Azure AD B2C Custom Policy - How can I keep the user signed-in?

Xavier Berard 96 Reputation points
2021-02-26T19:56:08.163+00:00

I've been playing with custom policies for a while now and I have still have not figured out how to keep the user signed in. I have read this documentation through and through, and everytime I get to the authentication page, I have to set back my password (https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy).

I did set the UserJourneyBehavior

I am not using oidc prompt parameter.

My application is using open id to authenticate to B2C.

My interpretation is that when B2C sees that I have the authentication cookie, it should not prompt me for my password.

Thank you!

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,706 questions
0 comments No comments
{count} votes

Accepted answer
  1. Xavier Berard 96 Reputation points
    2021-03-15T18:06:01.307+00:00

    Hi amanpreetsingh-msft,

    It turns out that I did an error when adding the sms authentication support on top of my starter pack. The bug was that the session was lacking the objectId, and when I encountered that issue when importing the phone factor profiles/journeys, I created another bug on top of that that removed the UseTechnicalProfileForSessionManagement from the login technical profile.

    Sorry for that. Thanks for your help.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,441 Reputation points
    2021-03-01T08:42:00.267+00:00

    Hi XavierBerard-0830 · Thank you for reaching out.

    If you are not using prompt=login parameter as part of your authentication request, you will not be prompted to login until you have a valid browser session. However, when the browser session is closed, you will be required to re-login.

    To keep the user signed-in even after the browser session is closed, you would need persistent session cookie, which is stored on the disk. In order to get a persistent session cookie, you would need to Enable KMSI.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Xavier Berard 96 Reputation points
    2021-03-01T12:52:16.86+00:00

    Hello amanpreetsingh-msft,

    Yes exactly. I know that the default run user flow test button in the Azure Portal uses login=prompt and that is why I removed them from my queries. My scenario is the following:

    1. Hit a page to my application
    2. Get challenged and redirected to my custom policy Sign In flow
    3. Sign in using password
    4. Application finishes the Open Id flow, acquire the token and sets the authentication cookie.
    5. I sign out from my application (clear the authentication cookie, and don't forward anything to the IDP)

    Then when I start over within the same browser, I expect to skip Step 3. Are my assumptions correct?

    I actually see that my b2clogin.com has the follow sessions cookies, which matches what you told me about the browser session:

    • x-ms.cpim-cache
    • x-ms.cpim-trans
    • x-ms.cpim-csrf
    • x-ms.cpim-sso <-- this cookie was added after a successful login

    I also tried changing the SingleSignOn element in the relying party file (tried every values except "never")

    <RelyingParty>
      <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
      <UserJourneyBehaviors>
        <SingleSignOn Scope="Application">
    

    What else shoud I try? Anything else I need to know?

    0 comments No comments