https://learn.microsoft.com/en-ca/azure/active-directory/develop/tutorial-v2-android#integrate-with-microsoft-authentication-library
The above document mostly works as captured. However, there are 2 areas that I need help on:
The MSAL Configuration that is generated in the Android configuration page on the AD portal is not similar. The "type" tag that is autogenerated is "B2C" but the documentation refers to "AAD"
The authority URL specified in the document is "https://login.microsoftonline.com/common" which is deprecated.
I have attempted to substitute the AAD reference to B2C and authority URL to b2clogin.com but it doesn't work. Is there a different documentation that supports the new type and authority elements?
As #juunas said in the comments, https://login.microsoftonline.com/common is the authorization method for multi-tenant AAD, and it has not been deprecated. The B2C authorization method is different from AAD, the complete B2C authorization URL as follows: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}.
Related
I'm trying to use Azure B2C OAuth for Alexa account linking with implicit flow.Below is the redirect url from Alexa
https://alexa.amazon.co.jp/spa/skill/account-linking-status.html?vendorId=XXXXXXXXXX
But adding this gives below error in Azure B2C app.
Failed to update xxx-xxxxxxapp application. Error detail: URL may not contain a query string
I tried below link for solving this but its not working
https://blogs.aaddevsup.xyz/2018/04/query-string-is-not-allowed-in-redirect_uri-for-azure-ad/
I also tried auth code grant flow with SPA in B2C. That is also not working with Alexa as it has PKCE - https://github.com/MicrosoftDocs/azure-docs/issues/64073
Anyone succeeded in creating this?
Adding URL parameters isn't allowed in Azure AD B2C.
The document you linked also provides that you use the state parameter. The problem with this is that your Amazon Alexa requires a vendor Id URL parameter.
You can add your own redirection service such that B2C redirects to your service which then redirects to the final application adding any needed query parameters that can be extracted from the B2C claims.
I have an Activiti app which needs to be integrated with the Azure Active directory for user sign in and authentication. The application is registered on the Azure AD and I have the following information:
tenant ID
CID
key
I am trying to follow the steps in the official documentation here, using the implicit flow.
All the examples I could find for it make use of the msal.js library to authenticate users with Microsoft Azure Active Directory accounts. But i need to achieve this without using any libraries. How do I proceed with this?
How and where in the activiti-UI do i need to put in the code to hit the following URL given in the steps
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=id_token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=openid&response_mode=fragment&state=12345&nonce=678910
Any examples on this would be of great help!!
Thanks in advance!
For the doc you choose, it does not use a library.
To refer to this doc, your app is required to be registered in the v2 endpoint, like Application Registration Portal or app registration(preview) in Azure Portal. And you also need to enable Allow Implicit Flow for the Web client.
Send the sign-in request in your browser:
https://login.microsoftonline.com/{tenant-name}/oauth2/v2.0/authorize?
client_id=your application id
&response_type=id_token
&redirect_uri=your application redirect urls
&scope=openid
&response_mode=fragment
&state=12345
&nonce=678910
The response like this:
By this, you could get the id_token for the sign-in user. If you want to get the access_token, you need to replace openid in the scope with the resource url with the format(like microsoft graph: https://graph.microsoft.com/User.Read), and replace the id_token with access_token in the response_type.
The access_token response like this:
If you want to parse the token, you could use jwt.io.
Completely new to B2C. Tried both of these walkthroughs, but I'm missing something still:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still? The problem I have with app registration is that SalesForce gives me a token endpoint URL with a query string:
https://mycompany.cs79.my.salesforce.com/services/oauth2/token?so=00D1h000000Cnli
And B2C won't allow query strings in the reply URL.
Is there any way around this? Salesforce also supports OpenID I think, if that would be better?
::::::::::::UPDATE 6/22::::::::::
SAML:
I found and realized I was missing a critical step on the SalesForce side: adding the authentication provider to my domain's login page. Clicking the new link redirects me to B2C, but I get an immediate error from B2C. Application Insights shows the following exception:
The SAML technical profile 'serviceProviderMetadata' specifies a PartnerEntity URL of 'REMOVED', but fetching the metadata fails with reason 'For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
OpenID:
Using this write-up as a guideline, I've registered the app in B2C and configured the SalesForce side.
Instead of using the Azure AD authorization endpoints, I pulled my B2C tenants endpoints from my meta data URL (login.microsoftonline.com/{tenant}/.well-known/openid-configuration).
This works for my B2C admin account, however, when I try try a test user that isn't a B2C admin I get the following error from the B2C sign-in page:
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'REMOVED' from identity provider 'LINK REMOVED' does not exist in tenant 'MTB2CTest' and cannot access the application '5c8b9f4f-cf28-42fe-b629-b87251532970' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
::::::::::::UPDATE 6/23::::::::::
OpenID:
I’ve found that it works 100% only for my B2C admin account if I don’t use a policy, but doesn't work for other accounts. When I use a policy, only accounts that signed up through the policy can authenticate with B2C (which is great) – but the token doesn’t seem to be reaching SalesForce. I've created two PDFs showing the configuration details and the results from each method (policy and nopolicy) here.
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still?
Not exactly, you no need to register an app at B2C side. All the configuration you do in Policies is enough.
Did you try Salesforce SAML SSO article https://help.salesforce.com/articleView?id=sso_saml.htm&type=5
Check the above article and try to do configurations at Salesforce side and grab the details required by SAML RP
I hope by following both SAML RP and Configure SAML Settings for Single Sign-On articles you can configure B2C as IDP for Salesforce.
I stumbled on this question while trying to implement Azure AD B2C as an IdP for Salesforce. We used Open ID Connect to enable SSO between the two. This involved setting up an Application in Azure AD B2C, enabling the read scope on that application, and configuring the connection in Salesforce using that application, a custom policy returning a JWT token, and a dummy User Info endpoint.
Check out this answer for exact steps on how we set up Open ID Connect: https://stackoverflow.com/a/61639332/13484109
I'm trying to use Azure AD B2C as a SAML Identity Provider.
I am aware that several locations on the web state that B2C does not (yet) support SAML as identity provider (also e.g. answer on this question: Can I integrate a SAML application with Azure AD B2C?).
However, when I read the comparison between built-in policies and custom policies on the "Azure AD B2C Custom Policies" docs, I see that SAML is already supported today as an identity provider.
Also, I found this GitHub walk through: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
Following that walk through, I have an issue in step 5 "Upload Certs" of the first section "Create the SAML Token Issuer" while executing New-CpimCertificate.
I can successfully import the module ExploreAdmin.dll. However providing my credentials while calling New-CpimCertificate, I get this error on the console:
New-CpimCertificate : Unauthorized.
Access to this Api requires feature: 'Advanced' for the tenant: '<myazureb2ctenant>.onmicrosoft.com'.
Any help, thoughts, comments... are very welcome!
Azure AD B2C still does not officially support (even in preview) connecting with apps via SAML (aka being a SAML identity provider).
It only supports connecting to other identity providers via SAML (aka being a SAML relaying party).
The GitHub walk through you came across is an old walk through before the official launch of the Azure AD B2C Custom Policies preview. It talks about features that weren't included in the scope of the preview, such as B2C as a SAML IdP. It also references tools (those PowerShell scripts) and steps that are no longer applicable.
The mention of SAML in the Identity Providers section of the "Azure AD B2C Custom Policies" doc refers to supporting B2C being a relaying party that connects to a SAML Identity providers, not the other way around (where B2C is the SAML identity provider itself).
All that being said, you CAN make your scenario work, with the clear understanding that it's not supported.
You can use that GitHub document you've referenced, swapping out the steps that involve ExploreAdmin and New-CpimCertificate for these instructions that allow you to upload the certificate via the portal:
Go to your Azure AD B2C tenant. Click Settings > Identity Experience Framework > Policy Keys.
Click +Add, and then:
Click Options > Upload.
Enter a Name (for example, YourAppNameSamlCert). The prefix B2C_1A_ is automatically added to the name of your key.
To select your certificate, select upload file control.
Enter the certificate's password.
Click Create.
Verify that you've created a key (for example, B2C_1A_YourAppNameSamlCert).
I have my own identity authority set up using the Identity Server.
I'm running a native windows application and currently I'm using IdentityModel's OidcClient library to connect on the authority and obtain the token.
I want to add support for Azure AD and since I haven't been able to set-up the application on the Azure AD to use HybridWithProofKey flow, and found this MSAL I've decided to give it a shot.
In MSAL there is a PublicClientApplication class with accepts the string authority in its constructor (source)
When passing my URL in this constructor I imagined it would use the discovery service and found the correct endpoints and to its job. But to my suprise this dont work.
I get following error message:
AADSTS50049: Unknown or invalid instance.
Search on github MSAL for AADSTS50049 returned zero results. I've cloned the project and started with debugging.
I've figured out that the request is sent to my authority url but instead there is a GET request on the
GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.0&authorization_endpoint=https%3A%2F%2Fmyidentityserverhostname%2Fidentityserver%2Foauth2%2Fv2.0%2Fauthorize HTTP/1.1
This request is done in this source and it returns the error above.
So, is MSAL intended to use with non azure authorities?
No. It's a proprietary client library for their proprietary backend.
Yes it can,
You need to use the Azure B2C library, it can be configured with other identity provideer, like facebook, google, linked in etc.
There is also an option to utilise a custom IDP, if it conforms to openId
See here.
https://go.microsoft.com/fwlink/?linkid=854174
Using MSAL.NET with a non-MS OpenID Connect provider is unnecessary, as Microsoft.AspNetCore.Identity provides sufficient support for social logins and other OIDC providers.
Also vendors of custom OpenID Connect servers provide own extensions (see IdentityServer docs and OpenIdDict samples).
As per this official example, MSAL is not required if you're only signing users in. They claim:
MSAL is used for fetching access for accessing protected APIs
BTW, if you're interested in MSAL.JS, then it's a completely different story – https://stackoverflow.com/a/73618966/968003.