
The domain you select is the domain that appears in the invitation. If you have a custom domain associated with your site, you probably want to choose the custom domain.
Add a comma-separated list of role names in the Role box.
Enter the maximum number of hours you want the invitation to remain valid.
The maximum possible limit is 168 hours, which is 7 days.
Click the Generate button.
Copy the link from the Invite link box.
Email the invitation link to the person you're granting access to your app.
Related
I have setup a site but when i am opening this site i am getting this
type error, Authorization Required
You must first log in or register before accessing this page. If you
have forgotten your password, click Forgot Password to reset it.
click and check image
You need to make sure that the visualforce page which you created has access to Guest user profile. To navigate to Guest user, do as below:
Go to Setup -> Develop -> Sites -> Click Site name -> Public Access Settings
The sites under Digital Experiences / All sites are called Experience Cloud sites.
The sites under Sites and Domains > Sites are called Salesforce sites.
These are different categories of sites and they come with different behaviors.
Based on the screenshot you shared with me, (the url has force.com included), it looks like your site is in the second category, please be aware of that:
Users from the Salesforce sites can only see their own data. If your program is trying to access data recreated by other, you will get the Authorization Required error.
As a way to test this, try to comment out the SOQL statements, the error message may go away.
also check out the following link:
https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_guest_user.htm&type=5&release=228
The Secure guest user record access setting was enabled in Summer ’20, but could still be disabled during that release. To safeguard your Salesforce org’s data, in Winter ’21, this setting is enabled in all orgs with communities or sites and can't be disabled. The Secure guest user record access setting enforces private org-wide defaults for guest users and requires that you use guest user sharing rules to open up record access. You also can't add guest users to groups or queues or grant guest users record access through manual sharing or Apex managed sharing.
I am trying to access the multiple communities in multiple salesforce sites with same connected-app but could not.
For example: I have created the two salesforce sites A and B. And created connected-app in A. To access rest API of A, i could authenticate with connected-app in A, But how to connect with B with using the same client_secret and client_id by differs in user_name and password?
Or is there any way to connect with REST API with username and password as creds?
Example: There is community_A1, community_A2 in Site A and community_B1 , community_B2 in Site B.
I need to access communities in both the Sites
This should work out of the box, what errors you're getting?
You can have 1 set of consumer key and secret and (if admin in target org didn't block it) you could use this to login to any SF in the world, sandbox or production, core SF or community.
Imagine being a developer of mobile app that pulls data from salesforce. You'd want to have just 1 pair of keys, not install separate key for every org people might install your app...
All org-specific stuff you need is username, password and login url. For community the login url will look like https://sandboxName-MyDomain.cs123.force.com/communityName
Once you have that, you can inspect all the OAuth2 stuff at https://sandboxName-MyDomain.cs123.force.com/communityName/.well-known/openid-configuration
Have you played with https://openidconnect.herokuapp.com/ ?
Paste your community url, for now keep the client and secret as is, click next. Login to community and keep clicking next. It should work fine and at the end - give you access_token / session id.
Now close this browser completely / open new incognito window and do it again. This time give your login url but also client and secret. Next, Next... Check the user's login history, it should mention your connected app now.
Now close this and do it last time, with the other community's login url and another user's credentials but still with your client and secret.
is there any way to connect with REST API with username and password
as creds?
Not for community. Internal users can get access in one go with https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_username_password_flow.htm&type=5 but community/experience users need this interactive login, there has to be a human consent / password typing step. And anyway it's not very secure flow. "Experience Cloud sites don’t support the OAuth 2.0 username-password flow."
In a pinch you could try the SOAP API's login method but from what I remember you may need to pass the community's Id in the message then
Connected-app is global metadata in salesforce. Once we create a connected-app in one org, then can access any salesforce site with the same client_id,client_secret, unless the admin has blocked the access.
I needed to add the custom profile into the community members to allow the access to the community via API (Community workspace -> administration -> members -> profiles.)
I have an Azure B2C tenant with some identity providers (Facebook, LinkedIn, etc) and a custom claim where the user is able to choose a gender.
During the sing up with one of those, I'm able to get the gender's claim in the token, but this doesn't happen when the user signs in. I was wondering where is the right place to map/include this custom claim since I've been using the base custom policies: SocialAndLocalAccount
Any clue about where to get it? I have my custom claim inside the SelfAsserted-Social's Technical Profile but no luck during the sign in.
The SelfAsserted-Social technical profile will only be executed on the first time the user connects with his social account.
As you can see from the comments in the user journey
Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId).
You need to persist that claim if you want to reuse it as per comment here
If a claim is to be persisted in the directory after having been collected from the user, it needs to be added as a PersistedClaim in the ValidationTechnicalProfile referenced below
You then need to read it from AD in your AAD-UserRead... technical profiles
And output it in your Relaying Party's output claims.
Follow this guide https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-configure-user-input#add-a-claim-to-the-user-interface for the Social profiles where city in the examples is your gender claim.
I have Azure AD B2C tenant set up with a signin/signup policy which includes sign up attributes of Email Address and Postal Code.
When anyone access any URL in the API secured by that tenant, then they get the nice Default Signin/Signup screen, and if they are signing up, then there is an text box where they can enter their postcode.
My question is, is there an equivalent Default Profile Edit page where user can see/edit their Profile (which would consist of email + postal code only [although I believe that based on Can we change email address of user from "Profile editing policies" in Azure AD B2C? actually email wouldn't be editable, so lets say just Postal Code].
If there is a way for a users to "log in" and see/edit their profile via a default profile edit screen and if so, what is the URL for that? https://login.microsoftonline.com/static//somthing?
Or can the user's profile editing only be done via either a Page UI Customization or via a separate web page plus Graph API calls only?
OK I think I've answered my own question here. I now see that on the Profile Editing Policy blade, there is a Run Now endpoint
https://login.microsoftonline.com/yourtenantname.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_EditProfilePolicyOrWhateverYourEditPolicyIsCalled&client_id=your-application-id-guid&nonce=defaultNonce
When I run that end point I get a very basic editing screen showing the Profile attributes.
This is the kind of thing I was driving at in my question.
Also, not sure how I didn't previously see https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-quickstarts-web-app
It has lots of information and in the "test drive an Azure AD B2C Web app" section shows what I need to know pretty much exactly.
Finally, this document https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc#send-a-sign-out-request
has a lot of information including how to log out:
GET https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1_sign_in&post_logout_redirect_uri=https%3A%2F%2Faadb2cplayground.azurewebsites.net%2F
As per the sign-up or sign-in policy, you can create a profile editing policy, which enables an end user to view and edit the profile attributes for their local account.
The end user can't edit their e-mail address via this profile editing policy.
You can otherwise implement the profile editing UI and integrate through the Graph API to get and set the profile attributes for the local account.
I am using Easysocial Extension on my Joomla 3.0 site. i was able to successfully install and integrate it. But when ever a user get register i have to approve them to use the site. And don't want to approve every user, i want it in a auto mode. I have tried to Change the option for "New User Account Activation" to "None" under User Manager but No go. I have searcher for other options in Easysocial but not found any.
Can any one help in resolving this issue.
Do the following:
Login to the admin panel of the Joomla Back-end
Go to: Component > Easysocial > Settings > Profile types
Select your members group
Go to the Registration tab
Select Registration Type and Oauth Registration type (various options are there)
This may work, set these preferences in Joomla users > options
Allow user registration - Yes
New user registration Group - Registered
New User Account activation - Self
User will now need to click an activation link which will then authenticate them.