I'm using Azure AD B2C with msal.js in my React app.
Currently, when the user tries to enter the protected area of my app, msal.js redirects the user to the login in page which provides a link to the sign up page.
Is there a way for me to send users directly to the sign up page? There are cases when I know the user has not yet signed up so it's bad user experience to send the user first to the sign in page then let them click and go to the sign up page. It would be nicer to just send them directly to sign up instead.
As well as the sign-up or sign-in policy, you can create a sign-up only policy, which allows a new user to sign up with a local account and/or a social account.
Related
I am working on web based application where I want to redirect the user to our application signup page when non-Azure AD user(Guest user) is trying to sign in through Azure AD SSO sign in page. Is there way to customize the Azure AD SSO sign in page and redirect the user except company branding. Or is it possible to build form based authentication page and integrate with Azure AD without using B2C?
We already have set the post_log_in_redirect_uri and post_log_out_redirect_uri and working as expected on login/logout.
I develop an authentication by extrenal idps in the my application. For while I support two idps using OpenId Connect protocol: Azure AD and Okta. My login page has widget for entering user's credentials (for built-in users and for domain users imported from Active Directory) and two buttons: "Login with Microsoft" and "Login with Okta".
First time user is redirected to login page and he attempts to sign in by Okta (or Azure AD). If he has already signed in Okta (or Azure AD) before attempt he will be signed in my app autmatically without entring his credentials (SSO in action). But if he signed out from my app, the next time he will try to sign in by Okta he will be redirected to Okta consent page and required to enter his credentials.
Why do second and next attempts require user's credentials but not lead to automatic sign in?
Is this SSO concept?
I develop on Asp.net MVC and use OWIN (Katana).
Thanks!
A likely reason the user is signed out of the identity provider is that your code is intentionally doing that when you call SignOut.
For example, if you are calling:
HttpContext.GetOwinContext().Authentication.SignOut(AuthTypes.Okta, AuthTypes.Cookies);
You are explicitly saying that you want to trigger sign-out for AuthTypes.Cookies (which probably clears your app's own session cookies) and AuthTypes.Okta (which probably includes redirecting to Okta to end the session and clear cookies over there as well).
If you only want to end the session with your app (but not necessarily end the user's session with the identity provider), when you call SignOut, you should only indicate your app's authentication types:
HttpContext.GetOwinContext().Authentication.SignOut(AuthTypes.Cookies);
After this, when the user accesses the app again, the app will not consider the user signed in (because when the user's browser accesses the app, it will not be presenting any session cookies). However, if the user were to be sent off to Okta or Azure AD again, the identity provider's own session cookies for that user will still be there, and they will be able to SSO with no extra prompts.
Note: I'm making a few assumptions about how AuthTypes.Okta and AuthTypes.Cookies are configured, since that wasn't included in the question.
I want to built a custom page where we ask the user for their email and then redirect them to the particular IDP page (we have logic built around this) using domain_hint, for example: domain_hint=facebook.com.
Have a look at these samples:
Demonstrates how to implement a sign in journey, where the user is automatically directed to their federated identity provider based off of their email domain. And for users who arrive with an unknown domain, they are redirected to a default identity provider.
https://github.com/azure-ad-b2c/samples/blob/master/policies/default-home-realm-discovery
Demonstrates how to create a home realm discovery page. On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name.
https://github.com/azure-ad-b2c/samples/blob/master/policies/home-realm-discovery-modern
What we'd like to do is to automatically Sign In\Login the user after they successfully Sign Up.
Let's say the user got an invitation for the application. They go to the Sign Up page, fills out the form and clicks the Create button. If all is OK, the user is added to Azure B2C directory and then we'd somehow have the Sign In policy run automatically OR some other way of logging in automatically.
So I just want to know if this is viable or not when using Azure B2C.
EDIT
After further debugging I see what is the problem...
We have an old AngularJS (1.6) SPA application.
An #id_token is sent back from Azure B2C after the user completes the Sign Up process... however after the URL in the browser has the #id_token, control is not passed to the application, that is, OWIN middleware is not being called. For the Sign In it works as expected since it starts from within the SPA itself. The user clicks the Login button and is redirected by msalService.loginRedirect.
The Sign Up policy execution is different because it starts by an e-mail invitation link only. So it's not from within the SPA itself.
The hash portion of #id_token is being messed up by AngularJS once Azure B2C redirects back to the app.
I already played with AngularJS $locationProvider.html5(true) mode but it did not work.
What I'm trying to do now is to redirect to a custom signup.html reply URL and then return to the AngularJS app but I'm not sure how to wire up this.
By default, at the end of a flow (i.e. all built-in flows except the password reset flow and all custom flows except the password reset flow), an SSO session is generated for the user so, in effect, they are signed in after sign-up.
Therefore, the default experience in the same session is that, if a user signs up for App A and then is redirected to sign in for App B, then they won't be prompted to re-authenticate.
You can configure the sign-up and sign-in flows so that they issue the same claims so applications can handle the sign-up and sign-in callbacks with the same behavior.
I have a nodejs webapp with login, signup pages (text fields to enter username, passwd and "Login" button). Other pages in the UI and Backend APIs should be accessible only to authenticated users.
What options do i have if i want to authenticate users using Azure AD (Clicking the "Login" button on the UI should authenticate against Azure AD)? Would the flow be different If i want to authenticate both internal (associates with AD credentials) and external users (end customers not in our AD)
TIA.
What options do i have if i want to authenticate users using Azure AD
(Clicking the "Login" button on the UI should authenticate against
Azure AD)?
In the B2C, you could use the direct sign-in by the username or the identity provider.
Would the flow be different If i want to authenticate both internal
(associates with AD credentials) and external users (end customers not
in our AD)
There is no difference. If you don't set up direct sign-in, all the user will see the first page for the user to choose the provider, and then will redirect to the related provider login page.
You have to create a B2C directory and create a web app there, then you can create Signin or Sign Up Policy. Once you are able to create that, open it and select the web app you have created and a redirect url to which you want your user to redirect to afetr successful login. Now hit the Run Now button at the bottom of the policy page. You should see a login page. If you are using it for the 1st time, you have to sign up otherwise you can signin directly. That will do for you.
There is no diff if you are signing in a user who has the ad credentials or not. They still have to signup in the b2c directory for the 1st time as the user profile they have is for the Azure AD directory and not for Azure AD B2C.
There is one thing to consider in min, what type of Authentication you want to follow, OpenId or EasyAuth.
You can test these things out and that should solve your problem. If you still face any challenge, you can let me know here.