How to Sign in with Azure AD to an Azure AD B2C Application and get profile Pic, company name and the AD Tenant ID of that user? - asp.net-core

I have an ASP.NET Core application which is configured with an Azure AD B2C application. Any user of any tenant can sign in to the application. After a successful login the application will display the current user's profile picture, company name and the tenant ID of Azure AD. I am using a custom policy. Please help.
How do I add a REST API/Function to fetch the user details, and how do I call the REST API/Function, and in which OrchestrationStep?
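Added example, not from the question or any answer on this page: a REST API technical profile for a custom policy, with the orchestration step that calls it. It assumes an Azure Function at a placeholder URL protected by a function key stored in a B2C policy key named B2C_1A_RestApiKey (both placeholders), that the Azure AD identity provider technical profile already maps the IdP's `tid` claim to a `tenantId` claim, that `companyName` and `tenantId` are declared in the ClaimsSchema, and that the function returns JSON with a `companyName` field. The profile picture is left out, since it needs a Microsoft Graph call against the user's home tenant rather than a B2C claims exchange.

```xml
<!-- Added example (not from the question): REST technical profile for a custom policy.
     ServiceUrl and the policy key name are placeholders. -->
<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-GetCompanyProfile">
      <DisplayName>Look up the company profile for the signed-in user</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://REPLACE-WITH-YOUR-FUNCTION.azurewebsites.net/api/GetCompanyProfile</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- Do not expose the function anonymously: B2C sends the function key from a policy key -->
        <Item Key="AuthenticationType">ApiKeyHeader</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Key Id is the HTTP header name; StorageReferenceId is the policy key holding the secret -->
        <Key Id="x-functions-key" StorageReferenceId="B2C_1A_RestApiKey" />
      </CryptographicKeys>
      <InputClaims>
        <!-- objectId comes from the earlier claims exchange; tenantId is the tid claim from the Azure AD IdP -->
        <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="userId" />
        <InputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tenantId" />
      </InputClaims>
      <OutputClaims>
        <!-- The function replies with JSON {"companyName": "..."}; the JSON key must match the claim name -->
        <OutputClaim ClaimTypeReferenceId="companyName" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- In the user journey: call the REST profile after the step that produces the user's objectId
     and before the SendClaims step. The Order value is a placeholder; renumber the later steps. -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="RESTGetCompanyProfile" TechnicalProfileReferenceId="REST-GetCompanyProfile" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The relying party policy must also list `companyName` and `tenantId` as OutputClaims for them to appear in the token the ASP.NET Core app receives. If the function returns a non-2xx status, the journey fails, so keep the function's error handling explicit.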

Related

Azure AD B2C integration with SAML and OIDC

We have a .Net 6 website that integrates with Azure AD B2C using OIDC. Login and registration for the website are defined in custom policies in the Azure AD B2C tenant. Azure AD B2C returns a claim that we use for user creation and login for existing users.
The client would like the website to integrate with another platform that supports SAML SSO to Azure AD B2C. Basically, if users are signed in to the website, and by extension signed into Azure AD B2C, and they click a link on the website to take them to the other platform then the user should be signed into the other platform.
My question is whether we can mix OIDC and SAML in the custom policies so that logging into the website logs the user into the other platform, or does it need to be either OIDC start to finish or SAML start to finish?
I have looked into the Microsoft documentation and it explains how to integrate Azure AD B2C with either OIDC or SAML but I couldn't find anything related to integrating Azure AD B2C with separate platforms that use different protocols.
Any help is greatly appreciated.
I am not sure if I understand your use case correctly: are you trying to onboard an external partner as an identity provider? And does their identity provider use the SAML2 protocol?
If yes, you can look at this official page: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=windows&pivots=b2c-custom-policy
Basically you need to use a custom policy. In a nutshell, the custom policy orchestration flow redirects to the identity provider, and the user authenticates with their own credentials. If successful, the IdP issues a SAML token and redirects back to B2C.
Then you can process/transform the claims in the SAML token, even create a reference/federated user in your B2C tenant (add your own attributes/claims in the B2C user management portal), and send the claims as a JWT token back to your app.
Peter

Secure Azure Functions App in another tenant

I have an Azure AD B2C in Tenant A. A SPA web app (FE) and an API Functions App (Node.js) in Tenant B.
The FE is using MSAL to require login with Azure AD B2C. I want to set up authentication in the API to accept a bearer access token from the FE.
How can I configure Azure to achieve that?
The tenant that has your Azure subscription, which in turn has your resources, doesn't really have to be the one used for app-level authentication. It is just required for RBAC.
The app registrations for both could just be in the Azure AD B2C tenant directly, and you could provide the required details when setting it up like below.

Implicit grant with ASP.NET Core 2 web API and SPA

I have an Angular SPA front end which is backed by an ASP.NET Core 2 web API which sits in a different Azure Web App. This web API is locked down by Azure AD, and the AD tenant is the same for both the Angular app and the back-end API. I want all users in the Azure AD tenant to be able to access the front end and back-end API. However, a few users need to have specific permissions to do certain things (create/update).
I can create an app registration in Azure AD and use the same app registration for both the SPA and the back-end API, and then use ADAL.js in the SPA to get an access token and ID token and pass these to the back-end web API. What I am not sure about is: will the user's roles flow in the claims to the web API? I am planning to add users to specific application roles.
Roles will be in the ID token if the user has roles on the app they are signing into.
With SPAs registered as Native apps, you basically can't have roles, since the user is in full control of the front end anyway.
Roles will be in the access token if the user has roles on that API.
Two options that you have:
1. Use the same app registration like you said. Assign the user roles on that app, and they will be in the ID token. Then you use the ID token to call the API, and it can see the roles as well.
2. Assign the user roles on the API, and inspect their roles by decoding the access token in the front end.

Azure AD login page prompt

I've an Azure AD registered web application built with ASP.NET Core, using OpenID Connect, cookie authentication and ADAL.
My web app only supports authentication against work accounts.
I just noticed that the AAD login page says "Work or school, or personal Microsoft account".
Can I indicate to AAD that the prompt should only say "Work or school account"?
Thanks, Donal
You can use the msafed parameter. Add the following to the query string:
msafed=0
Now users can only sign in with a "work or school account", i.e. an Azure AD account.

Azure AD Authentication on Third Party AD Tenant

In my case there is already an existing tenant of an organization. We are supposed to use that AAD tenant for authentication purposes since it already has the users needed to authenticate. However, I do not have Global admin rights on that AAD tenant. I can create an application on that AAD tenant. I have also created a website that uses that AAD tenant to authenticate. When I run the website in a browser, it redirects to a login page. I am able to authenticate myself on that AAD tenant and can see the home page of the website. But when my colleagues try to log in using the same URL for the website, it redirects to a login page; however, when they enter their username and password it gives the following error:
"AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."
Kindly suggest a solution for the issue.
Note: I am using VS 2013 for this project.
#Juan: Finally figured out the solution. You need to request the global administrator of the Azure AD to enable WS Federation for your application on the respective AD tenant.