tincnalaucon1972.netlify.com

So, you’re considering a single sign-on deployment using Microsoft Azure AD B2C, but how far will the out-of-the-box user flows take you, versus the more functionally rich (but harder to configure) custom polices? In this blog we explore the differences between the two (and the, surprisingly, wide range of scenarios you can address with the built-in flows).

Microsoft Azure AD B2C is a comprehensive platform for single sign-on (SSO), offering state-of-the-art security, standards-based social login, and much more.

Locate Jira OAuth/OpenID Connect Single Sign On (SSO), Jira SSO via search. Click Try free to begin a new trial or Buy now to purchase a license for OAuth/OpenID Connect (OIDC) for Jira SSO.

When you integrate an application with B2C, you normally invoke B2C user flows (also called ‘user journeys’ and ‘policies’) to take control from the application while the user completes an authentication-related experience, e.g. sign in, sign up or password reset.

1. The sample demonstrates how a single-page application can use Azure AD B2C for user sign-up and sign-in, and to call a protected web API (you enable the web API in the next tutorial in the series). MSAL.js 2.x authorization code flow sample.
2. My B2C has only local users, so no external IdP (e.g. Google, Facebooks, etc). Single sign-on works as expected and the individual logout from each website works as expected. Now I want Single Logout, i.e. When the users logout.

These user flows provide a completely custom look and feel, while running in the context of B2C and benefiting from Microsoft’s security-hardened infrastructure.

(NB: All information is correct at time of writing in February 2019, but may change over time.)

Ready-made or truly tailored?

User flows come in two flavours:

Capabilities of built-in flows

Although limited, built-in flows provide a fully-customisable (in terms of look and feel) end-to-end experience which will suit many use cases.

Types of flow available are:

As the screenshot from the Azure Portal shows below, using the Portal you can edit various aspects of built-in flows, including choice of identity providers, attributes collected and passed to the application, and page layouts.

Connecting your application to B2C to run a flow or policy is the same in both cases, and requires very few lines of code (apart from the supplied code libraries). You can work in a number of languages on the application side. In the case of C#.Net, Microsoft provides a sample application on their website. You can use this as a basis for your application, if you’re starting from scratch. More often, organisations will cannibalise this sample app and make use of the code libraries.

Making changes to the look and feel is one of the simplest changes you can make. The template selection looks as follows – as you can see, the admin user has a drop down selection:

Once you have made your selection, you can run the policy to see your change. Here’s the “ocean blue”:

…and here’s the “slate gray”:

…but of course you can fully customise the page look and feel using your own HTML, CSS and JavaScript.

Capabilities of custom policies

Custom polices are programmable, so in theory offer unlimited options for customisation of not only the user interface but the logic employed in the authentication experience.

Here are some examples of what you can achieve with custom policies (in addition to all of the above types of built-in flows):

Editing a custom policy isn’t easy. They do not have the same point-and-click interface as the built-in flows; logic is created by building XML into a custom policy XML document, which is then uploaded into the Azure Portal.

However, using the concept of “Journey Steps”, you can add any number of steps (for example, if you wanted to capture the user’s acceptance of your terms of service before they finish registering, you can do that).

This gives you a flexible authentication experience within the secure framework of Microsoft’s B2C service.

Conclusion

Built-in flows offer entry-level functionality, but can present an equivalent experience to custom policies in terms of look and feel, and can therefore provide an industrial-strength ‘minimum viable product’ with all the benefits of single sign-on and world-beating security measures.

For organisations contemplating more complex authentication journeys, it helps to start with custom policies, as these can then be enhanced as requirements become more complex.

To find out more about Azure AD B2C, download our free e-Guide to delve into its security benefits.

-->

Before you begin, use the selector above to choose the type of policy you’re configuring. Azure AD B2C offers two methods of defining how users interact with your applications: though predefined user flows, or through fully configurable custom policies. The steps required in this article are different for each method.

Single sign-on (SSO) adds security and convenience when users sign in across applications in Azure Active Directory B2C (Azure AD B2C). This article describes the single sign-on methods used in Azure AD B2C and helps you choose the most appropriate SSO method when configuring your policy.

With single sign-on, users sign in once with a single account and get access to multiple applications. The application can be a web, mobile, or single page application, regardless of platform or domain name.

When the user initially signs in to an application, Azure AD B2C persists a cookie-based session. Upon subsequent authentication requests, Azure AD B2C reads and validates the cookie-based session, and issues an access token without prompting the user to sign in again. If the cookie-based session expires or becomes invalid, the user is prompted to sign-in again.

Prerequisites

• Create a user flow to enable users to sign up and sign in to your application.
• If you haven't already done so, register a web application, and enable ID token implicit grant.

• Complete the steps in the Get started with custom policies in Active Directory B2C.
• If you haven't already done so, register a web application, and enable ID token implicit grant.

Azure AD B2C session overview

Integration with Azure AD B2C involves three types of SSO sessions:

• Azure AD B2C - Session managed by Azure AD B2C
• Federated identity provider - Session managed by the identity provider, for example Facebook, Salesforce, or Microsoft account
• Application - Session managed by the web, mobile, or single page application

Azure AD B2C session

When a user successfully authenticates with a local or social account, Azure AD B2C stores a cookie-based session on the user's browser. The cookie is stored under the Azure AD B2C tenant domain name, such as https://contoso.b2clogin.com.

If a user initially signs in with a federated account, and then during the session time window (time-to-live, or TTL) signs in to the same app or a different app, Azure AD B2C tries to acquire a new access token from the federated identity provider. If the federated identity provider session is expired or invalid, the federated identity provider prompts the user for their credentials. If the session is still active (or if the user has signed in with a local account instead of a federated account), Azure AD B2C authorizes the user and eliminates further prompts.

You can configure the session behavior, including the session TTL and how Azure AD B2C shares the session across policies and applications.

Federated identity provider session

A social or enterprise identity provider manages its own session. The cookie is stored under the identity provider's domain name, such as https://login.salesforce.com. Azure AD B2C doesn't control the federated identity provider session. Instead, session behavior is determined by the federated identity provider.

Consider the following scenario:

1. A user signs into Facebook to check their feed.
2. Later, the user opens your application and starts the sign-in process. The application redirects the user to Azure AD B2C to complete the sign-in process.
3. On the Azure AD B2C sign-up or sign-in page, the user chooses to sign-in with their Facebook account. The user is redirected to Facebook. If there is an active session at Facebook, the user is not prompted to provide their credentials and is immediately redirected to Azure AD B2C with a Facebook token.

Application session

A web, mobile, or single page application can be protected by OAuth access, ID tokens, or SAML tokens. When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app will take the user to Azure AD B2C to sign-in page.

The application session can be a cookie-based session stored under the application domain name, such as https://contoso.com. Mobile applications might store the session in a different way but using a similar approach.

Configure Azure AD B2C session behavior

You can configure the Azure AD B2C session behavior, including:

• Web app session lifetime (minutes) - The amount of time the Azure AD B2C session cookie is stored on the user's browser after successful authentication. You can set the session life time to a value from 15 to 720 minutes.

• Web app session timeout - Indicates how a session is extended by the session life time setting or the keep me signed-in setting.

  • Rolling - Indicates that the session is extended every time the user performs a cookie-based authentication (default).
  • Absolute - Indicates that the user is forced to re-authenticate after the time period specified.

• Single sign-on configuration - The Azure AD B2C session can be configured with the following scopes:

  • Tenant - This setting is the default. Using this setting allows multiple applications and user flows in your B2C tenant to share the same user session. For example, once a user signs into an application, the user can also seamlessly sign into another one upon accessing it.
  • Application - This setting allows you to maintain a user session exclusively for an application, independent of other applications. For example, you can use this setting if you want the user to sign in to Contoso Pharmacy regardless of whether the user is already signed into Contoso Groceries.
  • Policy - This setting allows you to maintain a user session exclusively for a user flow, independent of the applications using it. For example, if the user has already signed in and completed a multi-factor authentication (MFA) step, the user can be given access to higher-security parts of multiple applications, as long as the session tied to the user flow doesn't expire.
  • Disabled - This setting forces the user to run through the entire user flow upon every execution of the policy.

• Keep me signed-in - extends the session life time through the use of a persistent cookie. The session remains active after the user closes and reopens the browser. The session is revoked only when a user signs out. The Keep me signed-in feature only applies to sign-in with local accounts. The Keep me signed-in feature takes precedence over the session life time. If the Keep me signed-in feature is enabled and the user selects it, this feature dictates when the session will expire.

To configure the session behavior:

1. Sign in to the Azure portal.
2. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the Directory + subscription filter in the top menu and choosing the directory that contains your Azure AD B2C tenant.
3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
4. Select User flows.
5. Open the user flow that you previously created.
6. Select Properties.
7. Configure Web app session lifetime (minutes), Web app session timeout, Single sign-on configuration, and Require ID Token in logout requests as needed.
8. Click Save.

To change your session behavior and SSO configurations, you add a UserJourneyBehaviors element inside of the RelyingParty element. The UserJourneyBehaviors element must immediately follow the DefaultUserJourney. Your UserJourneyBehavors element should look like this example:

Enable Keep me signed in (KMSI)

You can enable Keep Me Signed In functionality for users of your web and native applications that have local accounts in your Azure Active Directory B2C (Azure AD B2C) directory. This feature grants access to users returning to your application without prompting them to reenter their username and password. This access is revoked when a user signs out.

Users should not enable this option on public computers.

Configure the page identifier

To enable KMSI, set the content definition DataUri element to page identifierunifiedssp and page version1.1.0 or above.

1. Open the extension file of your policy. For example, SocialAndLocalAccounts/TrustFrameworkExtensions.xml. This extension file is one of the policy files included in the custom policy starter pack, which you should have obtained in the prerequisite, Get started with custom policies.

2. Search for the BuildingBlocks element. If the element doesn't exist, add it.

3. Add the ContentDefinitions element to the BuildingBlocks element of the policy.

   Your custom policy should look like the following code snippet:

Add the metadata to the self-asserted technical profile

To add the KMSI checkbox to the sign-up and sign-in page, set the setting.enableRememberMe metadata to true. Override the SelfAsserted-LocalAccountSignin-Email technical profiles in the extension file.

1. Find the ClaimsProviders element. If the element doesn't exist, add it.
2. Add the following claims provider to the ClaimsProviders element:

1. Save the extensions file.

Configure a relying party file

Update the relying party (RP) file that initiates the user journey that you created.

1. Open your custom policy file. For example, SignUpOrSignin.xml.

2. If it doesn't already exist, add a <UserJourneyBehaviors> child node to the <RelyingParty> node. It must be located immediately after <DefaultUserJourney ReferenceId='User journey Id' />, for example: <DefaultUserJourney ReferenceId='SignUpOrSignIn' />.

3. Add the following node as a child of the <UserJourneyBehaviors> element.

We recommend that you set the value of SessionExpiryInSeconds to be a short period (1200 seconds), while the value of KeepAliveInDays can be set to a relatively long period (30 days), as shown in the following example:

Sign-out

When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. You must redirect the user to Azure AD B2C to sign out. Otherwise, the user might be able to re-authenticate to your applications without entering their credentials again.

Upon a sign-out request, Azure AD B2C:

Azure B2c Single Sign On Configuration

1. Invalidates the Azure AD B2C cookie-based session.

2. Attempts to sign out from federated identity providers

3. Attempts to sign out from federated identity providers:
   • OpenId Connect - If the identity provider well-known configuration endpoint specifies an end_session_endpoint location.
   • OAuth2 - If the identity provider metadata contains the end_session_endpoint location.
   • SAML - If the identity provider metadata contains the SingleLogoutService location.
4. Optionally, signs-out from other applications. For more information, see the Single sign-out section.

Note

You can disable the sign out from federated identity providers, by setting the identity provider technical profile metadata SingleLogoutEnabled to false.

The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session. If the user selects the same identity provider during a subsequent sign-in, they might reauthenticate without entering their credentials. If a user wants to sign out of the application, it doesn't necessarily mean they want to sign out of their Facebook account. However, if local accounts are used, the user's session ends properly.

B2c Single Sign On

Single sign-out

When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.

Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.

B2c Single Sign Online

To support single sign-out, the token issuer technical profiles for both JWT and SAML must specify:

• The protocol name, such as <Protocol Name='OpenIdConnect' />
• The reference to the session technical profile, such as UseTechnicalProfileForSessionManagement ReferenceId='SM-OAuth-issuer' />.

The following example illustrates the JWT and SAML token issuers with single sign-out:

Secure your logout redirect

After logout, the user is redirected to the URI specified in the post_logout_redirect_uri parameter, regardless of the reply URLs that have been specified for the application. However, if a valid id_token_hint is passed and the Require ID Token in logout requests is turned on, Azure AD B2C verifies that the value of post_logout_redirect_uri matches one of the application's configured redirect URIs before performing the redirect. If no matching reply URL was configured for the application, an error message is displayed and the user is not redirected.

To require an ID Token in logout requests:

1. Sign in to the Azure portal.
2. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the Directory + subscription filter in the top menu and choosing the directory that contains your Azure AD B2C tenant.
3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
4. Select User flows.
5. Open the user flow that you previously created.
6. Select Properties.
7. Enable the Require ID Token in logout requests.
8. Go back to Azure AD B2C.
9. Select App registrations, and then select your application.
10. Select Authentication.
11. In the Logout URL text box, type your post logout redirect URI, and then select Save.

To require an ID Token in logout requests, add a UserJourneyBehaviors element inside of the RelyingParty element. Then set the EnforceIdTokenHintOnLogout of the SingleSignOn element to true. Your UserJourneyBehaviors element should look like this example:

To configure your application Logout URL:

1. Sign in to the Azure portal.
2. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the Directory + subscription filter in the top menu and choosing the directory that contains your Azure AD B2C tenant.
3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
4. Select App registrations, and then select your application.
5. Select Authentication.
6. In the Logout URL text box, type your post logout redirect URI, and then select Save.

Next steps

• Learn how to configure tokens in Azure AD B2C.