Customize User Experience in Azure AD B2C custom policy - azure-active-directory

I want to build a custom page where we ask the user for their email and then redirect them to the particular IDP page (we have logic built around this) using domain_hint, for example: domain_hint=facebook.com.

Have a look at these samples:
Demonstrates how to implement a sign-in journey where the user is automatically directed to their federated identity provider based on their email domain. Users who arrive with an unknown domain are redirected to a default identity provider.
https://github.com/azure-ad-b2c/samples/blob/master/policies/default-home-realm-discovery
Demonstrates how to create a home realm discovery page. On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name.
https://github.com/azure-ad-b2c/samples/blob/master/policies/home-realm-discovery-modern
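As an added example (not code from the linked samples or from the original post): the home realm discovery step done in the relying party before redirecting to B2C, using the email domain to choose a domain_hint and falling through to local sign-in for unknown domains. The domain mapping, policy name and authorize endpoint are placeholders.

```javascript
// Added example: client-side home realm discovery for an Azure AD B2C authorize request.
// The mapping below is a placeholder; in the linked samples the equivalent logic lives
// inside the custom policy itself.
const IDP_BY_DOMAIN = {
  'contoso.com': 'contoso.com',   // federated Azure AD tenant, passed as domain_hint
  'facebook.com': 'facebook.com', // social IdP configured in the policy
};
const DEFAULT_IDP = null; // unknown domain: stay on the default local-account sign-in

// Extract a normalized domain from an email address. Anything that is not a single
// user@domain pair is rejected, so a crafted value cannot smuggle extra URL parameters.
function emailDomain(email) {
  const m = /^[^\s@]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$/.exec(String(email).trim());
  return m ? m[1].toLowerCase() : null;
}

// Decide which identity provider to hint for this email. Returns the domain_hint value,
// or null when the user should see the default sign-in page.
function homeRealm(email) {
  const domain = emailDomain(email);
  if (domain === null) return DEFAULT_IDP;
  return Object.prototype.hasOwnProperty.call(IDP_BY_DOMAIN, domain)
    ? IDP_BY_DOMAIN[domain]
    : DEFAULT_IDP;
}

// Build the B2C authorize URL. login_hint pre-fills the username so it is not retyped;
// domain_hint is a routing convenience only: B2C still authenticates the user and the
// backend must validate the token it eventually receives.
function authorizeUrl(base, email) {
  const url = new URL(base); // base is the policy's /oauth2/v2.0/authorize endpoint (placeholder)
  url.searchParams.set('login_hint', String(email).trim());
  const hint = homeRealm(email);
  if (hint) url.searchParams.set('domain_hint', hint);
  return url.toString();
}
```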

Related

Azure AD B2C and AD Connect

I need to synchronize users from my on-prem AD to an AD B2C tenant.
Now, the docs clearly state this is not possible, but one of the workarounds offered in other questions (like this one: Can I Use ADConnect to migrate users to Azure B2C) is to create a regular Azure AD, sync the users to it, and then configure this Azure AD as an identity provider for the B2C.
This obviously works; however, it will display a link on the sign-in page to log in using the Azure AD tenant (similar to what happens with the Facebook identity provider). What I'm looking for is a seamless experience, where the users sign in using the regular B2C pages, as if they're local users, and the users' profiles are retrieved from the Azure AD tenant.
How can that be achieved? How can I use the B2C sign in pages and get the users from the Azure AD tenant?
Thanks!
The easiest way is to use this sample.
"On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name."
So no button clicking.
However, this creates the user as a "shadow" account in B2C. It's not a local account. If the user already has a local account, then you can link the two.
Otherwise, there are some migration samples.
Why do you need Azure B2C? If all users are in the AD, then just use AD as it was intended instead of trying to shoehorn them into something that it wasn't designed for. As you say, the added button to log in as an AD user is there for this very purpose. I use that and it works well: if you are an internal user (B2B), go this way with your normal password; all other public users (B2C) use the username and password front and centre on the screen.
If you migrate users to B2C so they have both, that would be annoying as you would have no single sign-on.

azure invited user with external identity password reset/change

I have an application where currently all the users are in the Azure AD tenant of our subscription. So in the application, to change their password we are dealing with the Graph API. Now we have to change this so that the users will not be maintained in our tenant, but we will be adding federation for Google and Facebook external identities so that users will be using their respective account credentials. I know we can't control this from the app. Now my question is: how do we manage this password change/reset in our app? How do we design this?
Thanks,
mbr
Just like #juunas said, you need to redirect them to their login providers' reset page. For example, if the user who is using facebook account clicks 'Forgot Password' button, just redirect the user to https://www.facebook.com/login/identify/?ctx=recover&ars=royal_blue_bar

Azure AD to authenticate users to public facing webapp

I have a nodejs webapp with login, signup pages (text fields to enter username, passwd and "Login" button). Other pages in the UI and Backend APIs should be accessible only to authenticated users.
What options do I have if I want to authenticate users using Azure AD (clicking the "Login" button on the UI should authenticate against Azure AD)? Would the flow be different if I want to authenticate both internal users (associates with AD credentials) and external users (end customers not in our AD)?
TIA.
"What options do I have if I want to authenticate users using Azure AD (clicking the "Login" button on the UI should authenticate against Azure AD)?"
In B2C, you could use direct sign-in by username or by identity provider.
"Would the flow be different if I want to authenticate both internal (associates with AD credentials) and external users (end customers not in our AD)?"
There is no difference. If you don't set up direct sign-in, all users will see the first page, where they choose the provider, and will then be redirected to the related provider's login page.
You have to create a B2C directory and create a web app there; then you can create a Sign-in or Sign-up policy. Once you have created it, open it, select the web app you have created and a redirect URL to which you want your user to be redirected after successful login. Now hit the Run Now button at the bottom of the policy page. You should see a login page. If you are using it for the first time, you have to sign up; otherwise you can sign in directly. That will do for you.
There is no difference if you are signing in a user who has AD credentials or not. They still have to sign up in the B2C directory for the first time, as the user profile they have is for the Azure AD directory and not for Azure AD B2C.
There is one thing to keep in mind: what type of authentication you want to follow, OpenID or EasyAuth.
You can test these things out and that should solve your problem. If you still face any challenge, you can let me know here.

Can we use Face ID and NFC cards with Azure AD B2C login to avoid user submitting credentials every time they login?

We have several Azure AD B2C applications for user login. We are thinking of implementing hardware login to avoid users having to log in with credentials (username and password). They could just get logged in with NFC cards or Face ID.
An example of an app, which has been integrated using AppAuth for iOS with Azure AD B2C and uses Touch ID to protect access to the refresh tokens that are issued by Azure AD B2C, can be found at https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/AppSamples-iOS-TouchID-master.
You should be able to extend this to Face ID.

Azure AD B2C Link to Sign Up Page (Not Sign In)

I'm using Azure AD B2C with msal.js in my React app.
Currently, when the user tries to enter the protected area of my app, msal.js redirects the user to the login page, which provides a link to the sign-up page.
Is there a way for me to send users directly to the sign up page? There are cases when I know the user has not yet signed up so it's bad user experience to send the user first to the sign in page then let them click and go to the sign up page. It would be nicer to just send them directly to sign up instead.
As well as the sign-up or sign-in policy, you can create a sign-up only policy, which allows a new user to sign up with a local account and/or a social account.