3/22/2022

B2c Single Sign On


Note

In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows.

Single sign-on (SSO) session management uses the same semantics as any other technical profile in custom policies. When an orchestration step is executed, the technical profile associated with the step is queried for a UseTechnicalProfileForSessionManagement reference. If one exists, the referenced SSO session provider is then checked to see if the user is a session participant. If so, the SSO session provider is used to repopulate the session. Similarly, when the execution of an orchestration step is complete, the provider is used to store information in the session if an SSO session provider has been specified.

Azure AD B2C has defined a number of SSO session providers that can be used:

| Session provider | Scope |
| --- | --- |
| NoopSSOSessionProvider | None |
| DefaultSSOSessionProvider | Azure AD B2C internal session manager. |
| ExternalLoginSSOSessionProvider | Between Azure AD B2C and an OAuth1, OAuth2, or OpenID Connect identity provider. |
| OAuthSSOSessionProvider | Between an OAuth2 or OpenID Connect relying party application and Azure AD B2C. |
| SamlSSOSessionProvider | Between Azure AD B2C and a SAML identity provider, and between a SAML service provider (relying party application) and Azure AD B2C. |


SSO management classes are specified using the <UseTechnicalProfileForSessionManagement ReferenceId='{ID}' /> element of a technical profile.

Input claims

The InputClaims element is empty or absent.

Persisted claims

Claims that need to be returned to the application or used by preconditions in subsequent steps should be stored in the session or augmented by a read from the user's profile in the directory. Using persisted claims ensures that your authentication journeys won't fail on missing claims. To add claims to the session, use the <PersistedClaims> element of the technical profile. When the provider is used to repopulate the session, the persisted claims are added to the claims bag.

Output claims

The <OutputClaims> is used for retrieving claims from the session.

Session providers

NoopSSOSessionProvider

As the name suggests, this provider does nothing. It can be used to suppress SSO behavior for a specific technical profile. The following SM-Noop technical profile is included in the custom policy starter pack.

DefaultSSOSessionProvider

This provider can be used for storing claims in a session. This provider is typically referenced in a technical profile used for managing local and federated accounts. The following SM-AAD technical profile is included in the custom policy starter pack.
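The following fragment is an added example, not a copy of the starter pack: a session-management technical profile backed by DefaultSSOSessionProvider with persisted and output claims, plus a sign-in technical profile that opts into it through UseTechnicalProfileForSessionManagement. The Handler strings follow the starter-pack naming pattern and the objectIdFromSession claim name is assumed; check both against your own policy files.

```xml
<!-- Added example (not the starter pack's own XML). Handler strings follow the
     starter-pack pattern; verify them against your TrustFrameworkBase.xml. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Session Management</DisplayName>
    <TechnicalProfiles>
      <!-- Referenced by profiles that must never read from or write to the session -->
      <TechnicalProfile Id="SM-Noop">
        <DisplayName>Noop Session Management Provider</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      </TechnicalProfile>

      <!-- Stores the listed claims in the Azure AD B2C internal session -->
      <TechnicalProfile Id="SM-AAD">
        <DisplayName>Session Management Provider</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <!-- Only the claims listed here are put back into the claims bag when the
             session is repopulated; anything else must be re-read from the directory -->
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="objectId" />
          <PersistedClaim ClaimTypeReferenceId="signInName" />
          <PersistedClaim ClaimTypeReferenceId="authenticationSource" />
          <PersistedClaim ClaimTypeReferenceId="identityProvider" />
        </PersistedClaims>
        <!-- Emitted on session repopulation, so a later precondition can tell a
             session-based sign-in from a fresh one (assumed claim name) -->
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectIdFromSession" DefaultValue="true" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <ClaimsProvider>
    <DisplayName>Local Account SignIn</DisplayName>
    <TechnicalProfiles>
      <!-- Before this step runs, the engine asks SM-AAD whether the user already
           has a session; after it completes, SM-AAD stores the persisted claims -->
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <DisplayName>Local Account Signin</DisplayName>
        <!-- Protocol, metadata, input and output claims omitted for brevity -->
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```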

The following SM-MFA technical profile is included in the SocialAndLocalAccountsWithMfa custom policy starter pack. This technical profile manages the multi-factor authentication session.

ExternalLoginSSOSessionProvider

This provider is used to suppress the 'choose identity provider' screen and to sign out of a federated identity provider. It is typically referenced in a technical profile configured for a federated identity provider, such as Facebook or Azure Active Directory. The following SM-SocialLogin technical profile is included in the custom policy starter pack.

Metadata

| Attribute | Required | Description |
| --- | --- | --- |
| AlwaysFetchClaimsFromProvider | No | Not currently used, can be ignored. |

OAuthSSOSessionProvider

This provider is used for managing the Azure AD B2C sessions between an OAuth2 or OpenID Connect relying party and Azure AD B2C.

SamlSSOSessionProvider

This provider is used for managing the Azure AD B2C SAML sessions between Azure AD B2C and either a SAML relying party application or a federated SAML identity provider. When using the SSO provider for storing a SAML identity provider session, RegisterServiceProviders must be set to false. The following SM-Saml-idp technical profile is used by the SAML identity provider technical profile.


When using the provider for storing the B2C SAML session, RegisterServiceProviders must be set to true. SAML session logout requires the SessionIndex and NameID to complete.


The following SM-Saml-issuer technical profile is used by the SAML issuer technical profile.

Metadata

| Attribute | Required | Description |
| --- | --- | --- |
| IncludeSessionIndex | No | Not currently used, can be ignored. |
| RegisterServiceProviders | No | Indicates that the provider should register all SAML service providers that have been issued an assertion. Possible values: true (default), or false. |
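The following fragment is an added example, not a copy of the starter pack, showing the two SamlSSOSessionProvider uses described above side by side: the identity-provider session with RegisterServiceProviders forced to false, and the issuer session that keeps the default of true so relying parties are tracked for logout. The Handler strings follow the starter-pack naming pattern and the Contoso-SAML2 profile is a hypothetical federated identity provider; verify both against your own policy.

```xml
<!-- Added example (not the starter pack's own XML). Handler strings follow the
     starter-pack pattern; verify them against your TrustFrameworkBase.xml. -->
<TechnicalProfiles>
  <!-- Session with a federated SAML identity provider. Azure AD B2C is the
       service provider in this exchange, so it must not register SPs itself. -->
  <TechnicalProfile Id="SM-Saml-idp">
    <DisplayName>Session Management Provider</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="RegisterServiceProviders">false</Item>
    </Metadata>
  </TechnicalProfile>

  <!-- Session with SAML relying parties. RegisterServiceProviders is left at its
       default (true) so every SP that received an assertion is known at logout. -->
  <TechnicalProfile Id="SM-Saml-issuer">
    <DisplayName>Session Management Provider</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  </TechnicalProfile>

  <!-- Hypothetical federated SAML identity provider profile that uses the
       identity-provider session so sign-out can be propagated to it -->
  <TechnicalProfile Id="Contoso-SAML2">
    <DisplayName>Contoso</DisplayName>
    <Protocol Name="SAML2" />
    <!-- Partner metadata, signing keys and claim mappings omitted for brevity -->
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
  </TechnicalProfile>
</TechnicalProfiles>
```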

Next steps

Learn how to configure session behavior.