Azure AD B2C Integration SSO on multiple B2C apps without prompt/redirection

Question

Azure AD B2C Integration SSO on multiple B2C apps without prompt/redirection

Patil, Sagar 31

Hi Team,

We would like to understand how azure B2c can be configured for SSO
if application [A] abc.domain.com
and [B] xyx.domain.com are configured under same tenant

application [A] is using custom policies for Sign in and Sign up and using MSAL.js library to get id token etc with azure B2C
application [B} using out of box user flows for Sign in and using open source angular library for triggering Oauth flow
with azure B2C
library url - https://github.com/manfredsteyer/angular-oauth2-oidc

Both applications will have interactive Sign in page to get users email and password.
Expectation is azure B2C will just handle SSO out of box with default seettings. i.e. if user logs in any of application A or B then
user will not be prompted if they are in same browser session or new tabs or opens application in new browser window (same browser)

we know out of box Azure B2C has SSO configured on tenant level. So do we have to do anything specific to achieve
above result of SSO?

also both applications are storing their Id token in different cookies strongly typed to their own domain because they are using different client side libraries but does this impact azure B2C SSO behavior ?

We couldn't find anything specific on how azure B2C SSO works in detail across tenant apart from below link. which wasn't much helpful about what needs to be done if everything is configured out of box?
https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-user-flow

Cheers
Sagar

Patil, Sagar 31 Reputation points

2022-10-17T19:26:14.397+00:00

@Shweta Mathur , @James Hamil let me know if you could help

Accepted answer

1 additional answer

Your answer

Patil, Sagar 31 Reputation points

2022-10-17T19:26:14.397+00:00

@Shweta Mathur , @James Hamil let me know if you could help

Answer 1

Akshay-MSFT 17,951 Microsoft Employee Moderator

Hello @Patil, Sagar ,

For configuring tenant wide SSO via user flow https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-user-flow#configure-the-user-flow have "SSO Configuration" set to "Tenant" and "Enable keep me signed in session" to "Yes"

For Custom policy as per https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-the-custom-policy in SignUpOrSignin.xml Change the value of the Scope attribute to "Tenant" Application, or Policy. As per https://learn.microsoft.com/en-us/azure/active-directory-b2c/cookie-definitions#cookies, the cookie "x-ms-cpim-sso:{Id}" must be set"persistent" to Enable Keep me signed in.

However, SSO will not work by mixing userflows and custom policies. It is because the custom policy is using different technical profile names, or session management names compared to the user flow behind the scenes.

Do let me know if you have any queries in the comments section.

Thanks,
Akshay Kaushik

Please "Accept the answer" and "Upvote" if the above-mentioned suggestion works as per your business need. This will help us and others in the community as well.

Patil, Sagar 31 Reputation points

2022-10-18T18:10:43.767+00:00
Hi @Akshay-MSFT ,

Thanks for your answer. As you suggested below configuration is set already

"SSO Configuration" set to "Tenant"
"Enable keep me signed in session" to "Yes"

and cookie you mentioned is created by azure b2c and i believe is always set to persistent by azure b2c
and we don't have control over it programmatically.

with all of above set, our application is still showing custom login screen on
xyz.domain.com if user is authenticated on abc.domain.com .

xyz.domain.com is angular application which is using OIDC certified library below
https://manfredsteyer.github.io/angular-oauth2-oidc/docs/index.html
which always stores its id token cookies in local storage or session cookie. but when that token doesn't exist (anonmymous) in cookie then user is considered anonymous.

In this case

how azure b2c understands this application is under same tenant and

how it can create valid authenticated session without xyx.domain.com taking inputs from user like user email?
and if its possible , is there any code we need to run on each page to fetch all authenticated session from azure b2C and hide login form?

Cheers,
Sagar
Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator

2022-10-21T07:52:42.413+00:00

Hello @Patil, Sagar ,

Thanks for your response. I am checking this internally. Will keep you posted with updates.

Thanks,
Akshay Kaushik

Answer 2

Patil, Sagar 31

Hi @Akshay-MSFT ,

I saw you updated original answer with below text -

However, SSO will not work by mixing user flows and custom policies. It is because the custom policy is using different technical profile names, or session management names compared to the user flow behind the scenes.

Could you please elaborate more on this?
application B is using azure B2C pre defined user flows from portal but application A is using custom profiles
which are almost same as default journeys with very small UI tweaks.
and we have ensured to edit XML to add Tenant level SSO . see below for SignInPasswordReset profile

<RelyingParty>
<DefaultUserJourney ReferenceId="SignInPasswordReset" />
<UserJourneyBehaviors>
<SingleSignOn Scope="Tenant" KeepAliveInDays="7"/>
<SessionExpiryType>Absolute</SessionExpiryType>
<SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
<JourneyFraming Enabled="true" Sources="https://weu-dev-abcd-xyz.azurewebsites.net https://localhost:3000 https://localhost https://abcdc.dev.local" />
<ScriptExecution>Allow</ScriptExecution>
</UserJourneyBehaviors>
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
BASIC CLAIM CONFIGURATIONS
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>

Ghina 0 Reputation points

2024-10-07T13:13:26.2733333+00:00

Hi Patil,

I know its been a while, but I am having the same case and just checking if you were able to resolve it.
Patil, Sagar 31 Reputation points

2024-10-08T09:02:48.6733333+00:00

Hi @Ghina - Yes I was able to make this work with SSO setting on Tenant level
<SingleSignOn Scope="Tenant" KeepAliveInDays="7"/>
Ensure both applications are part of same B2C tenant and then they will both share same session. You can test this by calling silent login JS API on client side using MSAL library . If there is active session for same account then other application will automatically does user login provided you run silent login script before page renders. and user account id (e.g. email) are same
Ghina 0 Reputation points

2024-10-08T12:14:34.6133333+00:00

Hi Patil,

Thank you for your quick response. I already have implemented the below:
<SingleSignOn Scope="Tenant"> on custom policy
SSO Configuration: Tenant on user flows

I have those application setup:
Application A uses Custom Policy
Application B uses User Flows**

All under the same Tenant**

Scenario that is happening:
When the user signs-up using (custom IDP/social IDP) in Application A. Then when the user goes to Application B the user is prompted to sign up again instead of signing in.

Appreciate if you have any insight on this, we have API calls on user signup so it is causing issues because of the duplicates.

Share via

Azure AD B2C Integration SSO on multiple B2C apps without prompt/redirection

1 additional answer

Your answer