Single sign-on session management in Azure AD B2C custom policies
Note: In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.
Single sign-on (SSO) session management uses the same semantics as any other technical profile in custom policies. When an orchestration step is executed, the technical profile associated with the step is queried for a `UseTechnicalProfileForSessionManagement` reference. If one exists, the referenced SSO session provider is checked to see whether the user is a participant in the session. If so, the SSO session provider repopulates the session's claims. Similarly, when the orchestration step completes, the provider stores information in the session, provided an SSO session provider has been specified.
Azure AD B2C defines a number of SSO session providers that can be used:

Session provider | Scope
---|---
NoopSSOSessionProvider | None
DefaultSSOSessionProvider | Azure AD B2C internal session manager.
ExternalLoginSSOSessionProvider | Between Azure AD B2C and an OAuth1, OAuth2, or OpenID Connect identity provider.
OAuthSSOSessionProvider | Between an OAuth2 or OpenID Connect relying party application and Azure AD B2C.
SamlSSOSessionProvider | Between Azure AD B2C and a SAML identity provider, and between a SAML service provider (relying party application) and Azure AD B2C.
SSO management classes are specified using the `<UseTechnicalProfileForSessionManagement ReferenceId="{ID}" />` element of a technical profile.
Input claims

The `InputClaims` element is empty or absent.
Persisted claims

Claims that need to be returned to the application, or that preconditions in subsequent steps depend on, should be stored in the session or augmented by a read from the user's profile in the directory. Persisting them ensures that your authentication journeys won't fail on missing claims. To add claims to the session, use the `<PersistedClaims>` element of the technical profile. When the provider repopulates the session, the persisted claims are added back to the claims bag exactly as they were stored, so persist only what later steps or the token issuer genuinely need.
Output claims

The `<OutputClaims>` element is used for retrieving claims from the session.
Session providers
NoopSSOSessionProvider

As the name indicates, this provider does nothing. It can be used to suppress SSO behavior for a specific technical profile. The `SM-Noop` technical profile included in the custom policy starter pack uses this provider.
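The `SM-Noop` profile and a profile that opts out of SSO by referencing it, as an added example rather than the page's own listing. It reconstructs the starter pack's `SM-Noop` definition and the `AAD-Common` directory profile that references it as this example's author knows them; the Handler assembly strings and the `AAD-Common` Id are assumptions to verify against your own copy of the starter pack.

```xml
<!-- Added example (not the page's own listing). Reconstructed from the Azure AD B2C
     custom policy starter pack as known to this example's author; Handler strings
     and the AAD-Common profile Id are assumptions, verify them against your copy.
     In the real policy these two profiles live under different ClaimsProvider
     elements; they are shown together here for brevity. -->
<TechnicalProfiles>

  <!-- NoopSSOSessionProvider: neither reads from nor writes to the SSO session. -->
  <TechnicalProfile Id="SM-Noop">
    <DisplayName>Noop Session Management Provider</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  </TechnicalProfile>

  <!-- Base profile for directory reads and writes. Its results must always come
       from the directory, never from a cached session, so it points at SM-Noop.
       Every profile that includes AAD-Common inherits this choice. -->
  <TechnicalProfile Id="AAD-Common">
    <DisplayName>Azure Active Directory</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <CryptographicKeys>
      <!-- Key container name is the starter pack default; assumed here. -->
      <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    </CryptographicKeys>
    <IncludeInSso>false</IncludeInSso>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  </TechnicalProfile>

</TechnicalProfiles>
```

The point of the pairing is that a step which reads the directory should not be satisfiable from session state: if a user was disabled or an attribute changed after sign-in, a later orchestration step that includes `AAD-Common` still sees the live record.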
DefaultSSOSessionProvider

This provider can be used for storing claims in a session. It is typically referenced in a technical profile used for managing local and federated accounts. The `SM-AAD` technical profile included in the custom policy starter pack uses this provider.

The `SM-MFA` technical profile included in the SocialAndLocalAccountsWithMfa custom policy starter pack also uses this provider. It manages the multi-factor authentication session.
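The following is an added example, not the page's own listing, covering the `UseTechnicalProfileForSessionManagement` reference, the persisted and output claims described above, and the `SM-AAD` and `SM-MFA` profiles of this section. It reconstructs those profiles, a sign-in profile that references `SM-AAD`, and an orchestration step whose precondition consumes the marker claim the MFA session restores, as this example's author knows them from the SocialAndLocalAccountsWithMfa starter pack; the Handler strings, profile Ids, claim names and step order are assumptions to verify against your own policy.

```xml
<!-- Added example (not the page's own listing). Reconstructed from the
     SocialAndLocalAccountsWithMfa starter pack as known to this example's author;
     Handler strings, Ids, claim names and the step order are assumptions. -->
<TechnicalProfiles>

  <!-- DefaultSSOSessionProvider for the sign-in session. -->
  <TechnicalProfile Id="SM-AAD">
    <DisplayName>Session Management Provider</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <!-- Written to the session when the referencing step completes. Keep this to
         what later steps or the token issuer need: restored values are placed in
         the claims bag as stored, no validation technical profile runs again. -->
    <PersistedClaims>
      <PersistedClaim ClaimTypeReferenceId="objectId" />
      <PersistedClaim ClaimTypeReferenceId="signInName" />
      <PersistedClaim ClaimTypeReferenceId="authenticationSource" />
      <PersistedClaim ClaimTypeReferenceId="identityProvider" />
      <PersistedClaim ClaimTypeReferenceId="newUser" />
    </PersistedClaims>
    <!-- Emitted only when the session is repopulated: marks that objectId came
         from the SSO session rather than from a fresh credential check. -->
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectIdFromSession" DefaultValue="true" />
    </OutputClaims>
  </TechnicalProfile>

  <!-- DefaultSSOSessionProvider for the MFA session, kept separate so that the
       MFA state has its own lifetime and its own marker claim. -->
  <TechnicalProfile Id="SM-MFA">
    <DisplayName>Session Management Provider</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <PersistedClaims>
      <PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" />
    </PersistedClaims>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="isActiveMFASession" DefaultValue="true" />
    </OutputClaims>
  </TechnicalProfile>

  <!-- A local-account sign-in profile opts into the session by reference.
       Its InputClaims, OutputClaims and ValidationTechnicalProfiles are
       unchanged from the starter pack and omitted here. -->
  <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
    <DisplayName>Local Account Signin</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
  </TechnicalProfile>

</TechnicalProfiles>

<!-- In the user journey, the marker claim restored by SM-MFA is what lets a
     precondition skip the phone verification step for a user whose MFA session
     is still active. Without the PersistedClaim/OutputClaim pair above, this
     precondition would never match and MFA would be prompted every time. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecutionType="ClaimsExist">
      <Value>isActiveMFASession</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
  </ClaimsExchanges>
</OrchestrationStep>
```

When reviewing a policy, check two things here: that every claim a `ClaimsExist` precondition relies on is either persisted by a session provider or produced by an earlier step, and that nothing sensitive is persisted merely for convenience, because it will be replayed into every journey for the life of the session.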
ExternalLoginSSOSessionProvider

This provider is used to suppress the "choose identity provider" screen and to sign out from a federated identity provider. It is typically referenced in a technical profile configured for a federated identity provider, such as Facebook or Azure Active Directory. The `SM-SocialLogin` technical profile included in the custom policy starter pack uses this provider.
Metadata
Attribute | Required | Description
---|---|---
AlwaysFetchClaimsFromProvider | No | Not currently used; can be ignored.
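An added example, not the page's own listing, of the `SM-SocialLogin` profile and a federated OAuth2 identity provider profile that references it. It reconstructs the starter pack's `SM-SocialLogin` and trims the starter pack's Facebook profile to the parts relevant here, as this example's author knows them; the Handler string, the Facebook endpoint URLs, the `facebook_clientid` placeholder and the key container name are assumptions to check against your own policy.

```xml
<!-- Added example (not the page's own listing). Reconstructed from the starter
     pack as known to this example's author; Handler string, endpoint URLs, the
     client_id placeholder and the key container name are assumptions. -->
<TechnicalProfiles>

  <!-- ExternalLoginSSOSessionProvider: session between B2C and the external IdP. -->
  <TechnicalProfile Id="SM-SocialLogin">
    <DisplayName>Session Management Provider</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <!-- Documented above as not currently used; the starter pack sets it anyway. -->
      <Item Key="AlwaysFetchClaimsFromProvider">true</Item>
    </Metadata>
    <!-- Remembering which IdP the user chose is what lets the engine skip the
         "choose identity provider" screen on the next journey. -->
    <PersistedClaims>
      <PersistedClaim ClaimTypeReferenceId="identityProvider" />
    </PersistedClaims>
  </TechnicalProfile>

  <!-- Federated IdP profile. Most metadata and output claims are omitted; the
       point is the session-management reference at the bottom. -->
  <TechnicalProfile Id="Facebook-OAUTH">
    <DisplayName>Facebook</DisplayName>
    <Protocol Name="OAuth2" />
    <Metadata>
      <Item Key="ProviderName">facebook</Item>
      <Item Key="authorization_endpoint">https://www.facebook.com/dialog/oauth</Item>
      <Item Key="AccessTokenEndpoint">https://graph.facebook.com/oauth/access_token</Item>
      <Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
      <Item Key="scope">email public_profile</Item>
      <Item Key="client_id">facebook_clientid</Item> <!-- placeholder, replace with your app id -->
      <Item Key="UsePolicyInRedirectUri">0</Item>
    </Metadata>
    <CryptographicKeys>
      <Key Id="client_secret" StorageReferenceId="B2C_1A_FacebookSecret" />
    </CryptographicKeys>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="id" />
      <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="facebook.com" />
      <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
    </OutputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
  </TechnicalProfile>

</TechnicalProfiles>
```

Because this provider also drives sign-out from the federated IdP, a federated profile that omits the `SM-SocialLogin` reference will still sign the user in but will leave the IdP session in place when the B2C session ends.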
OAuthSSOSessionProvider

This provider is used for managing the Azure AD B2C session between an OAuth2 or OpenID Connect relying party and Azure AD B2C.
SamlSSOSessionProvider

This provider is used for managing Azure AD B2C SAML sessions, both with a SAML relying party application and with a federated SAML identity provider. When the provider is used to store a SAML identity provider session, `RegisterServiceProviders` must be set to `false`. The `SM-Saml-idp` technical profile, which the SAML identity provider technical profile references, is configured this way.

When the provider is used to store the Azure AD B2C SAML session, `RegisterServiceProviders` must be set to `true`. SAML session logout requires the `SessionIndex` and `NameID` to complete.
The `SM-Saml-issuer` technical profile is referenced by the SAML issuer technical profile.
Metadata
Attribute | Required | Description
---|---|---
IncludeSessionIndex | No | Not currently used; can be ignored.
RegisterServiceProviders | No | Indicates that the provider should register all SAML service providers that have been issued an assertion. Possible values: `true` (default) or `false`.
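An added example, not the page's own listing, serving both the OAuthSSOSessionProvider section and the SamlSSOSessionProvider section above. It reconstructs the starter pack's `SM-jwt-issuer`, `SM-Saml-idp` and `SM-Saml-issuer` profiles and the issuer and identity-provider profiles that reference them, as this example's author knows them; the Handler strings, the `SM-jwt-issuer` Id (not named on this page), the hypothetical `Contoso-SAML2` identity provider with its `idp.contoso.example` metadata URL, the key container names and the `IssuerUri` placeholder are all assumptions to check against your own policy.

```xml
<!-- Added example (not the page's own listing). Reconstructed from the starter
     pack as known to this example's author; Handler strings, SM-jwt-issuer,
     the Contoso-SAML2 profile, key container names and IssuerUri are assumptions. -->
<TechnicalProfiles>

  <!-- OAuthSSOSessionProvider: session between B2C and an OAuth2/OIDC relying party. -->
  <TechnicalProfile Id="SM-jwt-issuer">
    <DisplayName>Session Management Provider</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  </TechnicalProfile>

  <!-- JWT issuer: its Metadata and CryptographicKeys are omitted here. -->
  <TechnicalProfile Id="JwtIssuer">
    <DisplayName>JWT Issuer</DisplayName>
    <Protocol Name="None" />
    <OutputTokenFormat>JWT</OutputTokenFormat>
    <InputClaims />
    <OutputClaims />
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
  </TechnicalProfile>

  <!-- SamlSSOSessionProvider toward a federated SAML IdP: B2C is the service
       provider here, so it must not register service providers itself. -->
  <TechnicalProfile Id="SM-Saml-idp">
    <DisplayName>Session Management Provider</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="IncludeSessionIndex">false</Item>
      <Item Key="RegisterServiceProviders">false</Item>
    </Metadata>
  </TechnicalProfile>

  <!-- Hypothetical federated SAML identity provider referencing SM-Saml-idp. -->
  <TechnicalProfile Id="Contoso-SAML2">
    <DisplayName>Contoso</DisplayName>
    <Protocol Name="SAML2" />
    <Metadata>
      <Item Key="PartnerEntity">https://idp.contoso.example/metadata</Item>
    </Metadata>
    <CryptographicKeys>
      <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
    </CryptographicKeys>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="contoso.com" />
      <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
    </OutputClaims>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
  </TechnicalProfile>

  <!-- SamlSSOSessionProvider toward SAML relying parties: B2C is the IdP here.
       RegisterServiceProviders defaults to true, which records every SP that was
       issued an assertion so that single logout can reach them. -->
  <TechnicalProfile Id="SM-Saml-issuer">
    <DisplayName>Session Management Provider</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  </TechnicalProfile>

  <!-- SAML assertion issuer; CryptographicKeys omitted. IssuerUri is a placeholder. -->
  <TechnicalProfile Id="Saml2AssertionIssuer">
    <DisplayName>Token Issuer</DisplayName>
    <Protocol Name="SAML2" />
    <OutputTokenFormat>SAML2</OutputTokenFormat>
    <Metadata>
      <Item Key="IssuerUri">https://tenant-name.b2clogin.com/tenant-name.onmicrosoft.com/B2C_1A_signup_signin_saml</Item>
    </Metadata>
    <InputClaims />
    <OutputClaims />
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
  </TechnicalProfile>

</TechnicalProfiles>
```

The two SAML session profiles are deliberately not interchangeable: pointing a federated IdP profile at `SM-Saml-issuer` (or leaving `RegisterServiceProviders` at its default of `true` in `SM-Saml-idp`) makes B2C treat the upstream IdP as one of its own service providers, and logout handling will not behave as the section above describes.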
Next steps
Learn how to configure session behavior.