Is it possible to attach a 3rd party IDP with an Azure AD B2B self signup flow? I am able to attach Google and FB but not an enterprise 3rd party IDP that I created.
Is it something which cannot be done?
Thanks.
You can set up direct federation with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol.
The allowed identity providers list:
accounts.google.com
pingidentity.com
login.pingone.com
okta.com
oktapreview.com
okta-emea.com
my.salesforce.com
federation.exostar.com
federation.exostartest.com
More details on Azure AD B2B collaboration direct federation with SAML and WS-Fed providers.
Related
I am using Azure Active Directory Business to Consumer(adb2c).
We have designed custom policies, part of Identity Experience Framework(IEF) of Azure for 2 different applications.
One application is using login policy/flow which connects to a 3rd party Identity store.
Another application is using login policy/flow which connects to a different 3rd party Identity store.
Can we achieve SSO between them?
I am trying to use DefaultSSOSessionProvider session provider to skip technical profile which actually connect to 3rd party IDP and complete the login in case of SSO scenario. Getting exceptions while doing this.
Will this be possible or is there any other approach to achieve SSO?
In order to enable SSO for different applications in Azure AD B2C you need to configure SSO at the tenant level. To be able to skip external IdP selection you need to set a TP that leverages the ExternalLoginSSOSessionProvider in the UseTechnicalProfileForSessionManagement attribute of your external IdP TP. Take a look to the following custom policy permalink for a sample.
Finally, the external IdP SSO is controlled by the IdP itself and not by B2C so if some problem arises ensure the IdP SSO is working before validating B2C SSO.
I created azure b2c custom policy using SAML flow and cannot find documentation what logout url should I use on SP side. What I see in saml policy metadata xml:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signin_saml/samlp/sso/logout"/>
it does not work with my SP (zendesk) and shows error after logout redirect: AADB2C99046: The logout request does not include a session index. I investigated saml logout request and it does not contain session index element. As I understand SAML standard documentation SessionIndex is optional.
Is there any way to fix log out functionality with SAML?
here is the answer from Microsoft support:
After analyzed your request with our technical advisors and additional
resources, we got a confirmation that for your particular setup which
is having your B2C actuate as SAML Token Provider, the SessionIndex
along with NameID is a must and needs to be provided by your Service
Provider.
I know it is hard to track what requirements usually needs the setups
in B2C by having the information spread everywhere but in Azure AD B2C
the following are the two scenarios supported:
Have Azure AD B2C acting as an IdP and achieving SSO with SAML-based Service Providers
Have Azure AD B2C acting as a service provider (SP) and interacting with SAML-based identity providers like SalesForce and ADFS.
The first scenario (1), that one you have, it requires your custom
policy to setup your SAML token issuer, along with the
SAMLSSOSessionProvider the TechnicalProfile named as SM-Saml-Issuer.
SAML session logout will not work then without your SessionIndex and
NameID attributes coming from your SP.
This is the only way to achieve a successful SAML logout call from
your Service Provider.
Let me know if you have any questions, I can then review this and
forward it to our experts if necessary.
Best regards,
_____________________________________________________ Victor J. Hernandez | Support Engineer | Azure Support
Most SPs using SAML will create their own session after you are authenticated. This session is only used by the SP that set it up. To do this, logout must do the following: delete all SP sessions.
The only truly reliable way to completely log out of SAML SSO is to delete all sessions, including identity provider sessions and all service provider sessions. Normally, this can be done simply by closing the browser.
We maintain a website that uses the built-in .NET Core / EF Identity model so all user data is in DB tables. We now have a need to support SSO into another 3rd party system which requires that we host our own IDP with support of SAML 2.0. We don't want to change our identity model or login process for our own website, we just need to return a SAML Response for a user without our website as a response to an SSO request by the 3rd party website. Our site is hosted in Azure as a Web App but we don't use Azure AD for this website which is public facing for external client employees.
Are there any recommendations to create a simple IDP that maps to our existing AspNetUsers database table to retrieve and prepare an SSO Response but doesn't impact our existing identity setup? In all likelihood, we'll have to support other SSO protocols in the future with the same implementation. Do we need to go as far as to implement IdentityServer4, making the existing web app act as both an IDP and a client app?
idsrv4 supports the EF identity model (AFAIK). If it doesn't you could always write your own plugin.
idsrv4 then becomes the IDP and will authenticate against your current DB.
idsrv4 has SAML and WS-Fed plugins to support future SSO.
Your other choice is to implement something like Auth0 that supports authentication against local DB and has full support for SAML and WS-Fed.
We have a web application. We also have a separate customer who already uses Okta to manage his employee's access to various applications. This client wants to use Okta SSO for login to our app.
We created a trial Okta account and integrated a "login with Okta" button based on documentation here for a Node/Angular App https://developer.okta.com/quickstart/#/angular/nodejs/generic
This method allows authentication for users who have an account in our Okta. However, this does not seem right as future customers would have users tied to their own accounts.
How do we solve this? Do we need to register with OIN and only then it is possible for other Okta accounts to enable SSO into our app?
You can enable self-registration for your organization and then people can create their own accounts in Okta if they don’t have one.
https://help.okta.com/en/prod/Content/Topics/Directory/Directory_Self_Service_Registration.htm
It seems to me that your customer is looking for a B2B authentication solution with your service.
To accomplish that you will need to allow a SAML inbound federation between his OKTA tenant and yours. by doing that, any user from his OKTA tenant that will log-in to your service will be created instantly at your OKTA tenant and allowed access.
OKTA have made a great tool for that called OKTA org-2-org which includes both authentication and the feature of synching data about the user from his tenant to yours.
https://saml-doc.okta.com/SAML_Docs/Configure-SAML-2.0-for-Org2Org.html
Our company maintains a Web App composed of a front-end and a back-end in (Node.js), and we support the standard username/password login authentication. A couple of our partners have requested we support SAML SSO, so their end-users can access our web app through a link on their respective portals without the need to login again.
Question: Do we need to turn our app into a full-fledged service provider (SP) by implementing a SAML sdk/library in our front-end and back-end?
Or is it possible to use a 3rd party authentication provider like Okta to handle the SAML nitty-gritty behind the scenes and then redirect the end user to our app, with possibly a token (JWT?) so we can retrieve the user info from Okta?
I've read everything I could find on Okta's site, and here, and couldn't find a definitive answer, either yes it's possible (with example) or no you can't do that.
Like you already mentioned in your question, there are 2 possible ways to do it.
Update your application to support SAML login flow with your app as SP, in which case you will not need to use any 3rd party auth provider
If you don't want to get into the SAML nitty-gritty, you can use a 3rd party provider like Okta as an intermediary that will consume the SAML responses from the IdP (used by your external customers) and then convert that assertion into an Open ID token (JWT). In this case, Okta will act as an IdP (Authorization server) to your web app and generate ID tokens.
Your app will then need to implement the Open ID connect login flow.
You can refer to http://developer.okta.com/code/javascript/okta_sign-in_widget_ref for this.