azure-ad-b2c / samples

Azure AD B2C custom policy solutions and samples.

Azure B2C login with MFA cross multiple sites #520

Open frankzha opened 1 year ago

frankzha commented 1 year ago

Hi

I followed this policies/mfa-email-or-phone/ to implement email-only-based MFA. We have 2 web sites (one is .NET Framework, the other is .NET Core). Both sites use the same Azure B2C tenant.

Before my MFA change, after I log in to one site by Azure B2C MFA successfully, when I navigate to the other site, I don't need to enter username and password again and I am authenticated automatically.

After the MFA change, after I log in to one site by Azure B2C MFA successfully, when I navigate to the other site, even though it does not ask for username and password, it does request MFA verification. And the worst thing is the email field is not populated. So the user can't send the verification code. It becomes a broken user experience.

My question is whether I can skip the MFA step when I navigate to the other site after I log in to the first site successfully via MFA? In other words, MFA should behave the same as single sign-on, that is, MFA should be prompted only if it asks the user to enter username and password. If Azure B2C does not ask for username and password, I would like to skip the MFA step.

Is it possible?

Worst case, after the user logs in to one site successfully, when the user navigates to another site, how can I force it to show the page asking for username and password? Right now, because both sites use the same tenant, when the user navigates to the 2nd site, it does not ask for username and password.

Note: I did some investigation. The following section in my custom policy says that if extension_mfaByPhoneOrEmail is email, then do this Email-Verify. Can I add some conditions such that it does "Email-Verify" only if it is email and "it is not MFA verified"?

        <OrchestrationStep Order="7" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
              <Value>extension_mfaByPhoneOrEmail</Value>
              <Value>email</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="Email-Verify" TechnicalProfileReferenceId="EmailVerifyOnSignIn" />
          </ClaimsExchanges>
        </OrchestrationStep>

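The "skip if already MFA-verified" condition the question asks about is normally carried by the B2C SSO session rather than by a claim the user journey computes itself. Below is an added illustration of that pattern (not code from the samples repository or from the poster): the verification technical profile writes a marker claim into a session management provider, and the orchestration step gains a second precondition that skips the step when that marker is present. The names `SM-MFA` and `isActiveMFASession` follow the MFA starter-pack convention but are assumptions here, as is persisting `email` so the verification page is pre-filled on the second site.

```xml
<!-- Claim used only as a session marker; never sent to the application. -->
<ClaimType Id="isActiveMFASession">
  <DisplayName>Active MFA session</DisplayName>
  <DataType>boolean</DataType>
</ClaimType>

<!-- Session management provider (assumed name). On first sign-in it stores the
     MFA marker and the verified email; on SSO to the second app it replays
     both, so the email field is populated and the step below can be skipped. -->
<TechnicalProfile Id="SM-MFA">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="email" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isActiveMFASession" DefaultValue="true" />
  </OutputClaims>
</TechnicalProfile>

<!-- The email verification profile from the sample must reference the session
     provider, otherwise nothing is written to the SSO session after MFA. -->
<TechnicalProfile Id="EmailVerifyOnSignIn">
  <!-- existing Metadata / InputClaims / OutputClaims of the sample stay as they are -->
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-MFA" />
</TechnicalProfile>

<!-- Orchestration step from the question with one extra precondition.
     Preconditions are evaluated in order; the first that matches skips the
     step. Step runs only when method is email AND no MFA marker is present. -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>extension_mfaByPhoneOrEmail</Value>
      <Value>email</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>isActiveMFASession</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="Email-Verify" TechnicalProfileReferenceId="EmailVerifyOnSignIn" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The skip is bounded by the SSO session lifetime and scope configured on the relying-party policy, so once that session expires or is revoked the user is asked for both credentials and MFA again, which is the behaviour the question asks for.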

JasSuri commented 1 year ago

It sounds like session management is not set up properly in this sample, causing the MFA prompt to reappear on SSO to App2. Will take a look.

stefan-helios commented 1 year ago

Any update?