I have a nodejs webapp with login, signup pages (text fields to enter username, passwd and "Login" button). Other pages in the UI and Backend APIs should be accessible only to authenticated users.
What options do i have if i want to authenticate users using Azure AD (Clicking the "Login" button on the UI should authenticate against Azure AD)? Would the flow be different If i want to authenticate both internal (associates with AD credentials) and external users (end customers not in our AD)
TIA.
What options do i have if i want to authenticate users using Azure AD
(Clicking the "Login" button on the UI should authenticate against
Azure AD)?
In the B2C, you could use the direct sign-in by the username or the identity provider.
Would the flow be different If i want to authenticate both internal
(associates with AD credentials) and external users (end customers not
in our AD)
There is no difference. If you don't set up direct sign-in, all the user will see the first page for the user to choose the provider, and then will redirect to the related provider login page.
You have to create a B2C directory and create a web app there, then you can create Signin or Sign Up Policy. Once you are able to create that, open it and select the web app you have created and a redirect url to which you want your user to redirect to afetr successful login. Now hit the Run Now button at the bottom of the policy page. You should see a login page. If you are using it for the 1st time, you have to sign up otherwise you can signin directly. That will do for you.
There is no diff if you are signing in a user who has the ad credentials or not. They still have to signup in the b2c directory for the 1st time as the user profile they have is for the Azure AD directory and not for Azure AD B2C.
There is one thing to consider in min, what type of Authentication you want to follow, OpenId or EasyAuth.
You can test these things out and that should solve your problem. If you still face any challenge, you can let me know here.
Related
I am working on web based application where I want to redirect the user to our application signup page when non-Azure AD user(Guest user) is trying to sign in through Azure AD SSO sign in page. Is there way to customize the Azure AD SSO sign in page and redirect the user except company branding. Or is it possible to build form based authentication page and integrate with Azure AD without using B2C?
We already have set the post_log_in_redirect_uri and post_log_out_redirect_uri and working as expected on login/logout.
I'm trying to integrate Azure AD B2C with my App Service using the Authentication / Authorization menu in the portal (also called EasyAuth).
This is what I did:
Registered the application in Azure B2C
Recorded the App ID
Defined user flows (just Sign In)
Set up identity provider (Azure AD)
Tested the user flow, with Redirect URI pointing to jwt.ms, to see the result - works fine
Enabled Authentication / Authorization in the App Service in the Portal
Configured Azure AD authentication with the App ID from above and the link to the endpoint metadata
But now, when I access the App Service, I'm redirected to a "Logging in..." page which immediately goes to the jwt.ms page, with no JWT data, no login page, and no opportunity to enter my credentials.
Just an empty jwt page.
I couldn't find anything in the docs that can explain this.
What am I missing?
I have a consumer facing application (call it consumer.com) whose user identities is managed via. Azure AD B2C. This consumer.com app has admin screens which is accessed by the internal staff whose identity is managed by Azure AD. To enable SSO experience for the internal staff the organizations Azure AD is registered as Custom Identity provider in B2C tenant. This allows the internal staff to use the corporate Azure AD credentials to login to the consumer.com application by clicking on the appropriate 'External identities' button. In this flow if the internal user has already authenticated to Office365 then clicking on the 'External identities' button will automatically authenticate user. I was wondering if the experience can be improved by cutting short the need for internal user to click on the button, perhaps the user session that exist in the browser can be used to bring in this experience. How to achieve this?
I am also looking for a solution where user will click on a link (Consumer app button) within one of Office365 apps which would then redirect to consumer.com application, of course the expectation here is to directly authenticate without needing to go through B2c login page. If this can be achieved, what information should the url link contain?
Use the domain hint parameter:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/direct-signin#redirect-sign-in-to-a-social-provider
I want to built a custom page where we ask the user for their email and then redirect them to the particular IDP page (we have logic built around this) using domain_hint, for example: domain_hint=facebook.com.
Have a look at these samples:
Demonstrates how to implement a sign in journey, where the user is automatically directed to their federated identity provider based off of their email domain. And for users who arrive with an unknown domain, they are redirected to a default identity provider.
https://github.com/azure-ad-b2c/samples/blob/master/policies/default-home-realm-discovery
Demonstrates how to create a home realm discovery page. On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name.
https://github.com/azure-ad-b2c/samples/blob/master/policies/home-realm-discovery-modern
We have several Azure AD B2C applications for user login. We are thinking of implementing hardware login to avoid user to login in credentials (username and password). They can just get logged in with NFC cards or faceId
An example of an app, which has been integrated using AppAuth for iOS with Azure AD B2C and uses Touch ID to protect access to the refresh tokens that are issued by Azure AD B2C, can be found at https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/AppSamples-iOS-TouchID-master.
You should be able to extend this to Face ID.