So, you’re considering a single sign-on deployment using Microsoft Azure AD B2C, but how far will the out-of-the-box user flows take you, versus the more functionally rich (but harder to configure) custom polices? In this blog we explore the differences between the two (and the, surprisingly, wide range of scenarios you can address with the built-in flows).
Microsoft Azure AD B2C is a comprehensive platform for single sign-on (SSO), offering state-of-the-art security, standards-based social login, and much more.
Locate Jira OAuth/OpenID Connect Single Sign On (SSO), Jira SSO via search. Click Try free to begin a new trial or Buy now to purchase a license for OAuth/OpenID Connect (OIDC) for Jira SSO.
When you integrate an application with B2C, you normally invoke B2C user flows (also called ‘user journeys’ and ‘policies’) to take control from the application while the user completes an authentication-related experience, e.g. sign in, sign up or password reset.
These user flows provide a completely custom look and feel, while running in the context of B2C and benefiting from Microsoft’s security-hardened infrastructure.
(NB: All information is correct at time of writing in February 2019, but may change over time.)
User flows come in two flavours:
Although limited, built-in flows provide a fully-customisable (in terms of look and feel) end-to-end experience which will suit many use cases.
Types of flow available are:
As the screenshot from the Azure Portal shows below, using the Portal you can edit various aspects of built-in flows, including choice of identity providers, attributes collected and passed to the application, and page layouts.
Connecting your application to B2C to run a flow or policy is the same in both cases, and requires very few lines of code (apart from the supplied code libraries). You can work in a number of languages on the application side. In the case of C#.Net, Microsoft provides a sample application on their website. You can use this as a basis for your application, if you’re starting from scratch. More often, organisations will cannibalise this sample app and make use of the code libraries.
Making changes to the look and feel is one of the simplest changes you can make. The template selection looks as follows – as you can see, the admin user has a drop down selection:
Once you have made your selection, you can run the policy to see your change. Here’s the “ocean blue”:
…and here’s the “slate gray”:
…but of course you can fully customise the page look and feel using your own HTML, CSS and JavaScript.
Custom polices are programmable, so in theory offer unlimited options for customisation of not only the user interface but the logic employed in the authentication experience.
Here are some examples of what you can achieve with custom policies (in addition to all of the above types of built-in flows):
Editing a custom policy isn’t easy. They do not have the same point-and-click interface as the built-in flows; logic is created by building XML into a custom policy XML document, which is then uploaded into the Azure Portal.
However, using the concept of “Journey Steps”, you can add any number of steps (for example, if you wanted to capture the user’s acceptance of your terms of service before they finish registering, you can do that).
This gives you a flexible authentication experience within the secure framework of Microsoft’s B2C service.
Built-in flows offer entry-level functionality, but can present an equivalent experience to custom policies in terms of look and feel, and can therefore provide an industrial-strength ‘minimum viable product’ with all the benefits of single sign-on and world-beating security measures.
For organisations contemplating more complex authentication journeys, it helps to start with custom policies, as these can then be enhanced as requirements become more complex.
To find out more about Azure AD B2C, download our free e-Guide to delve into its security benefits.
-->Before you begin, use the selector above to choose the type of policy you’re configuring. Azure AD B2C offers two methods of defining how users interact with your applications: though predefined user flows, or through fully configurable custom policies. The steps required in this article are different for each method.
Single sign-on (SSO) adds security and convenience when users sign in across applications in Azure Active Directory B2C (Azure AD B2C). This article describes the single sign-on methods used in Azure AD B2C and helps you choose the most appropriate SSO method when configuring your policy.
With single sign-on, users sign in once with a single account and get access to multiple applications. The application can be a web, mobile, or single page application, regardless of platform or domain name.
When the user initially signs in to an application, Azure AD B2C persists a cookie-based session. Upon subsequent authentication requests, Azure AD B2C reads and validates the cookie-based session, and issues an access token without prompting the user to sign in again. If the cookie-based session expires or becomes invalid, the user is prompted to sign-in again.
Integration with Azure AD B2C involves three types of SSO sessions:
When a user successfully authenticates with a local or social account, Azure AD B2C stores a cookie-based session on the user's browser. The cookie is stored under the Azure AD B2C tenant domain name, such as https://contoso.b2clogin.com
.
If a user initially signs in with a federated account, and then during the session time window (time-to-live, or TTL) signs in to the same app or a different app, Azure AD B2C tries to acquire a new access token from the federated identity provider. If the federated identity provider session is expired or invalid, the federated identity provider prompts the user for their credentials. If the session is still active (or if the user has signed in with a local account instead of a federated account), Azure AD B2C authorizes the user and eliminates further prompts.
You can configure the session behavior, including the session TTL and how Azure AD B2C shares the session across policies and applications.
A social or enterprise identity provider manages its own session. The cookie is stored under the identity provider's domain name, such as https://login.salesforce.com
. Azure AD B2C doesn't control the federated identity provider session. Instead, session behavior is determined by the federated identity provider.
Consider the following scenario:
A web, mobile, or single page application can be protected by OAuth access, ID tokens, or SAML tokens. When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app will take the user to Azure AD B2C to sign-in page.
The application session can be a cookie-based session stored under the application domain name, such as https://contoso.com
. Mobile applications might store the session in a different way but using a similar approach.
You can configure the Azure AD B2C session behavior, including:
Web app session lifetime (minutes) - The amount of time the Azure AD B2C session cookie is stored on the user's browser after successful authentication. You can set the session life time to a value from 15 to 720 minutes.
Web app session timeout - Indicates how a session is extended by the session life time setting or the keep me signed-in setting.
Single sign-on configuration - The Azure AD B2C session can be configured with the following scopes:
To configure the session behavior:
To change your session behavior and SSO configurations, you add a UserJourneyBehaviors element inside of the RelyingParty element. The UserJourneyBehaviors element must immediately follow the DefaultUserJourney. Your UserJourneyBehavors element should look like this example:
You can enable Keep Me Signed In functionality for users of your web and native applications that have local accounts in your Azure Active Directory B2C (Azure AD B2C) directory. This feature grants access to users returning to your application without prompting them to reenter their username and password. This access is revoked when a user signs out.
Users should not enable this option on public computers.
To enable KMSI, set the content definition DataUri
element to page identifierunifiedssp
and page version1.1.0 or above.
Open the extension file of your policy. For example, SocialAndLocalAccounts/
TrustFrameworkExtensions.xml
. This extension file is one of the policy files included in the custom policy starter pack, which you should have obtained in the prerequisite, Get started with custom policies.
Search for the BuildingBlocks element. If the element doesn't exist, add it.
Add the ContentDefinitions element to the BuildingBlocks element of the policy.
Your custom policy should look like the following code snippet:
To add the KMSI checkbox to the sign-up and sign-in page, set the setting.enableRememberMe
metadata to true. Override the SelfAsserted-LocalAccountSignin-Email technical profiles in the extension file.
Update the relying party (RP) file that initiates the user journey that you created.
Open your custom policy file. For example, SignUpOrSignin.xml.
If it doesn't already exist, add a <UserJourneyBehaviors>
child node to the <RelyingParty>
node. It must be located immediately after <DefaultUserJourney ReferenceId='User journey Id' />
, for example: <DefaultUserJourney ReferenceId='SignUpOrSignIn' />
.
Add the following node as a child of the <UserJourneyBehaviors>
element.
We recommend that you set the value of SessionExpiryInSeconds to be a short period (1200 seconds), while the value of KeepAliveInDays can be set to a relatively long period (30 days), as shown in the following example:
When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. You must redirect the user to Azure AD B2C to sign out. Otherwise, the user might be able to re-authenticate to your applications without entering their credentials again.
Upon a sign-out request, Azure AD B2C:
end_session_endpoint
location.end_session_endpoint
location.SingleLogoutService
location.Note
You can disable the sign out from federated identity providers, by setting the identity provider technical profile metadata SingleLogoutEnabled
to false
.
The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session. If the user selects the same identity provider during a subsequent sign-in, they might reauthenticate without entering their credentials. If a user wants to sign out of the application, it doesn't necessarily mean they want to sign out of their Facebook account. However, if local accounts are used, the user's session ends properly.
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl
of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200
response. If you want to support single sign-out in your application, you must implement a LogoutUrl
in your application's code.
To support single sign-out, the token issuer technical profiles for both JWT and SAML must specify:
<Protocol Name='OpenIdConnect' />
UseTechnicalProfileForSessionManagement ReferenceId='SM-OAuth-issuer' />
.The following example illustrates the JWT and SAML token issuers with single sign-out:
After logout, the user is redirected to the URI specified in the post_logout_redirect_uri
parameter, regardless of the reply URLs that have been specified for the application. However, if a valid id_token_hint
is passed and the Require ID Token in logout requests is turned on, Azure AD B2C verifies that the value of post_logout_redirect_uri
matches one of the application's configured redirect URIs before performing the redirect. If no matching reply URL was configured for the application, an error message is displayed and the user is not redirected.
To require an ID Token in logout requests:
To require an ID Token in logout requests, add a UserJourneyBehaviors element inside of the RelyingParty element. Then set the EnforceIdTokenHintOnLogout of the SingleSignOn element to true
. Your UserJourneyBehaviors element should look like this example:
To configure your application Logout URL: