Presentation is loading. Please wait.

Presentation is loading. Please wait.

A lap around Azure AD B2C custom policies

Published byพรชัย สมิท Modified over 4 years ago

Similar presentations

Presentation on theme: "A lap around Azure AD B2C custom policies"— Presentation transcript:

1 A lap around Azure AD B2C custom policies
Rory Braybrook Microsoft Identity Architect @rbrayb

2 Azure AD / Azure AD B2C Azure AD Company employees
On-premises AD synced to Azure AD via AAD Connect Domain joined address Access to Azure SaaS e.g. Microsoft 365 5 guest users per Azure AD account

3 Azure AD / Azure AD B2C Azure AD B2C Customers Not in on-premises AD
Any address – Gmail / Hotmail No access to SaaS No AAD Connect

4 Azure AD B2C Provides: Self service registration (Sign up) Sign in
Self service password reset Self service profile edit Zero help desk involvement Scales to hundreds of millions of users Priced appropriately – first 50,000 users free

5 Azure AD B2C protocols In: Open ID Connect (OAuth)
MSAL library - .NET / .NET Core / Java / iOS / Android / React / Mobile native … Out SAML 2.0 Various social providers – Facebook, Google, LinkedIn, Twitter … Custom OpenID Connect No WS-Federation currently

6 Built-in policies Demo

7 Custom policies Allow user to customise journey? Passport? Driver’s licence? ADFS 2.0 – “disaster” Identity Experience Framework (IEF) XML as code

8 Custom policies – getting started
Get started with custom policies in Azure Active Directory B2C Starter pack

9 Custom policies – getting started
Starter pack

10 Create a tenant

11 IEF – setup applications
Create application registrations in Azure AD Create applications in Azure AD B2C Setup keys Copy GUID’s in custom policy

12 IEF – custom policy upload
“Compiling” Checks against xsd Checks e.g. that declared “variables” have been defined

13 IEF Overview

14 IEF - BYOI

15 IEF Inheritance

16 Policy flow

17 Technical Profiles

18 Self-asserted TP All interactions in AAD B2C where the user is expected to provide input are self-asserted technical profiles. For example, a sign-up page, sign-in page, or password reset page. In a self-asserted technical profile, you can use the InputClaims and InputClaimsTransformations elements to prepopulate the value of the claims that appear on the self-asserted page (output claims). Output claims Collecting the output claims from the user Setting a default value in an output claim A validation technical profile returns the output claims Output the claims via output claims transformation Persisted claims Used to persist the data to Azure AD B2C.

19 Validation TP A validation technical profile is used for validating some or all of the output claims of the referencing technical profile. Claims that are returned from a validation technical profile are added back to the claims bag. You can use those claims in the next validation technical profiles.

20 Claims transformation TP
A claims transformation technical profile enables you to call output claims transformations to manipulate claims values, validate claims, or set default values for a set of output claims. Types Boolean Date Integer JSON General Social account String StringCollection

21 Claims transformation

22 Claims transformation TP - Example – Boolean
<ClaimsTransformation Id="AssertAccountEnabledIsTrue" TransformationMethod="AssertBooleanClaimIsEqualToValue"> <InputClaims> <InputClaim ClaimTypeReferenceId="accountEnabled" TransformationClaimType="inputClaim" /> </InputClaims> <InputParameters> <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" /> </InputParameters> </ClaimsTransformation>

23 Claims transformation TP - Example – String
<ClaimsTransformation Id="ChangeToLower" TransformationMethod="ChangeCase"> <InputClaims> <InputClaim ClaimTypeReferenceId=" " TransformationClaimType="inputClaim1" /> </InputClaims> <InputParameters> <InputParameter Id="toCase" DataType="string" Value="LOWER" /> </InputParameters> <OutputClaims> <OutputClaim ClaimTypeReferenceId=" " TransformationClaimType="outputClaim" /> </OutputClaims> </ClaimsTransformation>

24 User Journeys User journeys specify explicit paths through which a policy allows a relying party application to obtain the desired claims for a user. The user is taken through these paths to retrieve the claims that are to be presented to the relying party. User journeys define the business logic of what an end user goes through as the Azure AD B2C IEF processes the request. Series of steps – can be skipped <OrchestrationStep Order="2" Type="ClaimsExchange"> <Preconditions> <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> <Value>objectId</Value> <Action>SkipThisOrchestrationStep</Action> </Precondition>

25 Relying Party This specifies the user journey to enforce for the current request to Azure Active Directory (Azure AD) B2C. It also specifies the list of claims that the relying party (RP) application needs as part of the issued token. An RP application, such as a web, mobile, or desktop application, calls the RP policy file. The RP policy file executes a specific task, such as signing in, resetting a password, or editing a profile. Multiple applications can use the same RP policy and a single application can use multiple policies. All RP applications receive the same token with claims, and the user goes through the same user journey.

26 Claims Providers A claims provider contains a set of TP.
Every claims provider must have one or more technical profiles that determine the endpoints and the protocols needed to communicate with the claims provider. A claims provider can have multiple technical profiles.

27 The flow <RelyingParty> <DefaultUserJourney ReferenceId="SignUpOrSignIn" /> <UserJourney Id="SignUpOrSignIn"> <OrchestrationStep Order="1“ ContentDefinitionReferenceId="api.signuporsignin"> TP - SelfAsserted-LocalAccountSignin- <ValidationTechnicalProfile ReferenceId="login-NonInteractive" /> TP – Order=“2“ – LocalAccountSignUpWithLogon <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogon " /> REST API TP - Order=“3“ - AAD-UserReadUsingObjectId TP - Order=“4“ – JwtIssuer Extension attributes

28 IEF demo Sign up not sign in relying party Branding
User Journey with TP Validate password using Troy Hunt’s “Pwned Password” via REST API

29 Built-in policy retrospective
Built-in policies are custom policies that can be downloaded but not uploaded

30 IEF utilities

31 Resources Get started with custom policies in Azure Active Directory B2C Gaining Expertise with Azure AD B2C course for developers GitHub utilities Azure AD B2C blog articles Tips and tricks for working with custom policies in Azure AD B2C Azure AD B2C documentation

32

Download ppt "A lap around Azure AD B2C custom policies"

Similar presentations

Attie Naude 14 May 2013 Windows Azure Mobile Services.

Attie Naude 14 May 2013 Windows Azure Mobile Services.
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
1Proprietary and Confidential AirVantage API – Getting started David SCIAMMA – June 13th 2014.

1Proprietary and Confidential AirVantage API – Getting started David SCIAMMA – June 13th 2014.
Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.

Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
Microsoft Ignite /16/2017 4:55 PM

Microsoft Ignite /16/2017 4:55 PM
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
Google App Engine Google APIs OAuth Facebook Graph API

Google App Engine Google APIs OAuth Facebook Graph API
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.

Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
Microsoft ® Official Course Module 13 Implementing Windows Azure Active Directory.

Microsoft ® Official Course Module 13 Implementing Windows Azure Active Directory.
Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.

Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.
Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.
101 ways to authenticate with Azure Active Directory

101 ways to authenticate with Azure Active Directory
All Rights Reserved 2014 © CMG Consulting LLC Federated Identity Management and Access Andres Carvallo Dwight Moore CMG Consulting, LLC October 2015 1.

All Rights Reserved 2014 © CMG Consulting LLC Federated Identity Management and Access Andres Carvallo Dwight Moore CMG Consulting, LLC October
Get identities to the cloud Mix on-premises and cloud identity for improved PC, mobile, and web productivity Cloud identities help you run your business.

Get identities to the cloud Mix on-premises and cloud identity for improved PC, mobile, and web productivity Cloud identities help you run your business.
Building consumer apps with Azure AD B2C

Building consumer apps with Azure AD B2C
Adxstudio Portals Training

Adxstudio Portals Training
Linus Joyeux Valerie Alonso Managing consultantLead consultant blue-infinity (Switzerland) Active Directory Federation Services v2.

Linus Joyeux Valerie Alonso Managing consultantLead consultant blue-infinity (Switzerland) Active Directory Federation Services v2.

Similar presentations

Ads by Google