Closed monty-dev closed 7 years ago
@rojasja for awareness
We do not support multi-tenant apps or the /common endpoint. I would recommend requesting the feature here to help us prioritize it.
According to this: active-directory-b2c-advanced-policies/Walkthroughs/IdP-AzureAD.md
it is supported. However, when I set it up, I get an error: AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*'
although the reply URLs have been configured and set to:
https://login.microsoftonline.com/(B2Ctenant).onmicrosoft.com and https://login.microsoftonline.com/te/(B2Ctenant).onmicrosoft.com/oauth2/authresp
I also want to emphasize that this was working last Friday (15th of September 2017). I didn't change custom policy configuration at all and it didn't work anymore on Monday.
May I have an official confirmation that MultiTenant B2C custom policy still can't be configured or any hint about this error?
@tomidix we have been using multi-tenant auth for a while now and it does work. Perhaps share the configuration of your technical profile.
@monteledwards here is the whole ClaimsProvider. The app that the TechnicalProfile references is created on portal.azure.com -> AD B2C -> Applications (not on identity.microsoft.com nor apps.dev.microsoft.com; I tried applications from there too but they didn't work either). The login process starts normally, the user logs in OK, on the first run the user consent is invoked, and after that there is the error I mentioned in the previous post.
<ClaimsProvider>
  <Domain>MultiTenant</Domain>
  <DisplayName>Login using Azure AD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="MultiTenantProfile">
      <DisplayName>AzureADAccount</DisplayName>
      <Description>Organizational or Microsoft Account</Description>
      <Protocol Name="OpenIdConnect"/>
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <!-- Multi-tenant: resolve OIDC metadata from the token's iss claim and accept any issuer under this prefix -->
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
        <Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
        <Item Key="client_id">{AppID}</Item>
        <!-- AppID from B2C tenant's WebApp Application -->
        <Item Key="IdTokenAudience">{AppID}</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="response_types">id_token</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_MultiTenantSignInKey"/>
        <!-- AppSecret from B2C tenant's WebApp Application, saved to policy keys in Azure -->
      </CryptographicKeys>
      <OutputClaims>
        <!-- oid is only unique per tenant; tid is kept so the pair identifies the user -->
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/>
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="contosoAuthentication"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureADContoso"/>
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
The application that is to be configured in your technical profile needs to be registered as a regular AAD application. I recommend you start over using the guide here https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
Verify that you can sign in to your own tenant, then switch the configuration over to multi-tenant by enabling the app to be multi-tenant, and then update your TP configuration.
I did that before and got an error: AADSTS70001: Application 'AppId' is not supported for this API version. I didn't try at all to use multi-tenant v1 for the TP config because we have to use MSAL, so only v2 plays a role for us. Do you use multi-tenant v1 or v2? Now I tried to create a new, converged (v2) app in the regular Azure AD of my regular tenant (not the B2C tenant), but it finished with the same error as before: AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*'
Verify that you can sign in to your own tenant...
I can do that; this works and I have no problem with this step. Only the multi-tenant part doesn't work.
Thanks for your help!
This error:
AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*'
is a bug on the AAD side that hides the real error, which is that your reply URLs don't match. I would double-check the reply URL on the AAD side (the v1 multi-tenant app, not the B2C app).
Also, double check that you are setting:
<Item Key="UsePolicyInRedirectUri">false</Item>
Thanks for the answer. I've managed to make it work. Yes, you are right. It needs to have UsePolicyInRedirectUri set to false. I didn't change my reply URLs, so I think that the mentioned error is shown where the reply URL has nothing in common with the error and does not cause it.
I am using a custom policy which is integrated with B2B and B2C as per the link https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom. I am able to get the username and email from B2B users after adding
in the relying party, but not able to get all the user details for B2C users.
Azure AD id_tokens will not return the email address. To do so, you need to query the graph API. I wrote a guide to this here.
@parakhj is the multi-tenant scenario still not available in B2C?
I am trying to use Azure AD auth in B2C using the /common Azure AD endpoint. According to https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#update-your-code-to-handle-multiple-issuer-values, there needs to be a mechanism to either 1.) allow multiple issuers, or 2.) specify a list of issuers B2C can validate against. I do not see any possible setting in the custom policies XML that would allow this. I was able to get Azure AD auth created successfully, just not multi-tenant now.
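The issuer check the last comment asks about, as an added Python example (not code from this issue or from Azure AD B2C): it models what the ValidTokenIssuerPrefixes item in the technical profile above does for a multi-tenant app, namely accept one issuer per tenant under a trusted prefix, cross-check it against the tid claim, and optionally restrict to an allow-list of tenants. The token, tenant GUIDs and allow-list are constructed for the example; signature and audience verification are assumed to happen before this step.

```python
import base64
import json
import uuid

# Mirrors the ValidTokenIssuerPrefixes item in the technical profile.
VALID_ISSUER_PREFIXES = ("https://login.microsoftonline.com/",)


def decode_claims(id_token):
    """Return the claims of a compact JWT (signature assumed already verified)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_issuer(claims, prefixes=VALID_ISSUER_PREFIXES, allowed_tenants=None):
    """Accept iss of the form <prefix><tenant-guid>/... whose tenant equals tid."""
    iss = claims.get("iss", "")
    tid = claims.get("tid", "")
    # startswith with the trailing slash rejects look-alike hosts such as
    # https://login.microsoftonline.com.example/ ...
    prefix = next((p for p in prefixes if iss.startswith(p)), None)
    if prefix is None:
        return False, "issuer prefix not trusted"
    tenant_in_iss = iss[len(prefix):].split("/")[0]
    try:
        uuid.UUID(tenant_in_iss)  # reject placeholders such as 'common'
    except ValueError:
        return False, "issuer does not name a tenant GUID"
    if tenant_in_iss != tid:
        return False, "tid claim does not match issuer tenant"
    if allowed_tenants is not None and tid not in allowed_tenants:
        return False, "tenant not in allow-list"
    return True, "ok"


def make_unsigned_token(claims):
    """Build a constructed, unsigned compact JWT for the sample below."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return b64({"alg": "none"}) + "." + b64(claims) + "."


# Constructed sample token; the tenant GUID is made up for the example.
SAMPLE_TID = "11111111-2222-3333-4444-555555555555"
SAMPLE_TOKEN = make_unsigned_token({
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TID}/v2.0",
    "tid": SAMPLE_TID,
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
})

if __name__ == "__main__":
    print(validate_issuer(decode_claims(SAMPLE_TOKEN)))
```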