How do I programmatically upload a built in policy in azure active directory b2c blade?
Does anyone know why the upload policy button is disabled in azure portal?
The Upload Policy button is available for custom policies only.
Related
Current situation: symfony application with authentication via azure AD B2C.
How is it possible to make an authorize check to [https://TENTANT.b2clogin.com/TENTANT.onmicrosoft.com/oauth2/v2.0/authorize via ajax to verify if a customer has an active session on azure AD, i only need to retrieve the azure oid from the token.
Now i redirect the user to [https://TENTANT.b2clogin.com/TENTANT.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_sign_in&client_id=CLIENTID&none=defaultNonce&redirect_uri=REDIRECTURI&scope=openid&response_type=id_token&prompt=login&response_mode=form_post&ui_locales=en but i want to get rid of that.
You can use MSAL method ssosilent(), which opens the auth endpoint via hidden iframe. That succeeds only if there is a valid session cookie at AAD B2C. Note this only works if your app and AAD B2C are on the same root domain name.
Hello Everyone,
I have an Azure AD application with MS Graph's authorizations for get users or calendars.
And i have a B2C tenant with an application and a user flow. the B2C authentification working well in my blazor app, but my B2C Application haven't access at MS Graph's authorizations from my AD Application.
I have trying to make custom scope and declare it in my B2C app or use API connector but nothing work.
I give you screenshots of my AD application and my B2C application:
My AD Application :
API Exposed
API Authorization
If you have a solution or an idea to test...
Thank you in advance..
(Moving from Comments to Answer)
The two screenshots you provided are from AD, and AD tenants and B2C tenants are different. You cannot use applications in the b2c tenant to access resources in the AD tenant.
In addition, for Azure AD b2c applications, it cannot use MS Graph, but can only use AAD Graph, see: here and here.
I am using Aure AD B2C to connect a .Net core application with Azure AD Enterprise application for authentication using SAML protocol. I am using custom policies to enable SAML.
I have used custom policies starter pack given in Microsoft Docs, and authentication is working properly with given name, surname, name, IDP as claims and I want so additional claims that my application is using.
I need DOB and MemberID as claims for my application and there was no option to add custom claims to the active directory where my enterprise application is.
I have another IDP setup in Okta and luckily I could add custom claims like DOB and MemberID to user profile in Okta but still I am unable to get those claims after authentication.
This is an Azure AD question.
The problem is that DoB etc. is not part of the schema.
If you are using Azure AD Connect and these attributes are in AD, you can use directory extensions to synch them up.
You can synch them up to extensionAttributes that are in the SAML drop-down.
Then add them as outputs in B2C.
If not, you can add extension attributes to Azure AD and use a custom policy REST API that calls Graph API (either directly or via Azure function) to get them.
Also refer this.
Completely new to B2C. Tried both of these walkthroughs, but I'm missing something still:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still? The problem I have with app registration is that SalesForce gives me a token endpoint URL with a query string:
https://mycompany.cs79.my.salesforce.com/services/oauth2/token?so=00D1h000000Cnli
And B2C won't allow query strings in the reply URL.
Is there any way around this? Salesforce also supports OpenID I think, if that would be better?
::::::::::::UPDATE 6/22::::::::::
SAML:
I found and realized I was missing a critical step on the SalesForce side: adding the authentication provider to my domain's login page. Clicking the new link redirects me to B2C, but I get an immediate error from B2C. Application Insights shows the following exception:
The SAML technical profile 'serviceProviderMetadata' specifies a PartnerEntity URL of 'REMOVED', but fetching the metadata fails with reason 'For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
OpenID:
Using this write-up as a guideline, I've registered the app in B2C and configured the SalesForce side.
Instead of using the Azure AD authorization endpoints, I pulled my B2C tenants endpoints from my meta data URL (login.microsoftonline.com/{tenant}/.well-known/openid-configuration).
This works for my B2C admin account, however, when I try try a test user that isn't a B2C admin I get the following error from the B2C sign-in page:
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'REMOVED' from identity provider 'LINK REMOVED' does not exist in tenant 'MTB2CTest' and cannot access the application '5c8b9f4f-cf28-42fe-b629-b87251532970' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
::::::::::::UPDATE 6/23::::::::::
OpenID:
I’ve found that it works 100% only for my B2C admin account if I don’t use a policy, but doesn't work for other accounts. When I use a policy, only accounts that signed up through the policy can authenticate with B2C (which is great) – but the token doesn’t seem to be reaching SalesForce. I've created two PDFs showing the configuration details and the results from each method (policy and nopolicy) here.
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still?
Not exactly, you no need to register an app at B2C side. All the configuration you do in Policies is enough.
Did you try Salesforce SAML SSO article https://help.salesforce.com/articleView?id=sso_saml.htm&type=5
Check the above article and try to do configurations at Salesforce side and grab the details required by SAML RP
I hope by following both SAML RP and Configure SAML Settings for Single Sign-On articles you can configure B2C as IDP for Salesforce.
I stumbled on this question while trying to implement Azure AD B2C as an IdP for Salesforce. We used Open ID Connect to enable SSO between the two. This involved setting up an Application in Azure AD B2C, enabling the read scope on that application, and configuring the connection in Salesforce using that application, a custom policy returning a JWT token, and a dummy User Info endpoint.
Check out this answer for exact steps on how we set up Open ID Connect: https://stackoverflow.com/a/61639332/13484109
I'm working on an .NET web application that uses Azure AD as an identity provider. Azure MFA is also used.
However, the user does not want to use the default Microsoft login page. Instead, they want to use a custom login page (hosted by us). It is possible?
Is there exist any API in Azure AD that authenticate user's credential? I tried this: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-native-headless/. But I cannot make it work on a web application.
For this scenario, I recommend Add company branding to your sign-in page in Azure AD. It allows you to customize the appearance of the sign-in page with your company logo and custom color schemes.
But Company branding is available only if you upgraded to the Premium or Basic edition of Azure AD, or have an Office 365 license.
Additional: Building login page and save usernames/password to authenticate with Azure AD in your Application is not recommended.
Hope this helps!
As stated above, the documentation recommends using Company Branding feature for customizing the pages provided by Azure AD.
If even then, if you want to show your custom HTML on Azure AD's login page, it is possible to add custom HTML for the login page.
The requirement is your page should have <div id="api"></div>.
Another requirement is this page should be hosted on CORS enabled, HTTPS public site.
Please refer this blogpost where I have shown how the custom HTML can be used.