Azure B2C as external identity provider for Thinktecture Identity Server - thinktecture-ident-server

I have a setup consisting of my relying party app -> thinktecture identity server -> azure ad b2c. This is working as expected for login and signup using a signin or signup policy. The issue I am running into is that the password reset link on the azure b2c page is sending back to my thinktecture identity server, instead of to azure b2c where it should go. Has anyone encountered this and found a solution? I am also unable to submit a profile edit policy request to azure b2c through thinktecture identity server. My thinktecture identity server instance just sees that the user is logged in and returns them directly back to my relying party.
So my questions are these...
How do I get the password reset functionality working correctly from azure b2c?
How can I handle profile edit requests from my relying party and pass them in appropriately in thinktecture identity server?
It was suggested that I use ACR_values, but I don't see how that is going to help. Any suggestions/ideas would be helpful as I seem to have run up against a brick wall here.

Related

Azure AD B2C integration with SAML and OIDC

We have a .Net 6 website that integrates with Azure AD B2C using OIDC. Login and registration for the website are defined in custom policies in the Azure AD B2C tenant. Azure AD B2C returns a claim that we use for user creation and login for existing users.
The client would like the website to integrate with another platform that supports SAML SSO to Azure AD B2C. Basically, if users are signed in to the website, and by extension signed into Azure AD B2C, and they click a link on the website to take them to the other platform then the user should be signed into the other platform.
My question is if we can mix OIDC and SAML in the custom policies so that logging into the website logs the user into the other platform or does it need to be either OIDC start to finish or SAML start to finish.
I have looked into the Microsoft documentation and it explains how to integrate Azure AD B2C with either OIDC or SAML but I couldn't find anything related to integrating Azure AD B2C with separate platforms that use different protocols.
Any help is greatly appreciated.
I am not sure if I understand your use-case correctly - are you trying to onboard an external partner as an identity provider? And their identity provider uses the SAML2 protocol?
If yes, you can look at this official page - https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=windows&pivots=b2c-custom-policy
Basically you need to use a custom policy. In a nutshell, the custom policy orchestration flow redirects to the identity provider, and the user authenticates with their own credentials. If successful, the IdP issues a SAML token and redirects back to B2C.
And then you can process/transform those claims in the SAML token, even create a reference/federated user in your B2C (add your own attributes/claims in the B2C user management portal) and send the claims as a JWT token back to your app.
Peter

Azure Function App Authentication Sign In

I am currently working on a function app and would like to understand more on the built in authentication using Microsoft as the identity provider. I have created an app registration as per this guide but upon testing the authentication in a browser, I have been redirected to login.microsoftonline.com/common instead of login.microsoftonline.com/. Is that the expected behavior?
For your function app, in the Authentication blade, check what is being displayed for Issuer Url for the Microsoft Authentication provider. If you have configured to authenticate users from your organization's Azure AD, then that will be the tenant ID, and the url should be login.microsoftonline.com/<guid of tenant>. It depends on what you chose for your target audience, refer here.

Thinktecture IdentityServer3 and Azure Active Directory B2C

Has anyone used Azure Active Directory B2C as an external identity provider with Thinktecture Identity Server 3? If you did, how did you set it up? I can setup relying parties and other external providers such as Google and Facebook with no problem, just not sure where to start with Azure AD B2C.
I believe currently Azure B2C cannot be a relying party to someone else. It can only consume others as relying parties to it.

Thinktecture Identity Server HRD

I would like to use Thinktecture identity server V2 "WS-Federation HRD" to let users log in with a Facebook account or with the identity server I created using Thinktecture identity server.
The following is my use case. I also referred to https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/484 to try to configure my Thinktecture identity server.
It shows the HRD login page and I can log in successfully, but it always redirects to the Thinktecture identity server home page, not to the client application, after I log in successfully.
Can anyone tell me how I can configure it on Thinktecture Identity Server and in the ASP.NET MVC client application configuration?
Use case:
1. (APP Client) abc.cloudapp.net/oauthclient2/
2. => Thinktecture identity server "hrd" page (https://def.cloudapp.net/identityserver/)
3. => login with Facebook or IDP (identity server); if successful then
4. => redirect to (APP Client) abc.cloudapp.net/oauthclient2/
The guide that you mentioned is OK. The problem you might have is at the last screen.
Try to set the Redirect URL back to your application (abc.cloudapp.net/oauthclient2/) in the relying party for your application (abc.cloudapp.net/oauthclient2/).

Web Services and Azure ACS - Security Token from an Identity Provider (e.g. Facebook)

I'm new to Azure ACS and working with a web site that implements Azure ACS. I need to write a web service that needs to be secured with authentication via an Identity Provider first (e.g. Facebook).
I'm having a hard time finding a simple sample that can help me accomplish basically the 2nd scenario laid out in this article: http://msdn.microsoft.com/en-us/library/gg429784.aspx ("By presenting a security token from another trusted issuer (Identity Provider) that has authenticated that client").
For what it's worth, I was able to find a great example that lets the client authenticate directly with ACS using ACS Service Identity (i.e. username/password) here: http://blog.siliconvalve.com/2013/06/25/protect-your-asp-net-web-api-using-azure-acs-service-identities/, but I need the client to authenticate via FB to identify who that client is.
In case someone else is also looking for this information, here's a sample I finally was able to obtain after contacting Microsoft Azure ACS support: http://code.msdn.microsoft.com/vstudio/AAL-Native-App-to-REST-de57f2cc