Using AAD B2C, I'd like to enable end-users to login using their Microsoft-Live or Google identity providers (delegate the authentication). However, I have a set of custom claims in AAD B2C for my users (some roles, for example). So, once the user authenticates into google, I need to add or "map, merge" the claim set with this user's custom claims in AAD B2C and return the consolidated claim-set to my application.
My question: where can I add or map these claims in the claimset returned by AAD B2C? In some Identity Providers this is possible using filters. Not yet finding the feature in AAD B2C, pointers?
EDIT: found this:
- https://aadguide.azurewebsites.net/claims/#claim-augmentation-/-enrichment
I'm in a pickle, lacking the experience that would provide me with guidance in my project, and am seeking pointers from those who have Azure AD, SSO and Federation experience.
I am building an employee self service system and using Azure AD for identity management. I would like the user to be able to sign in using their employee ID # and password, not their email address; there should also be an option for the user to register for online access using their employee ID # and other personal information - their Azure identity already having been established by human resources.
The sign in flow would take the user to the Microsoft login page which would in turn detect that the user needs to sign in via a custom login page and redirect them there. Once they are signed in, my server would transmit their identity to Azure AD and grant them access based on the Azure Application permissions.
I'm simply really confused about how to start setting this up, if it's even possible. I'm aware of XSS but isn't Federation and SSO with SAML2 secure?
Do I need to use a federation application as a middle-man such as Ping Identity?
Thanks for any help!
Using e.g. Ping as an IDP generally won't help because Azure AD is already an IDP.
Microsoft Azure AD login pages can't be accessed by API and can't be customised to the extent you want.
And you can only sign-in with an email address because it's designed for domain-joined corporate customers.
You can do a lot of what you require with Azure AD B2C and custom policies. That will allow you to sign-in with a user name (= employee id) and you can create workflows.
You could then federate Azure AD and Azure AD B2C.
Your other option is to use an IDP that does allow authentication via an API e.g. Auth0.
Then you could have a custom login page that authenticates as appropriate.
Using Ping ID and other similar products is the fastest way to utilize SSO.
Is there any Azure B2C end-user queryable endpoint that will allow that owner to identify which tenants they have authenticated to?
A dashboard for B2C users that is an aggregate of all tenants they have federated with? Is there some extension of the /common endpoint I could make an OAuth query to? (ideally including AAD B2B guest accounts)
https://account.live.com/Activity
https://account.activedirectory.windowsazure.com/r#/applications
myapps.microsoft.com
4/24/20 Edit:
I found this in the portal that implies a portal is available.
I'm looking for the API in which to programmatically add applications to it before a migration.
I need to have the applications already 'signed in' or linked to applications I own in the B2C directory (OIDC/SAML2 apps)
Your question is the equivalent of asking, "Can I find out if I registered at StackOverflow and Facebook with this/my email?". You cannot do this; AAD B2C consists of isolated tenancies, each representing a single organisation's identities. There is no equivalent of the /common endpoint for AAD B2C. In AAD and AAD B2B accounts, there is a mapping created from the original account to identify which tenants they are in. This is to maintain a single identity across the Microsoft ecosystem.
In AAD B2C, this doesn't exist; this goes back to my first sentence for 'why': they are separate applications and inherently have no relationship, nor do the identities.
I am using Azure AD B2C to connect a .Net core application with an Azure AD Enterprise application for authentication using the SAML protocol. I am using custom policies to enable SAML.
I have used the custom policies starter pack given in Microsoft Docs, and authentication is working properly with given name, surname, name and IDP as claims, and I want some additional claims that my application is using.
I need DOB and MemberID as claims for my application and there was no option to add custom claims to the active directory where my enterprise application is.
I have another IDP setup in Okta and luckily I could add custom claims like DOB and MemberID to user profile in Okta but still I am unable to get those claims after authentication.
This is an Azure AD question.
The problem is that DoB etc. is not part of the schema.
If you are using Azure AD Connect and these attributes are in AD, you can use directory extensions to synch them up.
You can synch them up to extensionAttributes that are in the SAML drop-down.
Then add them as outputs in B2C.
If not, you can add extension attributes to Azure AD and use a custom policy REST API that calls Graph API (either directly or via Azure function) to get them.
Also refer to this.
When I log into Azure AD B2C I don't get the preferred_username claim included id_token. Is there a way to configure this from the Azure portal? Pretty sure I would get this claim in regular Azure AD OIDC implicit flow.
I've tried looking at custom claims but it seems like this should be a built-in claim that gets included or mapped to some attribute.
This is a known issue with B2C and the MSAL libraries.
From the MSAL .NET wiki: B2C does not return a value in the IdToken for the preferred_username because of limitations with the social accounts and external identity providers (IdPs). Azure AD returns a value for preferred_username because it knows who the user is, but for B2C, because the user can sign in with a local account, Facebook, Google, GitHub, etc...there is not a consistent value for B2C to use for preferred_username. To unblock MSAL from rolling out cache compatibility with ADAL, we decided to use "Missing from the token response" on our end when dealing with the B2C accounts when the IdToken returns nothing for preferred_username. MSAL must return a value for preferred_username to maintain cache compatibility across libraries.
If you want to display a value in the UI, you should be able to use the login hint to pass in a username to pre-fill the sign-in UI. As noted in this MSAL .NET issue.
This is a known issue with Azure AD B2C.
This is because Azure AD B2C does not return a value in the IdToken for the preferred_username because of limitations with the social accounts and external identity providers (IdPs). Azure AD returns a value for preferred_username because it knows who the user is, but for Azure AD B2C, because the user can sign in with a local account, Facebook, Google, GitHub, etc., there is not a consistent value for Azure AD B2C to use for preferred_username.
Here are the workarounds.
This question already has an answer here:
What's the difference between Azure AD B2C tenant and normal Azure AD tenant?
(1 answer)
Closed 3 years ago.
I am currently the admin for an AAD B2C tenant (I can add B2C applications, flows/policies, etc.) but I can view only some AAD stuff. I understand that AAD B2C is a different service that is somewhat under our organization's AAD umbrella, but I don't have access to the AAD configuration.
I noticed that all the AAD B2C users are also shown as AAD users, and any new B2C app automatically appears in the App Registrations on the leftmost blade in the Azure portal.
All these make me think that AAD B2C uses AAD underneath. This is indirectly confirmed by the existence of a special application registered with the AAD (named "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data."), which serves as a bridge between the two.
Does anybody know any more details about this relationship? I searched a lot but couldn't find much about it.
Azure AD B2C tenants (i.e. directories) are special-purpose Azure AD tenants with some features (and some limitations) specifically designed for B2C scenarios.
So yes, Azure AD B2C uses "regular" Azure AD for the core directory infrastructure, and adds all of the consumer-centric capabilities (sign-in/sign-up flows, Identity Experience Framework policies, full branding customization, etc.).